Cyber insurance and employee training in risk management

There is no surprise that investments in cybersecurity are increasing, as leadership recognizes that protecting their companies from rapidly evolving cyberthreats has become a strategic priority. CISOs and other security leaders must use the full range of cybersecurity resources available to them, and it's critical to recognize how these resources can complement one another.  

Cyber insurance has become popular as companies anticipate the potential financial consequences from a successful cyberattack. While it's important to plan for this possibility, it's also vital to focus on prevention. Once a company has already suffered a data breach or some other type of cyber incident, the financial, operational, and reputational costs can be severe and lasting. As with any form of insurance, the hope is that your company won't need it. 

Companies need to work with insurance providers to develop an approach to cyber risk management that is affordable and effective. When companies improve their risk profile by implementing robust cybersecurity measures such as organization-wide cybersecurity awareness training, this should be reflected in their premiums and coverage. By focusing on prevention, companies will reduce the likelihood of a major cyberattack. 

The rapid growth of cyber insurance 
For over a decade, cyber insurance has been the fastest-growing sector of the global insurance market. According to Howden's 2024 cyber insurance report, premiums had a compound annual growth rate of 30% between 2012 and 2022. This rate accelerated particularly quickly between 2020 and 2022, with triple-digit rate increases recorded between late 2021 and early 2022. However, rates have fallen rapidly in 2023 and 2024 as companies take more aggressive action to prevent cyberattacks.  

Despite the stabilization of cyber insurance premiums, the sector's overall growth is a reflection of the dramatic proliferation of cyberthreats in recent years. For example, Howden reports an 85% increase in global ransomware attacks last year. The 2024 Allianz Risk Barometer found that cyber incidents constitute the "top global business risk — for the first time by a clear margin — and across all company sizes." IBM reports that the global average cost of a data breach reached an all-time high of $4.45 million in 2023. 

Although companies are taking a more proactive approach to cybersecurity, the cyber threat landscape is constantly evolving. AI has lowered the barriers to entry for cybercriminals, while cyberattacks are becoming more sophisticated and difficult to detect. This is why CISOs and other security leaders must make managing cyber risk a core focus of their entire businesses in 2024 and the years to come.  

Making the right investments in cybersecurity 
Beyond cyber insurance, companies are investing in cybersecurity across the board. PwC reports that 79% of executives will increase their cyber spending in 2024, up from 64% last year. As companies commit more financial resources to cybersecurity, it's crucial to ensure that these investments are being put to the best possible use. While cyber insurance premiums are no longer rocketing upward like they were a couple of years ago, the market is expected to continue growing in the coming years.  

It makes sense for companies to pay for cyber insurance, particularly considering the number of successful cyberattacks and the growing cost of containing them. However, preventing these attacks in the first place has never been more essential, which is why companies need to understand which attack vectors cybercriminals exploit. According to the latest Verizon Data Breach Investigations Report, 68% of successful breaches involved a human element. The most common initial attack vector identified by IBM is phishing, which relies on the deception and manipulation of employees to gain access and steal information or money. 

Security leaders are responsible for helping their companies determine where cybersecurity investments will do the most good. It's clear that cyber insurance will continue to be an important line item in cybersecurity budgets, but insurance needs to be supplemented with preventive measures such as security awareness training. This will help companies prepare for worst-case scenarios while simultaneously doing everything possible to prevent those scenarios from becoming a reality.  

A comprehensive approach to cyber risk management 
Companies around the world regard cyberthreats as the top risk they confront with good reason. Beyond the fact that cyberattacks are becoming more frequent, sophisticated, and destructive, regulatory scrutiny is intensifying. For example, the United States SEC recently adopted "rules requiring periodic disclosures about a registrant's processes to assess, identify, and manage material cybersecurity risks." Meanwhile, data privacy and security regulations are only going to become more stringent in the coming years, particularly as AI and its applications evolve.  

As companies continue to increase their spending on cybersecurity, the recent dip in cyber premiums has made insurance a more attractive investment. In the coming years, companies and their insurance providers will need to work together to limit risk as efficiently and sustainably as possible. Just as auto insurance companies offer safe driver discounts and health insurance companies reward healthy behavior and preventive care, cyber insurance companies may incentivize a responsible approach to cybersecurity. 

A critical factor in determining a company's overall cybersecurity posture is whether it has implemented a robust cybersecurity awareness training program across the organization. Awareness training doesn't just help companies prevent cyberattacks. It also helps them contain those attacks when they're successful. While IBM reports that insurance is a significant factor in reducing the overall cost of data breaches, it found that employee training has an even larger impact on reducing costs — more so than encryption, threat intelligence, data security and protection software, and a wide range of other factors.   

Cybersecurity has never been a bigger priority for companies, consumers, and regulators. Now is the time for security leaders to develop a comprehensive cybersecurity strategy that deploys all available resources, from cybersecurity awareness training to insurance protection. By establishing many layers of cybersecurity, companies will ensure that they're protected no matter what cyberthreats may be lurking around the corner.