CIO News

Cybersecurity and cyber insurance complement each other, says Harish Chib at Sophos

Cyberattacks have increased exponentially in the last couple of years in the UAE. According to the Sophos State of Ransomware Report 2022, 59% of UAE organisations surveyed were hit with ransomware in 2021, up from 38% in 2020. The average cost to recover from the most recent ransomware attack in 2021 was $1.26 million.

It took on average one month to recover from the damage and disruption. 88% of organisations said the attack had impacted their ability to operate, and 83% of the victims said they had lost business and/or revenue because of the attack.

The challenge of sophisticated cyberattacks like ransomware faced by UAE organisations continues to grow. Optimising cybersecurity has become imperative for all organisations. It is important that investments are made as part of a wider dynamic security strategy that is regularly reviewed and updated. A part of this strategy should also include cyber insurance.

Cyber insurance conditions are getting harder

Cyber insurance has, until now, been a soft market, characterised by high capacity and low premiums. However, the market is starting to harden, as insurers see their payouts rising faster than the income from premiums: the industry’s loss ratio has risen.

Several factors are driving this hardening of the market:

  • Cyberattacks are constantly evolving, making it hard for insurers to assess the true risk of a client being attacked
  • The costs to recover from a cyberattack are increasing
  • The pandemic and growing use of the cloud have accelerated the interconnectedness of the business environment, increasing exposure

While most organisations already have some cyber insurance coverage, many are finding the bar for renewal is getting higher as capacity shrinks – and premiums are going up. It is also getting harder for many organisations to get insurance in the first place as the underwriting process grows more and more rigorous and overall capacity drops.

Good cybersecurity helps with cyber insurance

There is a direct relationship between cybersecurity and cyber insurance, and having strong cyber defences in place can help in a number of ways:

#1 Good cybersecurity makes it easier to get cyber insurance

In light of the challenges facing the cyber insurance market, providers are focusing increasingly on managing – and reducing – risk. Good cybersecurity can help organisations reduce cyber risk which, in turn, makes them a more attractive prospect for cyber insurance coverage.

#2 Good cybersecurity helps reduce premiums

Just as being a non-drinker and non-smoker and having good medical reports reduces your health insurance premiums, having advanced IT defences helps reduce cyber insurance costs. While the insurers’ exact premium calculation algorithms are a closely guarded secret, customers consistently say that the quality of their protection impacts their premiums.

#3 Good cybersecurity reduces the likelihood of a claim and of higher premiums in future

As with other forms of insurance, if you make a claim, you can expect a significant increase in your premiums in subsequent years. By minimising the risk of being impacted by a cyberattack, organisations reduce the likelihood of calling on their policy – and help keep their premiums down.

#4 Good cybersecurity reduces the risks of non-payment

Poor IT security hygiene can prevent organisations from receiving financial support in the event of an incident. If the insurer believes that the organisation left the door open through weak practices, they may have grounds to not pay out.

#5 Good cybersecurity can minimise the impact and cost if an incident occurs

Responding quickly and appropriately to a cyberattack can significantly reduce the impact and cost of the incident. Having a malware incident response plan in place and being able to call on experienced incident responders will help to minimise the fall-out from the attack.

Cybersecurity and cyber insurance are both necessary, and they complement each other. Just as health insurance protects from the financial impact of a disease but not from the disease itself, cyber insurance protects from the impact of cybercrime though not from the crime itself.

Lastly, organisations must not fall into the trap of prioritising cyber insurance ahead of all security measures; in fact, insurers may not provide insurance if an organisation does not have adequate security measures in place. In addition, investing in and prioritising security can make it easier to get coverage, lower premiums, and remove barriers to payouts if you need to make a claim.

