Improved cyber hygiene among businesses has led to a reduction in cyber insurance premiums by 15% worldwide over the last two years, a new report from Howden Insurance Brokers has found. This is despite the fact that cyberthreats, particularly ransomware attacks, are becoming more prevalent.

Awareness of cyber hygiene practices, like multifactor authentication, EDR and cloud backups, has grown significantly since 2022.

Ransomware attacks have increased by 18% this year, according to Howden and NCC Group, but effective risk controls have reduced the need for companies to pay ransoms. However, recovery costs are now on the rise again after a brief decline in 2022.

Insurance premiums skyrocketed in 2021 and 2022 as the COVID-19 pandemic forced companies to rush their transitions to remote work. Threat actors actively exploited new network vulnerabilities that resulted from the use of personal devices, increased access points and loss of centralised data controls, leading to more claims.

Sarah Neild, head of cyber retail U.K. at Howden, explained why the cost of cyber insurance has declined. She told TechRepublic in an email, “Increased risk awareness off the back of persistent and high-profile attacks is one reason.

“Insurers mandating minimum hygiene levels for businesses in order to access capacity has also had a major impact.” Fewer claims are being made as a result, so policies are getting cheaper.

Neild added, “The considerable investment burden on companies notwithstanding, it has helped to instil much needed resilience for policyholders. This is now paying dividends as they navigate a rapidly moving threat environment.”

The Howden data also showed that the number of indirect claims from third parties not intentionally targeted in a cyber incident has been lower than direct claims on average, further indicating that companies are effectively managing their risks and mitigating losses.

Competition between insurers is increasing, too, as more and more offer cyber insurance policies, helping to drive prices down for customers, the report stated.

“Favourable dynamics have persisted into 2024, with the cost of cyber insurance continuing to fall despite ongoing attacks, heightened geopolitical instability and the proliferation of Gen AI,” Neild said in a press release.

“At no other point has the market experienced the current mix of conditions: a heightened threat landscape combined with a stable insurance market underpinned by robust risk controls.”

The Howden report also found that demand for cyber insurance in Europe is likely to grow in the next few years. Penetration levels in the region are currently low, but awareness of cyber risks and strategic security investments are rising. Small and medium organisations are also an underserved market.

Neild said she expects the low prices to continue. However, they are unlikely to drop any further.  She told TechRepublic, “Current dynamics — supply vs demand, strong competition etc. — suggest buyers will continue to benefit from favourable conditions. Capacity is up and the recent strong performance of the market points to the cost of cover being commensurate with loss costs.

“That said, we are already seeing price decreases moderate following high-profile attacks in the first half of 2024, in the healthcare sector in particular. We therefore expect market conditions to stabilise from here and come to a landing point that offers an attractive long-term proposition for both buyers and carriers.”

Why cyber insurance is becoming more important to businesses

Cyber insurance can help businesses withstand the costs associated with a successful cyberattack or penalties for breaching increasingly rigorous compliance regulations. Data breach costs rose to $4.45 million per incident in 2023, according to IBM, partly due to the fact that it was taking longer to investigate breaches.

A report from Splunk published last month found the number one cause of unplanned downtime within the world’s largest companies was cybersecurity-related human errors, such as clicking a phishing link. Downtime overall costs them $400 billion a year, or roughly 9% of their profits.

Downtime from a cybersecurity incident directly results in financial losses through lost revenue, regulatory fines and overtime wages for staff rectifying the issue. The report also unveiled hidden costs that take longer to have an impact, like diminished shareholder value, stagnant developer productivity and reputational damage.

In addition to the rising associated costs, cyberattacks are also becoming increasingly successful. In April, a study by Kaspersky found the number of devices infected with data-stealing malware increased by seven times between 2020 and 2023. Last month, insurance broker Marsh revealed they had received more than 1,800 cyber claims from North American clients in 2023, a record high, due to companies being struck by ransomware.

Despite this, there is evidence that companies are improving their defences against cyberattacks. According to a 2024 report from Mandiant, the median dwell time — the amount of time attackers remain undetected within a target environment — of global organisations decreased from 16 days in 2022 to 10 days in 2023 and is now at its lowest point in more than a decade.