Report

MythBusters: Purchasing cyber insurance doesn’t change your risk of an attack

Does buying cyber insurance actually make your organisation a bigger target for a ransomware attack?

To answer this question, which has sparked debate over the past few years, Marsh’s Cyber Risk Intelligence Centre (CRIC) partnered with the University of St. Gallen’s Institute of Insurance Economics.

Using proprietary Marsh data and cutting-edge statistical methods, this research is the first we are aware of that explores whether cyber insurance influences the likelihood of ransomware attacks. The results for insurance buyers are reassuring.

A question of motivation

Could cyber insurance be a double-edged sword? On the one hand, attackers might see insured companies as more lucrative targets, expecting a payout. On the other, would attackers even know which organisations are insured during their reconnaissance?

We wanted to answer this critical question: Does having cyber insurance increase your risk of an attack?

Methodology and assumptions

We used over a decade of insurance placement and incident data across all lines of insurance from clients with under US$1 billion of revenue, and assumed those clients only used one insurance broker. Some of the clients never purchased cyber insurance, while others purchased cyber insurance during the study period.  

To reduce bias and support a fair comparison, the modeling methodology controlled for key variables, including year fixed effects, revenue, employee count, industry, and geographic location. This approach helped isolate the effect of the insurance purchase itself from the effects of those control variables.

Using this modeling methodology, we grouped cohorts of companies that had similar risk trends over time prior to any purchase of cyber insurance. After aligning the time of purchase for cyber insurance for those that acquired it, we studied the divergence in risk trends between firms that purchased cyber insurance and those that did not.

Results

For each period in the study, treating time t=0 as the time of cyber insurance purchase (if any), we computed a point estimate and 95% confidence interval of the change in probability of a ransomware attack.

In the graph below, the dots represent the change in likelihood of experiencing a ransomware attack given a cyber insurance purchase; the lines below and above the dots show confidence intervals. If the confidence interval includes 0, we concluded that there was no statistically significant difference in ransomware rates between those companies that purchased cyber insurance and those that did not.

Confidence intervals lying entirely above 0 would have implied that those that purchased cyber insurance suffered additional attacks relative to those that did not. The point estimates before time 0 confirmed that the firms we wanted to compare indeed had no difference in ransomware attacks before the purchase of insurance, ensuring comparability.

Our findings were clear: There was no evidence that purchasing cyber insurance increased ransomware attack risk.
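The comparison described in the Methodology and Results sections, reduced to its core mechanics as an added illustration (this is not Marsh's or the University of St. Gallen's model, and it uses a constructed panel rather than Marsh data): firm-years of insurance buyers are aligned on the purchase year (t=0), compared against never-insured firms observed in the same calendar years, and the difference in attack rates at each relative period is reported with a 95% confidence interval. The simplification is that this version uses a Wald interval on a difference of proportions with no covariate adjustment; the firm names, years, and incidents below are assumed sample values.

```python
from math import sqrt

# Constructed sample panel (not Marsh data): firm -> year it bought cyber
# insurance, or None for firms that never purchased during the study window.
FIRMS = {"T1": 2020, "T2": 2020, "T3": 2021, "T4": 2021,
         "C1": None, "C2": None, "C3": None, "C4": None}
YEARS = range(2018, 2024)
# Constructed incident log: (firm, year) pairs in which a ransomware attack occurred.
ATTACKS = {("T1", 2019), ("C2", 2019), ("C1", 2021), ("T3", 2022), ("C4", 2022)}
# One row per firm-year: (firm, year, purchase_year_or_None, attacked 0/1)
PANEL = [(f, y, FIRMS[f], int((f, y) in ATTACKS)) for f in FIRMS for y in YEARS]

Z95 = 1.96  # normal quantile for a two-sided 95% interval


def rate(rows):
    """Attack rate and row count over a list of firm-year rows."""
    n = len(rows)
    return (sum(r[3] for r in rows) / n if n else 0.0), n


def event_study(panel, window=range(-2, 3)):
    """For each period k relative to purchase (t=0), compare the attack rate of
    insured firms at k with never-insured firms in the same calendar years, and
    return the difference together with a Wald 95% confidence interval."""
    out = {}
    for k in window:
        treated = [r for r in panel if r[2] is not None and r[1] - r[2] == k]
        years = {r[1] for r in treated}  # calendar years that map to period k
        control = [r for r in panel if r[2] is None and r[1] in years]
        p1, n1 = rate(treated)
        p0, n0 = rate(control)
        if n1 == 0 or n0 == 0:
            continue  # period not observable in this panel
        diff = p1 - p0
        se = sqrt(p1 * (1 - p1) / n1 + p0 * (1 - p0) / n0)
        lo, hi = diff - Z95 * se, diff + Z95 * se
        out[k] = {"diff": diff, "lo": lo, "hi": hi, "n_treated": n1,
                  "n_control": n0, "includes_zero": lo <= 0.0 <= hi}
    return out


def pre_period_balanced(results):
    """Comparability check: no significant difference before purchase (k < 0)."""
    return all(v["includes_zero"] for k, v in results.items() if k < 0)


def no_evidence_of_increase(results):
    """The decision rule used on the page: every interval includes 0."""
    return all(v["includes_zero"] for v in results.values())


if __name__ == "__main__":
    res = event_study(PANEL)
    for k, v in sorted(res.items()):
        print(f"t={k:+d}: diff={v['diff']:+.3f} CI=({v['lo']:+.3f}, {v['hi']:+.3f})")
    print("pre-period balanced:", pre_period_balanced(res))
    print("no evidence of increase:", no_evidence_of_increase(res))
```

With this tiny constructed panel every interval includes 0, which is the expected outcome when the sample is far too small to detect any effect; the point is the mechanics of the test, not the result.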

Conclusion

This study drives home a clear point: Purchasing cyber insurance does not increase ransomware risk.

This research may provide insurance buyers with confidence that they are not creating additional risk by investing in cyber insurance, but rather are taking a proactive step toward effectively managing and mitigating potential cyber threats. Future studies will explore not only how often attacks happen, but how severe their impact may be.

Download the report

A data-driven study by Marsh’s Cyber Risk Intelligence Centre and University of St. Gallen.
