Cyber insurance claim values are an effective way to quantify the impact of cyberattacks on organizations. A higher claim value indicates that the victim experienced considerable financial and operational consequences from the attack, while a low claim value reflects limited disruption.
Reducing the value of cyber insurance claims is to everyone’s advantage. For clients, lower claims demonstrate improved cyber resilience while insurers benefit from lower payouts. It also creates a virtuous circle: If insurers are spending less covering claims, they are able to drop premiums, delivering further advantage to clients.
While there is broad consensus that stronger defenses reduce the financial and operational impacts of cyberattacks and the value of the resulting claims, no one has been able to quantify it. Until now.
Sophos recently commissioned a vendor-agnostic study to quantify the financial impact of various cyber controls on cyber insurance claim values. The study reveals the differing impact of endpoint protection solutions, EDR/XDR technologies, and MDR services on attack-related claims, providing valuable insights for insurers and organizations alike.
Key findings in this study include:
- Organizations that use MDR services claim 97.5% less than those that rely on endpoint protection alone ($75,000 vs. $3M).
- Organizations that use EDR/XDR solutions claim one-sixth (1/6) that of organizations that only use endpoint protection ($500,000 vs. $3M).
- Organizations that use MDR services have the most predictable claims; those that use EDR/XDR tools have the least predictable.
- Organizations that use MDR services recover fastest from significant cyberattacks with almost half (47%) fully recovered within a week compared to just 18% of those that rely on endpoint protection alone and 27% of those that use EDR/XDR solutions.
- Organizations that use MDR services have the most predictable recovery time from ransomware incidents; EDR/XDR users the least.
Why this study matters
Organizations spend vast sums on cybersecurity every year. By quantifying the impact of cyber controls on cyberattack outcomes, this research enables organizations to direct their investments where they will see the greatest return.
In parallel, insurers exert significant influence on cybersecurity spend by requiring certain controls as conditions of coverage and offering discounts if others are in place. This research enables them to ensure that they are incentivising the investments that really do make a positive difference to incident outcomes and the resulting claim values.
Research criteria
282 claim events from 232 organizations with between 50 and 3,000 employees were studied in this research program. Respondents used cybersecurity solutions from a wide range of providers, including 19 different endpoint protection vendors and 14 separate MDR service providers. All organizations were using multi-factor authentication (MFA) at the time of the claim-triggering cyberattacks. The research was conducted for Sophos by Vanson Bourne.
Responses were segmented into three statistically significant groups based on the cyber defenses the organizations had deployed at the time of the claim-resulting attacks:
- Endpoint users: Had been using an endpoint protection solution for at least a year, but were not using endpoint detection and response (EDR) or extended detection and response (XDR) tools or MDR services (n=63 organizations, 83 claim events).
- EDR/XDR users: Had been using an endpoint protection solution and an EDR/XDR tool for at least a year but were not using MDR services (n=109 organizations, 129 claim events).
- MDR users: Had been using an endpoint protection solution and an MDR service for at least a year (n=60 organizations, 70 claim events).
We use this segment terminology throughout the report.
For the avoidance of doubt, the research focuses solely on claims resulting from cyberattacks and excludes claims made on a cyber insurance policy for other reasons (for example, the business impact of cybersecurity vendor outages or accidental data loss).
Finding #1: Organizations that use MDR services claim 97.5% less than those that rely on endpoint protection alone
The research reveals that the median claim value by organizations using MDR services is 97.5% lower than that of endpoint users. The average (median) claim by MDR users was just $75,000 compared with $3M for endpoint users. Put another way, endpoint users typically claim 40X more due to cyberattacks than MDR users. The lower claim value likely reflects the ability of the MDR service to quickly detect and neutralize malicious activity, ejecting adversaries before serious damage is done.
The data also affirms the benefit of using an EDR or XDR tool in addition to endpoint protection, with the average claim by EDR/XDR users coming in at one sixth (1/6) that of endpoint users ($500,000 vs. $3M).

Finding #2: MDR users have the most predictable claims; EDR/XDR users the least predictable
Claim predictability is an important indicator of the consistency and reliability of cyber controls in reducing the impact of cyberattacks. To understand how different controls compare, a theoretical example claim for an organization with $100M annual revenue was modeled for each of the segments. The example is based on the output of the multi-variate regression model used for the analysis (see ‘About the survey’ at the end of this blog for more details).
The analysis reveals two important insights:
- MDR users’ claims are the most predictable
- EDR/XDR users’ claims are the least predictable
The predictability of MDR users’ claims reflects the consistency with which MDR providers quickly detect and neutralize threats. By providing 24/7 monitoring, investigation, and response delivered by security operations specialists, MDR services can take swift action at any time of the day or night.
Continuous coverage is particularly important given that many adversaries deliberately target “off hours” to carry out their attacks in the hope that it will delay detection until they have achieved their goals – analysis by Sophos X-Ops reveals that 91% of ransomware attacks start outside the standard business hours of 8am-6pm, Monday to Friday.
The unpredictable nature of claims by EDR/XDR users demonstrates that the efficacy of these tools in stopping cyberattacks before major damage is done is wholly dependent on the skills and responsiveness of the user. Some organizations use EDR/XDR tools to great effect, stopping attacks swiftly and effectively. However, others are not able to deliver effective security operations despite having invested in EDR/XDR technology – with anecdotal feedback suggesting this is often due to a lack of capacity to deliver 24/7 coverage and/or a shortage of expertise.
The discovery that EDR/XDR users’ claims cover a wider band than those of endpoint users further suggests that the poor use of these tools can, in fact, exacerbate the situation. For example, organizations may delay bringing in external incident response experts to assist while they try to resolve the situation themselves.

Finding #4: MDR users have the most predictable recovery time from ransomware incidents; EDR/XDR users the least
Modeling recovery time based on a theoretical example of an organization that experiences a significant ransomware attack reveals considerable variation based on the security control used. In this analysis we modeled both the recovery window (the time between the quickest and slowest possible recovery) and also the predicted recovery time based on the average recovery time reported.
- Endpoint users are “mid-table” with a 40-day recovery window and predicted recovery time of 40 days.
- EDR/XDR users are the slowest to recover, with both the widest recovery window (66 days) and the longest predicted recovery time (55 days).
- MDR users recover quickest, with a five-day recovery window and a predicted recovery time of just three days.
These findings further demonstrate that using an MDR service materially reduces the impact of cyberattacks on organizations. They also reveal the highly unpredictable nature of EDR/XDR users’ recovery. It’s important to bear in mind that EDR/XDR solutions are tools, and their efficacy and impact depend on how well they are used.

Conclusion
The research confirms what many have known instinctively: the type of cyber controls used has a material impact on cyber insurance claims. MDR users have both the lowest and most predictable claim values. Endpoint users have the highest average claim value, while EDR/XDR users have the least predictable claim value.
Cyberattacks are inevitable. How organizations defend against them is not. These findings are a useful tool for organizations that want to optimize their cyber defenses and cybersecurity return on investment, and for insurers looking to reduce exposure and make right-sized policy offers to clients.
About the survey
The research was conducted for Sophos by Vanson Bourne in the second half of 2024 and covered claims resulting from cyberattacks that had occurred within the previous 12 months. All findings have been subject to rigorous and robust statistical validation, using multi-variate regression models.
These models take the primary variable (in this case, the security solution used) and compare how this impacts other key variables (such as claim amount, and recovery time). Control variables (organization sector, organization size, type of cyber insurance, level of security posturing at the time of attack, status of claim) were also built into the models. The findings outlined in this report are the conclusions of these analyses.