As cyber threats continue to grow, so too do cybersecurity budgets, with recent data showing that organizations are spending 70% more on average for information security.
Moody's, a major credit-rating agency, based this conclusion on
Moody's warned, though, that this elevated level of spending may have already peaked, pointing out that cybersecurity companies have lately been announcing layoffs, citing worsening economic conditions that have shrunk budgets and delayed purchasing decisions.
As cybersecurity risks have grown, so too have the costs of cybersecurity insurance. Between 2020 and 2022, insurance premiums grew by a median of 50% across the board, an increase largely sparked by a sharp rise in cyber incidents following the mass migration to remote work during pandemic lockdowns. Many people working from home had weaker cybersecurity protections and practices than they would have had at an office.
The report noted that, for some, premiums have soared well past the 50% mark: some U.S. issuers in education, health care, construction and manufacturing experienced premium hikes of 300% or more in 2021. Despite higher costs, though, spending continues apace as insurance coverage is now seen as a necessity, not a luxury. Only 3% of issuers said they planned to buy less cyber coverage in 2023 than in 2022. The vast majority (82%) plan to purchase about the same amount, and 16% said they would buy more. These numbers hold even for those that have faced substantial increases in cyber insurance premiums.
This cost increase has likely placed further stress on cybersecurity budgets, which could discourage issuers from taking more advanced measures for their protection. The report said the vast majority of issuers have basic cybersecurity practices like testing and applying security updates, having an incident response plan, and using multifactor authentication.
In contrast, adoption of measures beyond that baseline has been inconsistent from entity to entity. For example, 75% of structured finance respondents said they conducted red or purple team (advanced simulated) attacks at least once a year; that figure was only 17% for regional and local governments. The survey found that the least-used advanced measure, across the board, was to "provide compensation for external reports of security issues affecting the company's products or operations." Overall, only 18% of organizations do this; the practice is most common in structured finance, where 33% use this more advanced technique.
Moody's noted that its survey was developed before large language AI models became widely popular late last year and, as such, did not include them in its assessment of cyber risk. However, the company anticipates that AI will soon become a major factor in both perpetrating and preventing cyber crime.
"Advanced cybercriminals and state-backed actors will have access to sufficient funds to develop cutting-edge generative AI hacking tools. Once developed, these tools, like countless other tools before them, will be shared within the hacking community, raising the attack capabilities of lower-level actors. And while the largest organizations will have budgets large enough to scale their cyber defenses in step with these advances, medium and small organizations may be left with weaker protection until the cybersecurity community develops defenses to counter the new attacks," said Moody's.