10 Important Controls to Establish the Value of Cyber Insurance for Your Business
Concerns about ransomware and other breaches, particularly those that begin with compromised credentials, are driving firms to invest in cyber insurance at a higher rate than ever before: 48% have already invested in identity-related cyber insurance (registration required), and another 32% plan to do so.
However, while many firms view cyber insurance as a critical tool for managing cyber risk, insurers are tightening coverage limits and denying more claims. As firms face closer scrutiny and stricter underwriting, it is critical to be able to demonstrate that your organization is a good risk to insure.
Changing Dynamics of Cyber Insurance
Insurance firms have become increasingly cautious about underwriting cyber-insurance policies in recent years, making it more difficult for enterprises to obtain a policy at an acceptable price with the coverage level they need. It is easy to understand why insurers are wary: cyberattacks are on the rise, and losses may exceed what the insurance market can absorb. Higher cyber-insurance loss ratios in 2020 and 2021 led to higher premiums in 2022 to compensate for that risk.
According to Check Point Research, global cyberattacks grew 38% in 2022 compared with 2021, raising the cost to insurers of defending and settling cyber claims. According to IBM’s “Cost of a Data Breach Report 2022” (registration required), 83% of the organizations studied had experienced more than one data breach, and the average cost of a breach reached $9.44 million in the US and $4.35 million worldwide. According to Verizon’s “2023 Data Breach Investigations Report,” stolen credentials are the most common way attackers gain initial access to an organization, followed by phishing.
It is no surprise that premiums are rising, claim reimbursements are frequently limited, and some claims are denied entirely. Willis Towers Watson found that 27% of data-breach claims submitted between 2013 and 2019 ran into a policy exclusion that barred partial or full reimbursement.
Travelers Property Casualty Company of America recently denied coverage and sued to rescind a cyber policy, alleging a material misrepresentation in the application signed by the CEO of International Control Services Inc. (ICS) stating that multifactor authentication (MFA) was in use enterprise-wide. The parties agreed to rescind the policy. Misrepresenting the authentication controls in place did not protect ICS from attackers, but it did cost the company its cyber insurance.
It is not surprising that insurers are becoming advocates for better cyber-risk management by policyholders. Expect underwriters to:
- Deny coverage if baseline controls are not in place, and raise that minimum over time. Traditional MFA (SMS codes, one-time passwords, push approvals), for example, may no longer be accepted as a strong enough control because it can be defeated by adversary-in-the-middle (AitM) phishing that relays the code or steals the resulting session.
- Tie premiums to the maturity of your security controls.
- Add policy restrictions and limitations based on the policyholder’s security posture and the measures that were actually in place when an incident happened.
Controls Demonstrate Policy Worthiness
Many firms are trying to determine exactly what they need to put in place to meet the shifting requirements of cyber-insurance underwriters. These ten cyber-risk management controls are a good place to start:
- Use a passwordless solution and phishing-resistant MFA (FIDO2/WebAuthn security keys or platform authenticators, or certificate-based authentication) rather than SMS or one-time-password codes.
- Segment and separate networks so that a compromised workstation cannot reach servers, backups, or management interfaces directly.
- Implement a solid data backup strategy: offline or immutable copies, separate credentials for the backup system, and regular restore tests.
- Remove local administrative privileges from endpoints and route elevated tasks through a privilege-management workflow.
- Provide frequent security awareness training to employees, including simulated phishing.
- Deploy endpoint detection and response (EDR) and anti-malware on every endpoint and server, with tamper protection enabled.
- Publish Sender Policy Framework (SPF), DKIM, and DMARC records for every sending domain to limit email spoofing and phishing, and move DMARC to p=quarantine or p=reject once monitoring shows legitimate mail is aligned; SPF alone does not stop spoofing of the visible From header.
- Run a security operations center (SOC) that is staffed 24 hours a day, seven days a week, in-house or through a managed provider.
- Deploy a security information and event management (SIEM) platform that ingests identity, endpoint, and network logs to support threat detection, incident response, and compliance reporting.
- In Active Directory (AD) environments, harden service accounts: use group Managed Service Accounts (gMSA) where possible, long random passwords with rotation where not, deny interactive logon, avoid unconstrained delegation, and monitor for Kerberoasting (service-ticket requests for SPN-bearing accounts, especially those negotiating RC4).
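The email-spoofing item above names SPF, and the Travelers case earlier shows why it pays to verify that a control actually does what the application form says. The script below is an added example, not code from the original article: it evaluates SPF and DMARC TXT records for the weak settings that still allow spoofing (`?all` or `+all`, a missing `all` mechanism, more than one SPF record, `p=none`, a partial `pct`). The DNS answers in `SAMPLE_TXT` are constructed sample data; a real check would fetch the TXT records with a resolver (dnspython's `dns.resolver.resolve(name, "TXT")` is one option, assumed here and not called) and pass the same strings in through the `lookup` callable.

```python
"""Offline check of SPF and DMARC records for the spoofing controls a
cyber-insurance questionnaire asks about. Added example; the records below
are constructed sample data, not real zones."""


# Constructed sample TXT answers keyed by DNS name (assumption: this is what a
# TXT lookup of each name returned).
SAMPLE_TXT = {
    "strict.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"],
    "lax.example": ["v=spf1 a mx ?all"],
    "_dmarc.lax.example": ["v=DMARC1; p=none"],
    "nospf.example": ["some unrelated txt record"],
}


def evaluate_spf(txt_records):
    """Return (status, detail) with status in {'missing', 'weak', 'ok'}."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing", "no v=spf1 record"
    if len(spf) > 1:
        # RFC 7208 treats multiple SPF records as a permanent error.
        return "weak", "multiple SPF records (permerror for receivers)"
    terms = spf[0].split()
    # The 'all' mechanism decides what happens to senders not listed earlier.
    all_term = next((t for t in terms if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        return "weak", "no 'all' mechanism; unlisted senders get a neutral result"
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    if qualifier in "+?":
        return "weak", f"'{all_term}' lets any host pass or be treated as neutral"
    if qualifier == "~":
        return "ok", "softfail for unlisted senders (-all is stronger)"
    return "ok", "hardfail for unlisted senders"


def evaluate_dmarc(txt_records):
    """Return (status, detail) for the _dmarc TXT record of a domain."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return "missing", "no v=DMARC1 record"
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "weak", f"invalid or missing p= tag ({policy!r})"
    if policy == "none":
        return "weak", "p=none only monitors; spoofed mail is still delivered"
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        return "weak", f"p={policy} applied to only {pct}% of mail"
    return "ok", f"p={policy}"


def assess_domain(domain, lookup=SAMPLE_TXT.get):
    """lookup(name) -> list of TXT strings or None; defaults to the sample data.
    'spoofing_protected' is True only when both SPF and DMARC are enforcing."""
    spf = evaluate_spf(lookup(domain) or [])
    dmarc = evaluate_dmarc(lookup(f"_dmarc.{domain}") or [])
    return {
        "domain": domain,
        "spf": spf,
        "dmarc": dmarc,
        "spoofing_protected": spf[0] == "ok" and dmarc[0] == "ok",
    }


if __name__ == "__main__":
    for name in ("strict.example", "lax.example", "nospf.example"):
        print(assess_domain(name))
```

Run against the sample data, `strict.example` is the only domain that comes out protected; `lax.example` has records that exist but enforce nothing, which is the case most likely to be answered "yes, we have SPF and DMARC" on a questionnaire while still letting spoofed mail through.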
These ten controls are a solid starting point, but insurers evaluate many more factors when examining new policy applications. To reduce the likelihood and potential impact of a data breach, insurers will become increasingly demanding about identity protection, authentication systems, access restrictions, and identity management processes. And, as the insurance market and the threat landscape evolve, make sure your cyber-risk management strategy adjusts with them.
Improve Risk Management for Better Coverage
Many cyber-insurance policies require firms to comply with strict data protection and privacy regulations. Compliance with these regulations improves your chances of qualifying for coverage and, possibly, of obtaining more favorable terms. Compliance also demonstrates your commitment to protecting identities and personal information, which can have a beneficial effect on underwriting decisions, coverage terms, and premiums.
As the number of cyberattacks increases, robust cyber insurance coverage can assist firms in preparing for and managing the seemingly unavoidable ransomware attacks and data breaches. Putting identity access management and next-generation authentication at the heart of your security program can assist you in managing cyber risk, complying with regulations, and meeting cyber-insurance underwriting criteria.