In late December last year, Mario Greco, the chief executive of insurance giant Zurich, sent shockwaves through the business world when he warned that cyberattacks are set to become uninsurable.
In an interview with the Financial Times, he said that the insurance industry could no longer absorb the range of losses created by cybercrime, particularly as the impact of breaches spreads further into people's lives and into society.
To people who work in the cybersecurity space, this isn’t surprising. Cybercrime smashed through its digital boundaries many years ago and the consequences of attacks are significantly greater than just the loss or malfunction of software.
Bold statements like these will still worry the many businesses that rely on insurance as a critical part of their cyber defence.
Cybercrime today is a systemic threat that encompasses both digital and physical infrastructure, and because of the ever-evolving nature of the threats, achieving 100% security is impossible without disconnection.
Yet despite the volatility of attacks, insurers have kept providing cover because demand for policies is so high. That has left them paying out large sums to companies that suffered ransomware attacks or data breaches, without ever having verified that those companies had effective protection against such attacks in the first place.
And now, after years of overlooking the risks and footing the bill, the insurance industry's own risk position has become so concentrated, systemic and unsustainable that insurers have been left with no choice but to tighten their policies or risk insolvency.
Employee-generated passwords and single points of access create the highest risk
Today, just as criminals enter buildings through a physical door in the physical world, they enter networks through a digital door in the digital world. As a result, these upcoming policy changes must focus on corporate network access and improving security to keep intruders out.
Every day, criminals gain access to corporate networks by tricking employees into handing over their access credentials. This is a leading cause of breaches. Just look at Medibank, American Airlines and InterContinental Hotels Group last year: each attack was carried out using compromised credentials. The criminals target an employee with a phishing email, the employee falls victim, and the company is breached. It is that easy. According to the Verizon Data Breach Investigations Report series, now fifteen editions old, over 80% of breaches involve weak or stolen employee credentials.
Passwords saved in web browsers, and work email addresses used to register on personal sites such as gaming platforms, are rich hunting grounds for attackers: when the third-party site is breached, the attacker gets a corporate identity and, very often, a password that is reused on the corporate network. The growing use of generative AI such as ChatGPT to craft flawless phishing emails will only make this worse.
These attacks are so effective because, on the one hand, it is employees who create, hold and control their passwords, not the organisations they work for. When an employee starts a job, they are given a username and then asked to make up their own passwords to access all of their corporate accounts.
It is like asking employees to cut their own keys to your office. Not only does the organisation not control its own keys, it has no visibility of the strength of the password, whether it has already appeared in a breach, or whether the employee uses the same password across all of their personal accounts. And this is the password that unlocks the organisation's digital and, increasingly, physical assets.
On the other hand, in an attempt to spare employees from remembering many passwords, many enterprises use single sign-on or privileged access solutions. These do not solve the problem of employee-generated passwords or the loss of access control; in the author's view they make matters worse by collapsing what used to be separate access layers into a single digital gate or unified endpoint. That erodes the segmentation that reference architectures such as the Purdue model for industrial control system (ICS) security are meant to provide, and explains how one compromised password can, within hours, lead to a ransomware attack that halts critical infrastructure such as electricity, water, transport or manufacturing.
With the internal gates removed, the network is left wide open to any employee who passes the initial checkpoint. What happens when that employee's credentials are compromised? In one stroke, the attacker holds valid access to everything. Imagine a company with 1,500 employees and one billion dollars in assets that puts all of that money in a single box and asks each of the 1,500 employees to cut their own key to it. Would an insurer compensate that company when the billion dollars is lost?
This situation is a ticking time bomb for most organisations, and it is insurers that end up footing the bill, across all of their lines of business, for these persistent entry-level mistakes. Given the risks, insurers need to focus not only on the security of initial corporate network access but on re-establishing access controls at each security layer across the entire technology stack, so that digital and physical security layers sit in the same places.
Using actuarial logic to stop ransomware
When it comes to policy changes, insurers first need to recognise that the root of the problem lies in the reliance on employee-generated passwords, over which companies have no control. They can then apply existing actuarial data and models from their other lines of business, such as property insurance, to minimise their risk and maximise protection. Such standards would be the digital equivalent of requiring fire doors and sprinklers to contain building fires, or strong locks to reduce break-ins and robberies, both of which exist to reduce insurance payouts.
Translating that actuarial logic to digital-physical infrastructure, insurers can require customers first to divide their network access. Dividing access divides the risk, so that a compromised credential opens one segment rather than the whole estate.
They can also require companies to take ownership of access management and regain control of their digital keys. Passwords are just data, so they can be generated by the organisation rather than the employee and kept encrypted at rest and in transit, so that an intercepted copy is useless to an attacker. A company-controlled credential administration platform that distributes credentials in encrypted form ensures that only authorised individuals and systems can use those keys, and that a credential cannot be typed into a phishing page because the employee never sees it in the clear.
This removes a whole class of fraud and human error and blocks the most common ransomware entry point, by putting layer after layer of security between the attacker and the assets. When employees do not need to know their passwords, they cannot disclose them, and the risk of credentials being shared, sold or stolen through the employee is largely eliminated.
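The two controls argued for above, visibility over whether an employee-chosen password is weak, already breached or reused, and company-generated credentials that the employee never picks, can be demonstrated in a few dozen lines. The following is an added example written for this page, not code from the article or from any product it alludes to. The breached-password corpus, the PBKDF2 parameters and the 12-character minimum are assumptions; the range lookup imitates the k-anonymity prefix query of the Have I Been Pwned "Pwned Passwords" service against a constructed local corpus.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the article): a toy breached-password
# corpus holding SHA-1 digests of passwords seen in public credential dumps.
# In production this would be the Pwned Passwords data set or an offline mirror.
BREACH_CORPUS = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "Summer2023!", "Welcome1", "P@ssw0rd")
}

MIN_LENGTH = 12          # assumed policy value; NIST SP 800-63B sets 8 as the floor
PBKDF2_ROUNDS = 100_000  # assumed; tune to your hardware


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest().upper()


def range_query(prefix: str) -> set:
    """k-anonymity range lookup: return every corpus suffix whose digest starts
    with the 5-character prefix. The caller never reveals the full hash."""
    return {h[5:] for h in BREACH_CORPUS if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    digest = sha1_hex(password)
    return digest[5:] in range_query(digest[:5])


def store_hash(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256 verifier, as a corporate directory stores it."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify(password: str, stored: tuple) -> bool:
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def is_reused(password: str, other_verifiers: list) -> bool:
    """Reuse across corporate accounts can only be detected while the plaintext
    is in hand (at set/change time), because each stored verifier is salted
    differently: test the candidate against the user's other verifiers."""
    return any(verify(password, v) for v in other_verifiers)


def evaluate(password: str, other_verifiers: list) -> dict:
    """The visibility the organisation lacks when employees pick passwords."""
    return {
        "too_short": len(password) < MIN_LENGTH,
        "breached": is_breached(password),
        "reused": is_reused(password, other_verifiers),
    }


def company_generated_credential(nbytes: int = 24) -> str:
    """Credential generated by the organisation, not the employee: 192 bits
    from the OS CSPRNG, so it is unique, never chosen by a human and cannot be
    carried over to a personal site."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    vpn_verifier = store_hash("Summer2023!")            # employee's existing VPN password
    print(evaluate("Summer2023!", [vpn_verifier]))       # short, breached and reused
    print(evaluate(company_generated_credential(), [vpn_verifier]))
```

The generated credential is only half of the control: it still has to be delivered and stored encrypted, and used by the client on the employee's behalf so that it is never displayed or typed, which is what stops it being entered into a phishing page.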
The cyber insurance industry has been in a position of vulnerability for too many years, but it does not need to be this way. With stolen credentials the most common way for criminals to infiltrate networks, access segmentation and encrypted, company-controlled credentials are a simple and effective way for insurers to take control of the risks they cover. Because over 80% of breaches are credential-based, such tools also give insurers verifiable evidence that a company no longer relies on employee-generated passwords, a first step towards improving its digital-physical security and preventing the majority of cybercrime.