It’s not a question of if, but when, your organization will face a cybersecurity threat. More than ever, organizations are seeking cyber insurance to mitigate the eventual costs. But with rising cyber insurance premiums and increased risk of cyber attacks, cyber insurance is likely to become even more expensive or limited in scope, if not both.
To counter these trends, organizations must reinforce security and manage risks, starting with securing the logon. How? The four best practices below can help your organization meet cyber insurance requirements and save on premiums, all while improving its overall security.
Understand the changing cyber insurance landscape
It’s no secret that the cyber insurance landscape is changing rapidly. The average cost of a data breach is now a staggering $4.24 million. And, according to a report by Willis Towers Watson, the average settlement from insurers hovers around $4.88 million.
In response, we’ve seen cyber insurance premiums skyrocket. In the fourth quarter of 2021, the Marsh Global Insurance Market Index reported that cyber insurance pricing spiked by 130% in the U.S. and 92% in the U.K. And the momentum will likely continue: Standard & Poor’s Corp. predicts that cyber insurance premiums will, on average, increase 20% to 30% per year in the near future.
Subpar protection responsible for higher risks and higher costs
Why the rise in insurance costs? In a word: subpar protection (the same reason cybersecurity claims are filed in the first place). Organizations clearly don’t yet fully grasp the importance of cybersecurity across the enterprise.
Add to that the surge in remote work and related vulnerabilities, like misconfigured remote desktop software, insufficient access management requirements, and a lack of monitoring across different security tools, and it’s easy to see why insurance companies have raised costs to cover their (i.e., your organization’s) increased risk.
The key: Lower your risk profile
Two factors largely determine the cost of insurance coverage: the policyholder’s risk profile, and the insurance provider’s risk appetite. The weaker the policyholder’s risk management program, the greater the risk to insurance providers.
If your organization can demonstrate a lower risk profile, it presents less risk to insurance providers, and they can offer better rates. So, if you’re looking to meet requirements and save on cyber insurance premiums, focus on lowering your risk profile.
There are as many ways to lower risks as there are risks themselves. We don’t have time to cover all of them here, but we can look at the pillars of a strong risk management program. These are the main factors cyber insurance providers consider when evaluating your risk profile.
1. Enable MFA across all users
Cyber insurance is driving a long-overdue improvement in user access security. As the cyber insurance market tightens, insurers screen for clients with security controls that more closely align to higher standards. For example, cyber insurers are increasingly requiring multi-factor authentication (MFA) – one way to dramatically reduce their exposure. MFA is quickly becoming a must for all accounts, privileged and non-privileged, to secure network, remote and cloud access.
This makes sense – after all, we’ve all known for a long time that passwords are too weak. MFA isn’t a panacea on its own, but it is a key defense against the threat of compromised passwords. Throughout the 2021 Verizon Data Breach Investigations Report (DBIR), we see the many variations and attack use-cases for compromised credentials, and the high efficacy of each method. The report found that credentials are the #1 data type stolen, and that hacked credentials lead to 61% of all breaches.
Adding a second factor (two-factor authentication) typically means either requiring “something that you have” or “something that you are” in addition to a password, “something that you know”. If one factor is compromised or broken, an unauthorized user still has at least one more barrier to breach before successfully breaking into a target system.
Where do cyber insurers want to see MFA implemented?
MFA was not a requirement in previous cyber insurance renewals. Now, cyber insurers demand that organizations have MFA in place when subscribing to or renewing cyber insurance. And who can blame them? They’re tired of paying claims, and sometimes hefty fines, for data breaches. So they’re toughening their requirements for coverage.
New cyber insurance requirements ask organizations to answer yes to all of the following questions regarding MFA:
Is multi-factor authentication required for all employees when accessing email through a website or cloud based service?
Is multi-factor authentication required for all remote access to the network provided to employees, contractors, and third-party service providers?
In addition to remote access, is multi-factor authentication required for the following, including such access provided to 3rd party service providers:
All internal & remote admin access to directory services (Active Directory, LDAP, etc.)
All internal & remote admin access to network backups
All internal & remote admin access to network infrastructure components (switches, routers, firewalls)
All internal & remote admin access to the organization’s endpoints/servers
Even so, enabling MFA across your organization is not a guarantee of discounted premiums. Dan Burke, senior vice president and national cyber practice leader at Woodruff Sawyer, one of the largest insurance brokerage and consulting firms in the U.S., points out that insurers rarely discount cyber insurance premiums based on a single security measure. Instead, they holistically evaluate a combination of security controls, in light of the organization’s industry, size and specific risks.
Burke explains, “Rather, enacting MFA will benefit your insurance program in two potential ways: 1. Reducing your claims activity, which over the long term can significantly improve your insurance pricing; and, 2. Qualify your company for cyber insurance quotes from multiple carriers, ensuring competition for your business that will produce favorable terms.”
2. Monitor access and increase visibility
Insurers want to mitigate their losses. As Burke notes above, the more controls and safeguards a company has to protect against threats, the better. A zero trust security strategy complements this risk-averse mindset. You’re more likely to identify and prevent an attack when you focus on limiting and protecting access, and increasing visibility to user activity and access attempts.
Access management helps meet the requirement for improved control and oversight of access to data based on user role. It targets the main ways attacks happen and looks closely at unauthorized actions, rather than standard indicators of compromise, by:
Restricting permissions to only those users who need access and have a specific purpose for it (for example, someone from the engineering team doesn’t need access to HR files).
Securing data access using network and application permissions. Authorization and authentication go hand-in-hand, but individuals don’t always protect their credentials like they should. So data access, use and sharing should also be monitored, including data erasure and deletion attempts.
Encrypting sensitive data in motion and at rest, with programmatic handling of compliance requirements and data governance rules.
According to a recent Allianz Cyber Insights report, Ransomware trends: Risks and Resilience, organizations can ask themselves the questions below to evaluate how well they perform patching and vulnerability management:
Are automated scans run to detect vulnerabilities?
Are third-party penetration tests performed regularly?
Does the organization ensure appropriate access policies, enforcement of multi-factor authentication for critical data access, remote network connections and for privileged user access?
Is continuous monitoring in place to detect: unusual account behavior, new domain accounts and any account privilege escalations (administrator level), new service additions, and unusual chain of commands being run during a short time period?
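As an added example (not code from the article or from any product it describes), the Python below runs the four detections named in the last question over a constructed log: new domain accounts, administrator-level privilege escalations, new service installations, and an unusual burst of commands from one account in a short window. The log format, event names, admin group names and threshold values are all assumptions; map them onto your own directory and endpoint logs.

```python
from collections import deque

ADMIN_GROUPS = {"Domain Admins", "Administrators"}  # assumed "administrator level" groups
CMD_BURST_THRESHOLD = 4   # this many commands by one account ...
CMD_BURST_WINDOW = 60     # ... within this many seconds counts as an unusual chain

# Constructed sample log, not real data. Format: <epoch> <account> <event> <detail>
SAMPLE_LOG = """\
1000 jsmith logon workstation=WS01
1010 jsmith command whoami
1020 jsmith command hostname
1030 jsmith command ipconfig
1040 jsmith command tasklist
1100 jsmith account_created svc-backup2
1110 jsmith group_member_added svc-backup2 -> Domain Admins
1120 svc-backup2 service_installed UpdaterSvc
1500 mlee command whoami
1900 mlee command hostname
"""

def parse(line):
    """Split one log line into its four fields; detail may be empty."""
    parts = line.split(" ", 3) + [""] * 4
    ts, account, event, detail = parts[:4]
    return int(ts), account, event, detail

def detect(lines):
    """Return alerts as (timestamp, rule, account, detail) tuples, in log order."""
    alerts = []
    recent_cmds = {}  # account -> deque of command timestamps inside the window
    for ts, acct, ev, detail in map(parse, lines):
        if ev == "account_created":
            alerts.append((ts, "new_domain_account", acct, detail))
        elif ev == "group_member_added":
            # detail is "<member> -> <group>"; escalation if the group is admin-level
            if detail.rpartition("->")[2].strip() in ADMIN_GROUPS:
                alerts.append((ts, "privilege_escalation", acct, detail))
        elif ev == "service_installed":
            alerts.append((ts, "new_service", acct, detail))
        elif ev == "command":
            window = recent_cmds.setdefault(acct, deque())
            window.append(ts)
            while ts - window[0] > CMD_BURST_WINDOW:  # drop commands outside the window
                window.popleft()
            if len(window) == CMD_BURST_THRESHOLD:  # fire once, when the burst first reaches the threshold
                alerts.append((ts, "command_burst", acct, f"{len(window)} commands in {CMD_BURST_WINDOW}s"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
```

On the sample log the four alerts fire in order: the command burst at 1040, the new account, the Domain Admins membership, and the service installed by the new account; mlee's two commands are 400 seconds apart and stay silent.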
Security measures must extend to wherever access decisions are made, so it’s important to create a modern enterprise architecture that reduces incident response times, assists in the discovery of unknown threats, streamlines security deployments across the enterprise, and safely enables applications.
Cyber security reporting is evolving with business requirements and technological advances. On the business side, organizational leaders often complain that cyber security reporting is too technical, disjointed and complex. Worse, cyber security teams may not have the visibility they need to provide a holistic picture.
Depending on how the reporting is done and presented, it may lack the prioritization and coherence it needs to demonstrate how well technology investments and processes are (or aren’t) working. There’s greater awareness of the need for “end-to-end” visibility, but there are often blind spots here and there that are ripe for exploitation.
Fundamentally, cyber security leaders and teams should critically consider their reports and dashboards to ensure they’re actually helping the organization more effectively manage and make decisions about cyber risks.
4. Automate alerts & responses
Lastly, organizations that automate as much as possible can strengthen their capacity to detect and respond quickly to threats. This ensures efficiency and efficacy, from attack surface monitoring and third-party risk management to partnering with insurers.
An organization should be able to operationalize and collaborate around its security posture and supply chain risk data at a moment’s notice. Technology can help organizations achieve this goal. Automatically evaluating configurations and controls in a cloud environment helps an organization understand the risks in its supply chain, and how the organization looks from an attack surface perspective.
Reduce risk and save on cyber insurance with access management
On its own, none of these best practices ensures discounted cyber insurance premiums. But if you strategically implement all four, you can reduce risks – improving your overall security posture – and demonstrate a low risk profile. The lower your risk profile, the more likely you’ll be able to negotiate lower cyber insurance premiums and enjoy long-term savings.