Man typing on keyboard of laptop showing PAM and MFA affects cyber insurance premiums

How PAM, MFA Helps Organizations Meet Cyber Insurance Requirements

It’s no longer a question of if, but when your organization will be breached. In 2021 alone, 212.4 million U.S. businesses were affected by a cyberattack. As the majority of today’s most damaging attacks stem from compromised credentials, cybersecurity has become a major concern for business leaders.

This uptick in cyberattacks has prompted cyber insurance providers to raise their premiums. And, many underwriters are looking for robust privileged access management (PAM) controls before pricing out their policies, given that compromised credentials are a leading cause of attacks. While there’s clearly no substitute for a strong cyber framework, cyber liability insurance often serves as an organization’s last line of defense when all else fails.

What cyber insurance covers

Every company faces cyber risk—the bigger the organization, the more vulnerabilities they have. Cyber risk comes in the form of privacy risk, security, operational and service risk. The good news is that these types of risks are covered by cyber insurance.

Cyber insurance is designed to protect an organization from the primary risks through four insuring agreements:

  • Network security and privacy liability
  • Network business interruption
  • Media liability
  • Error and omissions

Network security policies are important for most organizations and coverage often includes first-party costs and expenses directly incurred as a result of a cyber incident. Privacy liability coverage protects organizations from breaches or violations that expose sensitive customer and employee information and an organization to liability. Network business interruption, media liability and error and omissions coverage should also be considered in accordance with business needs.

A robust cyber insurance policy covers first-party expenses, third-party expenses and cyber crime costs.

The rise in cyber insurance

The price of cyber insurance coverage grew by 130% in Q4 2021 alone, and that number is expected to continue rising over the next two years. These rising premiums are causing many organizations to question the need and value of cyber insurance. According to a recent cyber insurance market trends report, the industries making the most cyber insurance claims include manufacturing, financial services and healthcare. No industry is safe from a cyberattack and defending against data theft and cybercrime in an increasing digital economy is more important than ever.

It’s so important that the Ransomware Task Force included ways to strengthen cyber insurance in their recently released Blueprint for Ransomware Defense: An Action Plan for Ransomware Mitigation, Response, and Recovery for Small- and Medium-sized Enterprises. The blueprint recommends specific security controls that the cyber insurance industry has seen lower incident costs. It also acknowledges controls that insurers actively look at during the underwriting process to include:

  • Implementation of strong backups
  • Security awareness and incident response training
  • Email security deployed across the entire enterprise
  • Advanced endpoint protection against malware
  • Network visibility and security

By looking at these factors companies can determine if a cyber insurance policy is right for them. But, there are many factors that still impact a rise in premiums: increasing sophistication of cyber threat actors, increasing cost of ransomware attacks, and an inability to accurately understand a customer’s security posture. With these elements being so prevalent companies need to understand the full scope of what their policies actually cover.

What cyber insurance doesn’t cover

Cyber insurance provides financial protection for organizations in regards to their digital assets. However, it doesn’t cover every possible risk and cost. Most policies exclude upgrades to systems after a breach to prevent future incidents. Cyber policies also don’t cover potential future profits that may be lost or loss of value caused by the theft of intellectual property from the company. With these holes in policies, companies need to look to identity based security approaches to ensure they’re truly secure and meeting their insurance requirements.

PAM and MFA can help meet cyber insurance requirements

Enhancing your organization’s cybersecurity posture starts with identity security. PAM is an information security mechanism that safeguards identities with special access or capabilities beyond regular users. Essentially, PAM tools help to ensure that users only have access to the resources they need to get their jobs done—nothing more, nothing less. It allows organizations to manage access rights for better visibility and control and to verify everything before granting access to important assets.

It comes down to security, IT administration efficiency, compliance and business agility—and PAM covers it all. Insurance underwriters look for PAM controls when pricing cyber policies. They look for ways the organization is discovering and securely managing privileged credentials, how they are monitoring privileged accounts and the means they have to isolate and audit privileged sessions. PAM helps organizations comply with GDPR, NIS, PCI DSS and other regulations, which in turn helps organizations comply with cyber insurance requirements and prerequisites.

Multi-Factor Authentication (MFA) for privileged accounts is important for organizations of all sizes and it’s also important to meet cyber insurance requirements. Insurance providers want to see MFA in place to allow secure connectivity on-premises and in the cloud. MFA is a crucial method for controlling access to critical applications and resources.

To protect against ransomware and comply with a baseline security posture used by most cyber insurers, organizations are required to enforce MFA on identities. In fact, insurers may decline an organization that doesn’t enforce MFA. Having MFA in front of privileged accounts is not just a requirement for cyber insurance, it’s also a true best practice.

Next Steps

The most important thing organizations can do in the fight against cyberattacks is to educate their staff. Make sure no one is clicking on phishing emails and conduct periodic phishing and spear phishing email tests. Most cyber insurance providers want to see that organizations are conducting security awareness training at least four times a year.

Cyber insurance premiums are going through the roof as a result of an increase in cyberattacks. While not every organization has the means to go the cyber insurance route, it is an option for many organizations that want to back up their security plans and frameworks. Cyber insurance should be in addition to a solid cybersecurity program, not in lieu of. The key to having both a strong cybersecurity posture and meeting insurance requirements starts with having a strong PAM strategy and incorporating MFA. By combining that with  a strong security awareness training program businesses can meet cyber insurance requirements, save money and reduce risk.