Businessman standing with an umbrella in the ocean showing cyber insurance and zero trust architecture

Obtain (And Keep) Cyber Insurance With Two Magic Words: Zero Trust

Cybersecurity leaders everywhere understand the constant threat of cyberattacks, which leave a myriad of consequences in their wake –  from reputational damage and lost revenue to data loss and internal fatigue. In fact, 45% of information security professionals have contemplated quitting the industry altogether due to stress caused from the unrelenting threat of ransomware and “always on call” expectations.

Understandably, most organizations are turning to advanced tools and processes to protect themselves from bad actors, while many are obtaining cyber insurance to help mitigate the aftereffects of a successful attack. But there’s a problem. This type of insurance – previously an additional line item on policies that most organizations could purchase without a second thought – has become fiendishly difficult and extremely expensive to secure and maintain.

Businesses looking to obtain cyber insurance would be wise to adhere to the principles of Zero Trust Architecture (ZTA). The concept of ZTA is simple: ‘never trust, always verify.’ Underwriters are scrutinizing business’ security protocols to make sure they have proper identity verification solutions in place. For example, multifactor authentication (MFA), a key component of ZTA, is now a requirement for cyber insurance coverage.

What’s changed in the cyber insurance landscape?

Demand for cyber insurance is skyrocketing – growing by 46% in 2020 alone, according to a study by the Government Accountability Office. And to add fuel to the fire, insurance premiums have shot through the roof, while the coverage offered by insurers has gone down. In 2020, insurance costs surged in price, up 29% from the prior year.

Underwriters now require clients to submit their businesses to an in-depth vetting process. This involves assessing the security measures organizations have in place to prevent, detect, and recover from an attack. Plus, most insurers want confirmation that organizations have robust processes in place for handling sensitive data. In short, a zero-trust architecture (ZTA) is what they’re looking for.

The importance of Zero Trust

The concept of Zero Trust is deceptively simple: ‘never trust, always verify.’ It replaces the traditional perimeter-centric network access model and forces users to verify their identity at multiple points as they move through a network. This prevents attackers from gaining access through a perimeter vulnerability or moving laterally through a network until they reach their target.

Why do insurance companies care? Organizations without ZTA in place are more susceptible to cyber threats and spent an average of 42% more recovering from a data breach last year than those with mature deployments. This isn’t lost on underwriters who understand the evolving threat landscape, security best practices, and what solutions are out there. For example, multifactor authentication (MFA) is a best practice authentication method for a reason, and a key component of ZTA. It prevents attackers from using compromised credentials to gain access to systems by requiring a second factor like biometrics or a one-time password (OTP) before access is granted.

MFA has become particularly important since the onset of the pandemic, as it’s now routine for employees to access sensitive data remotely, from a range of devices and locations. It, along with several other tools, is now a requirement for cyber insurance coverage.

Additionally, privileged access management (PAM) and role-based access further enhance an organization’s ZTA by ensuring that users are only granted access to systems and files which they need to use.

How can organizations obtain insurance – and prevent a successful data breach?

In the business of risk, insurers carefully consider each applicants’ ability to successfully thwart an attack. They know that 61% of all breaches happen via brute force and credential-stuffing attacks, so those with a strong adherence to zero trust principles will find it easier to obtain or renew their cyber insurance policy.

At a minimum, underwriters expect organizations to have key identity-based tools and protocols in place that support ZTA, including identity governance, MFA, privileged access management (PAM), and single sign-on (SSO). While these requirements may feel onerous in the short term, they enable organizations to enhance their overall security posture – reducing the risk of a successful breach in the long term.

The road to ZTA

Ensuring your organization satisfies the increasingly stringent requirements of cyber insurance can be an overwhelming process. And unfortunately, taking shortcuts isn’t an option.

Start by talking to your finance, IT, security, and compliance teams. You’ll need evidence-based answers for the questions below with a clear plan of action if the honest answer to any of them is “no.”

  • Is the goal of your identity and access management (IAM) strategy to build a Zero Trust architecture that guards against illicit access?
  • Have you done a comprehensive digital identity maturity assessment, and modified your security strategy based on the findings?
  • Do you have an MFA solution in place to strengthen access security?
  • Are you using a PAM solution that protects privileged accounts from unauthorized access?
  • Are you confident in your password hygiene regimen, patch management plan, employee training program, and phishing simulation tests?
In the business of risk, insurers consider the applicants' ability to thwart a #cyberattack. So those with a strong adherence to #zerotrust principles may find it easier to obtain or renew their #cyberinsurance policy. #cybersecurity #respectdataClick to Tweet

Ultimately, success comes down to thorough preparation, transparency, and a willingness to collaborate with underwriters to ensure your security and IT infrastructure meets their requirements. In the end, neither you, nor your insurance company, wants you to file a claim.