Man holding tablet with virtual lock showing password security and cyber insurance

Why Password Security Should Be a Qualifier for Cyber Insurance

Like Netflix subscriptions, Charmin sales and GrubHub orders, cyberattacks skyrocketed throughout the COVID-19 pandemic. Unlike video streaming, toilet paper and delivery fees though, cyberattacks cost a lot of money to the end user and organization affected. In fact, the average cost of records lost or stolen in a breach is $180 per person, while a ransomware attack on a business costs about $1.85 million on average.

It’s hardly surprising then, that cyber insurance has grown more prevalent, too. An insurance broker with mostly enterprise clients reported that the percentage of their clients with cyber insurance grew from about 25% in 2016 to 50% in 2020. Recovering customer data, repairing damaged computer systems and covering legal fees and expenses can often be a lifesaver for an organization that’s suffered a cyberattack.

Meanwhile, cybersecurity claims are increasing, too. One cyber insurer reported processing more claims across more organizations in the first half of 2021 than it had in any other time period to date.

The cyberattacks that are discussed in these claims share some common traits. You’ll see these similarities addressed in applications for cybersecurity insurance — insurers often ask if policyholders already use commercial-grade anti-virus software, since many cyberattacks involve some form of malware.

Meanwhile, passwords are linked to 80% of breaches, and poor password hygiene is an easy entry point for bad actors to exploit in cyberattacks. Ironically though, many cyber insurance companies don’t consider password security as criteria for a cyber insurance policy.

The password security snag

Omitting well-defined password security from cyber insurance policies exposes policyholders and insurers alike to costly claims that better passwords could prevent. Which makes it even more surprising how password security is given such short shrift in most cyber insurance policies, considering how meticulous these policies otherwise are.

For instance, one of the 10 largest property and casualty insurers in the U.S. asks about the policyholder’s data encryption, mobile device encryption, and even firewalls on its application for cybersecurity and privacy coverage. They don’t mention the word “password” anywhere on the application.

Consider the cyber risk coverage application for another of the 10 largest property and casualty insurers in the U.S. This insurer asks if the applicant has “multi-factor login for privileged access,” which is a tool for mitigating unlawful access. But the application’s only other mention of passwords is the question, “Are procedures in place regarding the creation and periodic updating of passwords?” A “procedure” could technically be as simple as, “include letters in your passwords, and change them every 3 years,” which makes this criterion ineffective when compared to the risk.

The password threat landscape

To understand why password security should be a precursor to any cyber insurance policy, one must understand just how significant a role poor password hygiene plays in cyberattacks.

Weak passwords are dangerous for two major reasons. First, it only takes one password to bring down an entire network. Hackers in June used one authentication token to breach gaming company Electronic Arts and steal 780 GB worth of data and gaming code.

Second, weak passwords are easy to crack. Hackers have access to billions of passwords freely available on the dark web that have been aggregated through different attacks. On top of that, 65% of American adults in a 2019 Google survey said they reuse passwords for at least several accounts, if not all of them.

So, not only are billions of passwords available to hackers, but they could also work for many different accounts, too. And if any of those accounts are on a network, then lots more could be compromised besides one account. For a cybersecurity policyholder, such an incident could entail a large claim and a lot of additional work for the insurer to handle.

That’s why requiring cybersecurity insurance applicants to have an active password policy would benefit policyholders and insurers alike. Such a best practice could protect policyholders against cyberattacks, which would subsequently reduce both the volume of filed claims as well as the burden on insurers to address those claims.

The path to a better system

Not all cyber insurers are vague about password protection in their policies. One insurer asks applicants multiple specific questions about password length, composition, change frequency and changing default passwords on third party products. The National Institute of Standards and Technology (NIST) sets the password standards for all federal agencies in the US and is referenced by other organizations as the guidelines to follow.

As it stands however, there’s no clear-cut answer as to why many cyber insurance carriers don’t include the NIST password standards or requirements like multi-factor authentication, password security software or automated password generation as qualifiers for cyber insurance.

But if cyber insurers want to create a better system that can reduce claims and better protect their policyholders, they cannot ignore the biggest driver of cyberattacks – passwords. In turn, policyholders should examine the password practices they use—by fortifying password practices, organizations can better protect their networks from cyberattack and avoid filing claims on their cyber insurance.