CYBER INSURANCE
How to Combat the Meteoric Rise in Cyber Insurance Rates
Let’s face it, insurance companies don’t like to lose money. So, when (according to Fitch Ratings) cyber insurers paid out about 73% of premiums collected in 2020 (a dramatic rise from about 34% in 2018), it was a given that cyber insurance rates were going to go up – and go up a lot. Premiums have increased upwards of 50%, according to infosec experts and vendors (reported by TechTarget), with some quotes higher – much higher – up to 100% or more! One North Carolina school board last year approved $22,318 for one year of cyber liability insurance — up from 2020’s cost of $6,653 – an increase of 235%!
A big reason for the huge jump in cyber insurance rates is ransomware claims. According to AM Best (which categorized prospects for the U.S. cyber insurance market as “grim”), ransomware claims were up 35% in 2020 and now account for 75% of cyber claims. The issue has become severe enough that last June seven major insurers formed a company, CyberAcuView, to combine their data collection and analysis resources. Lloyd’s is directing its syndicate of insurers to exclude state-sponsored cyber attacks from coverage starting in 2023.
CYBER INSURANCE READINESS
When cyber insurance is a “must have” for many companies, yet premiums are skyrocketing, the best way to minimize those rising premiums is to demonstrate the implementation of several key security controls. Just as home insurance companies provide discounts for burglar alarms and other home security controls, cyber insurance companies do so for companies that have implemented security controls to maximize the protection of their data. Here is a list of controls and activities that can best position your organization for the underwriters:
Multi-Factor Authentication (MFA): Probably the most important security control is the application of multi-factor authentication to protect your company’s data, especially for mission-critical data systems and data stores. With MFA, stolen credentials are useless if the threat actor doesn’t also have the authentication device used for access.
Regular Backups and Restoration Testing: Backing up key data regularly and conducting periodic tests to demonstrate the ability to restore that data are a key part of any rigorous disaster recovery program and your best control to minimize downtime in the event of a ransomware attack.
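As an added example (not code from the original article), the following Python script runs the kind of restoration drill the control calls for: it backs up a directory of constructed sample files into a compressed archive together with a SHA-256 manifest, restores the archive into a scratch directory, verifies every restored file against the manifest, and then shows that a restored file altered after the fact is reported as corrupted. All paths are temporary and all file contents are made up for the illustration.

```python
"""Backup-and-restore drill (added example, not from the original article).
Backs up a directory of constructed sample files into a tar.gz archive with a
SHA-256 manifest, restores it into a scratch directory, and verifies every
restored file against the manifest. All paths are temporary; all data is made
up for the illustration."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name + ".manifest.json")


def create_backup(source: Path, archive: Path) -> dict:
    """Archive every file under `source`; return and persist {relative path: sha256}."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = path.relative_to(source).as_posix()
            manifest[rel] = sha256_file(path)
            tar.add(path, arcname=rel)
    manifest_path(archive).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(archive: Path, target: Path) -> dict:
    """Compare the files under `target` with the archive's manifest."""
    manifest = json.loads(manifest_path(archive).read_text())
    missing, corrupted = [], []
    for rel, expected in manifest.items():
        restored = target / rel
        if not restored.is_file():
            missing.append(rel)
        elif sha256_file(restored) != expected:
            corrupted.append(rel)
    return {"checked": len(manifest), "missing": missing,
            "corrupted": corrupted, "ok": not missing and not corrupted}


def restore_and_verify(archive: Path, target: Path) -> dict:
    """Extract the archive into `target`, then verify it. A backup that cannot be
    restored and checked is not a backup, which is the point of the drill."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # Python 3.12+ (and patched 3.8-3.11): refuse path traversal, links
            # and device files coming out of the archive.
            tar.extractall(target, filter="data")
        except TypeError:  # older interpreter without the `filter` argument
            tar.extractall(target)
    return verify_restore(archive, target)


def run_drill() -> dict:
    """End-to-end drill on constructed data: a clean restore must verify, and a
    restored file that is then altered must be reported as corrupted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, restore_dir = root / "source", root / "restore"
        (source / "db").mkdir(parents=True)
        (source / "db" / "customers.csv").write_text("id,name\n1,Example Customer\n")
        (source / "config.ini").write_text("[app]\nmode=prod\n")
        archive = root / "backup.tar.gz"
        create_backup(source, archive)
        clean = restore_and_verify(archive, restore_dir)
        # Simulate silent corruption of the restored copy and re-check.
        (restore_dir / "config.ini").write_text("[app]\nmode=dev\n")
        tampered = verify_restore(archive, restore_dir)
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=2))
```

The manifest is written at backup time and checked at restore time, so the drill proves two things an underwriter will ask about: that the archive can actually be restored, and that what comes back is byte-for-byte what was backed up. In a real program the archive and manifest would live on storage that ransomware on the source host cannot reach.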
Implement Principle of Least Privilege (PoLP): Reduce the number of accounts that have full permissions to operating systems and applications, such as Windows Active Directory domain administrators or accounts created for application access to Windows domain and system resources, commonly referred to as service accounts. Create accounts that have only the access needed to perform the required function within an operating system or application.
Data Minimization Program: Effective reduction of data that is either redundant, obsolete, or trivial (ROT) is an important factor to reduce the amount of sensitive data that is at risk, as we saw in the California Pizza Kitchen data breach. Prompt erasure of personal data which is no longer needed for the purposes it was originally collected is also a compliance requirement of Article 17(1)(a) of GDPR. Hackers can’t access sensitive data that is no longer there.
Prompt Application of Patches: The ability to demonstrate a program of prompt application of software and operating system patches and security updates can also reduce risk. A delay of a mere four days in applying a patch for the Log4j vulnerability was all it took for ONUS to be impacted by a ransomware attack in December 2021.
Endpoint Detection and Response (EDR): Implement an EDR security solution that continually monitors and collects data from your connected devices and applies rules-based automated responses to cyber threats.
Email Security and Configuration: Having a program to keep spam and malware filters current will reduce the number of phishing emails that reach their intended targets, reducing risk.
Mobile Device Management (MDM): Implementation of MDM methodologies and toolsets can minimize the risk related to mobile devices, especially bring your own device (BYOD).
Routine Cyber Training: A comprehensive training program for all employees, with regular intervals to reinforce training principles and spot training as needed to address newly identified risks, is another important security control for companies to have.
Policies and Procedures Documentation: Another way to reinforce security best practices is up-to-date policies and procedures associated with the use of technology within the company, especially with regard to credentials and passwords.
Penetration Testing: Insurance underwriters expect to see regular pen testing performed by a third party. Pen testing should not be confused with automated vulnerability scanning. While both may find vulnerabilities, a pen test simulates what a motivated threat actor may accomplish. Pen testing is viewed as the ultimate control effectiveness test.
Web Application Firewalls (WAF): Required by PCI DSS, a WAF is increasingly seen as table stakes for organizations that have a big on-line presence. It should be noted that a WAF is not a substitute for secure coding practices (OWASP v4), but it can slow down hackers by blocking many of the common attempts at hacking web applications.
Duty of Care Risk Analysis (DoCRA): The largest cost to a breach, according to Netdiligence Reports, is liability (regulator fines, class action lawsuits and attorney fees). Organizations that can demonstrate they have a Duty of Care based Risk Management Program can reduce their overall risk to themselves and cyber insurance carriers. An effective risk management program tells interested parties, including underwriters, you are on top of the new risks and associated risk treatments. Core components of a defensible risk management program include:
- Criteria that include impacts directly to the organization and those outside the organization (it’s the Golden Rule)
- Define an acceptable level of risk (acceptable to all parties)
- Define a process to determine the reasonableness (or burden) of remediation efforts
- Document your calculus (risk register)
- Manage Remediation (program management)
- Regular updates to the risk register (at least annually)
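To show what the “documented calculus” of a risk register looks like in practice, here is an added illustration in Python (not from the article, and not the DoCRA standard’s own worksheets). It scores each scenario on both impact to the organization and impact to outside parties, compares inherent and residual risk against an acceptable level, and tests whether a proposed safeguard is more burdensome than the risk it addresses. The 1-5 scales, the acceptable-risk threshold of 8, the burden scale, and every scenario are constructed assumptions; a real program calibrates them with the parties who could be harmed.

```python
"""Duty-of-care style risk register (added illustration, not from the article and
not the DoCRA standard's own worksheets). Scales, the acceptable-risk threshold
and the scenarios are constructed assumptions; a real program calibrates them
with the parties who could be harmed."""
from dataclasses import dataclass
from typing import Optional

ACCEPTABLE_RISK = 8  # assumption: likelihood x impact at or below this is tolerable


@dataclass
class Safeguard:
    name: str
    burden: int            # 1-25: cost and disruption, on the same scale as risk
    likelihood_after: int  # 1-5: likelihood once the safeguard operates
    impact_after: int      # 1-5: worst-case impact once the safeguard operates


@dataclass
class Risk:
    scenario: str
    likelihood: int        # 1-5
    impact_to_org: int     # 1-5: financial, operational, reputational harm to us
    impact_to_others: int  # 1-5: harm to customers, partners, the public
    safeguard: Optional[Safeguard] = None

    @property
    def impact(self) -> int:
        # Golden Rule: harm to outside parties weighs as much as harm to us.
        return max(self.impact_to_org, self.impact_to_others)

    @property
    def inherent(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual(self) -> int:
        s = self.safeguard
        return self.inherent if s is None else s.likelihood_after * s.impact_after


def evaluate(risk: Risk) -> dict:
    """Decide treatment: accept risks already within tolerance; otherwise require a
    safeguard that brings residual risk within tolerance and whose burden does not
    exceed the risk it addresses."""
    s = risk.safeguard
    if risk.inherent <= ACCEPTABLE_RISK:
        action = "accept"
    elif s is None:
        action = "treatment required"
    elif risk.residual > ACCEPTABLE_RISK:
        action = "insufficient: strengthen or add safeguards"
    elif s.burden > risk.inherent:
        action = "burdensome: seek a less costly safeguard"
    else:
        action = "implement"
    return {
        "scenario": risk.scenario,
        "inherent": risk.inherent,
        "residual": risk.residual,
        "safeguard": None if s is None else s.name,
        "action": action,
    }


def build_register(risks) -> list:
    """The documented calculus: every scenario, scored and ordered by inherent risk."""
    return sorted((evaluate(r) for r in risks), key=lambda row: -row["inherent"])


# Constructed scenarios for the illustration.
SAMPLE_RISKS = [
    Risk("Ransomware encrypts file servers", 4, 5, 3,
         Safeguard("Offline backups with quarterly restore drills", 6, 4, 2)),
    Risk("Phishing leads to mailbox takeover", 5, 3, 4,
         Safeguard("MFA on all remote and email access", 4, 2, 3)),
    Risk("Lost unmanaged phone holding customer data", 3, 2, 4,
         Safeguard("MDM with remote wipe", 5, 3, 3)),
    Risk("Insider with domain admin exfiltrates HR data", 2, 4, 5,
         Safeguard("Complete IAM rebuild with dedicated PAM platform", 15, 1, 4)),
    Risk("Defacement of static marketing site", 2, 2, 1),
]


if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f"{row['inherent']:>2} -> {row['residual']:>2}  "
              f"{row['action']:<45} {row['scenario']}")
```

Run as a script it prints the register ordered by inherent risk. The two outcomes worth noticing are the lost-phone scenario, where the proposed MDM safeguard still leaves residual risk above the threshold and so needs strengthening, and the insider scenario, where the proposed safeguard would reduce risk well enough but costs more than the risk it removes, which is exactly the “reasonableness (or burden)” test the list above calls for. Re-running the register at least annually with updated scores is what keeps it current.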
Be ready for the underwriters. These controls are your best defense against the rising costs of cyber insurance, and they are key indicators for cyber insurance carriers to assess risks that influence insurance premiums.
HALOCK Security Briefing Archives: Updates on cybersecurity trends, threats, legislation, reasonable security, duty of care, key acts and laws, and more that impact your risk management program.