Here’s what your organization needs to know about cyber insurance
Currently, 4.7 million experts worldwide work in the cybersecurity field trying to limit the global costs of cybercrime. Losses from cybercrime are expected to surge in the next five years, rising from $8.44 trillion in 2022 to approximately $11 trillion in 2023 and potentially reaching approximately $24 trillion by 2027.
Insurers provide cybersecurity recommendations and the insured look to insurers to understand the insurance needs. As such, it is critical to close the gap in both the insurers’ technical cybersecurity knowledge and their knowledge of how the insured’s organization is structured digitally to understand what is already deployed and what else is needed to increase security.
Incidence response (IR) is the process by which an organization handles a data breach or cyberattack. As insurers partner with technology and service providers, often to minimize costs, customers are losing the power to choose which IR firms they can work with and what technology providers they can implement.
In addition, how these recommended technologies are implemented is often not monitored in an ongoing way, which means the security of critical assets may not be continuous. Many insurance company claims teams are utilizing high volume digital forensic firms that, as a result, aren’t necessarily imaging all of the evidence in a case. The ramifications of the gaps created by this high volume digital forensics scheme have yet to be seen in this rapidly changing space.
Cybercrime has continued to rapidly increase in 2023 and cyber insurance cost increases have kept pace. According to a recent study of 3,000 cybersecurity and IT professionals, 95% of organizations that purchased a cyber insurance policy in the last year reported a direct impact of this trend on their cyber coverage:
60% said it impacted their ability to get coverage;
62% said it impacted the cost of their coverage;
and 28% said it impacted the terms of their policy.
While cyber insurance is a critical component of a risk-loss management strategy, the cost benefit is becoming more difficult to analyse owing to continued cyberattacks and increasing premiums. As the cost of premiums increase and organizations learn to implement better system backups, some have opted to invest more heavily in system recovery procedures over cyber insurance.
In addition to rising rates, insurers have introduced exclusion clauses into policies in an effort to minimize risk exposure. In the past two years, many cyber insurers have focused on potentially catastrophic cyber risk, including fallout from geopolitical conflicts and corresponding nation state activity. For example, Lloyd’s of London mandated new war exclusion wording, while Marsh continues to question insurers on clients’ behalf regarding their approach to war and cyber catastrophic risk.
The challenge facing insurance companies is quantifying the risk and complexity of measuring the cascading impact of a cyber attack. This monumental task is complicated by a rapidly evolving threat landscape. Without continuous monitoring and reassessments to analyse the insured’s internal environment, the risk quantification is considered static and difficult to predictably rely on.
Several IR cases point to Fortune 1000 organizations with eight-figure cybersecurity budgets that get compromised owing to poor implementation of tools and the lack of a critical asset inventory. Furthermore, appropriate internal and third-party access control continues to be a challenge for all organizations and something that cannot be surfaced by questionnaires and control checklists.
Cyber risk management is being driven by advances in predictive aggregation models, improved cyber hygiene, ways to prioritize investments, greater information sharing between private and public entities, and increased government actions and regulations in support of a cyber resilient society.
While these advances can improve internal risk management, they rely on detailed, reliable and continuous data. There is often a gap between the quality and quantity of information available to the insurers and the insured. Consequently, questionnaires are becoming more lengthy and complicated for potential insureds to fill out, often muddling the understanding of the final cyber coverage for the insured.
Organizations can minimize and even simplify risk assessments by focusing on four core areas. These can be summarized in four core questions that will be asked by the IR team in the event of a breach:
What type of firewall is being used?
It is absolutely essential that a firewall be in place in any cyber defence structure. It is the drawbridge and fortified door guarding the castle.
Equally as critical is the need for at least 60 days of firewall logs, six months if possible. Just like security camera footage, firewall logs are vital evidence in a potential cyber incident.
How is the environment backed up?
Spending the money for quality back-ups is as important as cyber insurance premiums.
Ensure your back-ups are configured to be immune to any possible network intrusion or infection
Back-up length needs to be industry appropriate for the timeline and budget that your industry demands
Is there a multifactor authentication (MFA) in place for all users?
An MFA requirement for access to any company system is not optional and needs to be implemented so that it cannot be compromised without gross negligence.
This needs to apply to all departments and levels of employees throughout the company with a zero-exception policy.
Do you regularly verify who has access to your systems?
Having a system of changing passwords is not enough; you need to verify who has access to what systems and software at least quarterly.
The lowest level of access policies must be mandatory to ensure proper risk mitigation.The principle of least privilege (POLP) model is mandatory to ensure proper risk mitigation. POLP is a concept that limits users’ access rights to only what are strictly required to do their jobs.
Having a tool that sends alerts when new accounts are created is a necessary cost to ensure unauthorized users can be identified immediately within the environment.
Despite the increasing complexity in cyber insurance and rapidly emerging and changing cyber threats, addressing these questions can help security leaders and cyber insurance providers alike bridge the knowledge gap between insurers and insured.
Source: World Economic forum