Create a ‘win-win’ scenario for security teams and cyber insurers

The reality of today’s threat landscape, compounded by increasing ransomware attacks, has created a challenging situation for enterprises and the cyber insurance companies that protect them.

Over the last few years, as claims outpaced forecasts and policies became unprofitable, cyber insurance providers raised prices, in some cases doubling or tripling premiums; reduced policy limits, especially for losses involving ransomware; restricted coverage; and added more stringent underwriting processes.

These changes have put enormous pressure on security and risk leaders, who today pay significantly more for less coverage, if they are approved at all.

The Risk Management Society assesses the situation clearly: “In 2022, cyber insurance became a C-level issue for commercial and government organizations. Risk managers felt fortunate if they could renew their cyber policy, maintain current coverage, and keep premium increases to below 50%.”

So how do security and risk leaders better align their organizations to not only get approved for coverage, but maintain or even reduce their premiums?

What cyber insurers need to know

Given the risks involved, many cyber policy applications today are surprisingly superficial. To simplify application review, most applications ask a series of yes-or-no questions about the presence of various security controls. Some applications let the applicant provide additional context about their environment, but for the most part, applications do not account for variations in risk or in the quality of controls. And what about the questions the application doesn’t ask? Most applications don’t ask whether the business aligns to a specific security framework (such as NIST) or if, and how, the company incorporates third-party threat intelligence to proactively protect against emerging threats.

Sure, there’s a follow-up conversation between the applicant and provider to review the application, and some kind of standard assessment or potentially even a penetration test. But each of these evaluation tools has significant limitations, and even in the best case, their results represent a single point in time rather than a continuous state of readiness. In the absence of proof that the applicant’s security controls are working, configured properly, and constantly validated, the insurance carrier will likely base its coverage decision, and its pricing, on the applicant’s binary yes-or-no responses and apply a one-size-fits-all formula based on broad industry averages.

Ultimately, it’s the applicant’s responsibility to ensure their insurance provider makes coverage decisions based on the real capabilities of their security controls and their resilience against attack.

Here are four critical areas companies should make sure their cyber insurer understands about the company’s cybersecurity program:

  • Security control effectiveness: More than listing the controls that are in place, insurers need to understand how effective they are and whether they are correctly configured. A list of the vendors and tools used in the applicant’s security program may show potential for security, but there’s a very real possibility that existing tools are being underutilized, or that misconfigurations make it easier for adversaries to turn those very tools into attack vectors.
  • Resilience against thousands of real-world attacks, including ransomware: As with other kinds of insurance, premiums rise with the likelihood of an incident. Showing that the company’s IT environment can successfully stop real-world attacks gives applicants hard evidence with which to negotiate costs.
  • Endpoint detection and response and firewall efficacy: Endpoints are a critical part of the attack surface, so naturally a growing number of advanced threats are designed to reach them. Showing the insurer that the applicant’s endpoint detection and response (EDR) and firewall technologies are effective against these threats may put the insurer at ease.
  • Proactive defenses against emerging threats: Integrating third-party threat intelligence keeps businesses ahead of the latest vulnerabilities and tactics, techniques, and procedures (TTPs). Responding to and mitigating these threats in real time not only decreases the likelihood that the organization will fall victim, but this level of proactivity also provides additional assurance to a provider.

Today, businesses expect their cyber insurance policy to cover cyber ransom, risks to brand reputation, fines, and third-party liability risks from their digital supply chain. In turn, to receive protection at a reasonable cost, CISOs need to validate and document the effectiveness of their security controls – and, by extension, the company’s resiliency – to their insurance provider.

Implementing continuous security validation (CSV), an automated approach that safely emulates attacker TTPs against the organization’s own defenses, can help achieve this. By running real-world attack scenarios against production environments, security teams can validate that controls are in place, properly configured, and working as promised.

Showing hard evidence of the company’s cyber resilience can help an applicant gain approval for coverage, and it may even help stretch the company’s budget a bit further. Of course, all environments vary, but some companies have reportedly used security control validation to reduce their premiums by as much as 15-20%.

Companies that implement robust security controls, and continuously test them to validate their effectiveness, should benefit from their investment. In turn, cyber insurance companies benefit from knowing that the companies they insure are worth the risk. It’s a win-win scenario.

Avishai Avivi, chief information security officer, SafeBreach
