As many business owners know, cyber insurance coverage can be difficult to navigate, but it’s also getting increasingly difficult to secure.
The global cybersecurity landscape looks nothing like it did before the pandemic changed the way we work. Organizations of all sizes now face a greater number of sophisticated cyber threats than ever before, and they’ve never had to defend a blurrier network security perimeter, with many employees working at least some days of the week from remote locations, using work and personal devices alike.
Cyber insurers are responding by tightening their underwriting guidelines and, increasingly often, denying coverage to organizations that don’t have specific cybersecurity controls in place. If you fear that you could be among them, then the information in this blog post may be just what you need to ace your next cyber insurance coverage renewal and keep your insurance premiums from increasing.
The Cybersecurity Insurance Industry Is in Trouble – and So Are You!
The fifth annual Hiscox Cyber Readiness Report reveals that more organizations were targeted by cybercriminals in 2020 than in 2019, and those who needed to defend their business often did so several times.
It took attackers no time at all to realize that the chaos caused by the pandemic was the perfect breeding ground for phishing attacks, which surged nearly 400 percent, according to data published by Google. Since phishing is one of the most common ways ransomware operators gain their initial foothold, the fact that the average weekly number of ransomware attacks has increased 93 percent over the past 12 months shouldn’t be a huge surprise.
What may surprise you, however, is that the average ransom payment increased from an average of $84,116 in the fourth quarter of 2019 to an average of $154,108 in Q4 2020, as revealed by ransomware negotiation and response firm Coveware.
On several occasions, ransoms rocketed from five-figure price tags into the millions, such as when Garmin reportedly paid $10 million to bring its wearables, apps, website, and call centers back online, or when Colonial Pipeline paid approximately $5 million to hackers to restore access to the computerized equipment managing the oil pipeline system.
Because of these and other factors, the global insurance community saw the first two cyber insurance programs exceed $1 billion in 2020. More recently, several cyber insurers have announced a revamped approach to the cyber market, with AIG introducing ransomware co-insurance and sub-limits.
“We continue to carefully reduce cyber limits and are obtaining tighter terms and conditions to address increasing cyber loss trends, the rising threat associated with ransomware and the systemic nature of cyber risk generally,” said AIG’s CEO Peter Zaffino.
Consequently, organizations looking for cyber insurance in 2021 should have in place certain specific cybersecurity controls, otherwise they risk being denied coverage and potentially experiencing a major financial hit caused by a ransomware attack or some other cyber threat.
Controls You Should Have in Place Before Your Next Renewal
If you’re about to renew your cyber insurance policy, then the worst thing you can do is to go in unprepared. For the reasons I’ve just explained, cyber insurers are tightening their underwriting guidelines and requiring more information to better understand how likely their clients are to experience a security incident.
Clients that don’t meet their security requirements can expect to pay a lot more than those who do, and some insurance carriers even refuse to renew policy coverage altogether.
“Nearly all cyber insurance carriers now require a supplemental application that includes questions on security and process controls which would prevent or at least minimize the impact and cost of a ransomware attack,” explains Woodruff Sawyer, one of the largest insurance brokerage and consulting firms in the US.
Woodruff Sawyer breaks down the processes and security tools implemented by clients into three categories: minimum required controls, baseline controls, and best practices.
Minimum Required Controls
The minimum controls carriers want to see in place before they will offer terms all target well-known, repeatedly exploited causes of security incidents. Here are the things you need to do to meet them:
- Secure your email: Email is the biggest delivery vector for malware because busy employees can’t always tell a malicious link or attachment from a legitimate one. Spam and malware filtering, attachment sandboxing, and sender authentication (SPF, DKIM, and DMARC) go a long way toward making email safer for everyone.
- Take advantage of multi-factor authentication (MFA): Passwords alone don’t provide sufficient protection because a single leaked, reused, or brute-forced password can have disastrous consequences. By requiring two or more verification factors, MFA stops the overwhelming majority of automated account-compromise attempts; Microsoft has reported that it blocks more than 99.9 percent of them. Carriers typically ask specifically whether MFA is enforced on remote access (VPN, RDP), email, and administrative accounts, so cover those first.
- Implement a basic backup and recovery strategy: The Ponemon Institute put the average cost of a data breach at roughly $141 per lost or stolen record. Even a relatively basic backup and recovery strategy that protects key systems and databases is often enough to restore lost data following an incident and limit its financial impact.
- Regularly patch all software: Unpatched software may contain easily exploitable vulnerabilities, so regular patching is a must. Thanks to patch management solutions, keeping your organization’s software stack and IT infrastructure up to date doesn’t have to be a burden.
- Invest in cybersecurity awareness training: Employees remain the weakest link in the cybersecurity chain, but they don’t have to be. Regular awareness training equips them with the knowledge and skills they need to recognize and report attacks.
Baseline Controls
Since the bare minimum is no longer enough to reliably keep increasingly sophisticated threats at bay in 2021, many carriers now treat the baseline controls described below as the new minimum:
- Document your incident response plan: The first seconds, minutes, and hours following a data breach are extremely critical because they can be the difference between speedy recovery and prolonged downtime. Having a documented incident response plan is a great way to prevent chaos and ensure that everyone knows what to do.
- Have in place a comprehensive backup and recovery strategy: Backing up key systems and databases once in a while is a good start, but there’s a lot more you can do to protect your data: back up on a schedule that matches how much data you can afford to lose, keep at least one copy offline or otherwise unreachable from your production network so that ransomware cannot encrypt it along with everything else, and regularly test that you can actually restore from those backups. An untested backup is a hope, not a control.
- Establish a secure baseline configuration: A secure baseline configuration is a documented set of agreed security settings for your operating systems, applications, and services, so that new infrastructure components are deployed secure by default and drift from the standard can be detected. Published hardening benchmarks, such as the CIS Benchmarks, are a common starting point.
- Filter web browsing traffic: The web is a dangerous place, and a lot of malicious content (drive-by downloads, credential-phishing pages, malware command-and-control traffic) can be blocked with straightforward web filtering.
- Use a protective DNS service: One way to filter web browsing traffic is to use a protective DNS service to block suspicious domain name queries before they’re resolved. Protective DNS services are constantly updated, and virtually any device can be configured to use them.
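To make the baseline-configuration control above concrete, here is an added example (not code from the original post) that checks an OpenSSH server configuration against a documented baseline and reports drift. The baseline values and the two sshd_config samples are constructed for illustration; the point is the technique: absent directives are evaluated against the effective OpenSSH default rather than treated as compliant, only the first occurrence of a directive counts (as sshd itself behaves), and conditional Match blocks are excluded from the global check.

```python
"""
Added example (not from the original post): compare an sshd_config against a
documented secure baseline and report drift. The BASELINE values and both
sample configurations are constructed for illustration.
"""
from typing import Dict, List, Tuple

# Documented baseline: directive -> acceptable values (lower-case).
# Assumed values chosen to illustrate the technique; adapt to your standard.
BASELINE: Dict[str, set] = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "x11forwarding": {"no"},
    "maxauthtries": {"3", "4"},
    "loglevel": {"verbose"},
    "permitemptypasswords": {"no"},
}

# What OpenSSH uses when the directive is absent. A missing directive is
# therefore checked against the default, not silently accepted.
DEFAULTS: Dict[str, str] = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
    "maxauthtries": "6",
    "loglevel": "info",
    "permitemptypasswords": "no",
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return global-section directives. As in sshd, the first occurrence of a
    directive wins; directives inside Match blocks are conditional and are
    not part of the global baseline check."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def check_baseline(config_text: str) -> List[Tuple[str, str, str]]:
    """Return drift entries as (directive, effective value, expected values)."""
    settings = parse_sshd_config(config_text)
    drift: List[Tuple[str, str, str]] = []
    for key, allowed in BASELINE.items():
        effective = settings.get(key, DEFAULTS[key])
        if effective not in allowed:
            drift.append((key, effective, "|".join(sorted(allowed))))
    return drift


# Constructed sample: meets the baseline.
COMPLIANT = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 3
LogLevel VERBOSE
PermitEmptyPasswords no
"""

# Constructed sample: looks hardened at a glance but is not.
DRIFTED = """
PermitRootLogin no
PasswordAuthentication yes   # re-enabled for a "temporary" migration
PermitRootLogin yes          # ignored by sshd: the first value wins
MaxAuthTries 10
Match User deploy
    PasswordAuthentication no
"""

if __name__ == "__main__":
    print("compliant drift:", check_baseline(COMPLIANT))
    for key, value, expected in check_baseline(DRIFTED):
        print(f"DRIFT {key}: effective={value!r} expected={expected}")
```

Running it shows the drifted sample failing on PasswordAuthentication, MaxAuthTries, and LogLevel (the last one because the directive is absent and the default INFO does not meet the assumed baseline), while the second PermitRootLogin line is correctly ignored because sshd honours the first value.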
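The backup bullets above (the basic strategy among the minimum controls and the tested, off-network backups among the baseline controls) both come down to one question carriers will ask: can you prove a restore works? The following added example (not code from the original post) builds a SHA-256 manifest for a backup set and then performs a restore test that detects missing, altered, or unexpected files and flags a backup that is older than the recovery point objective. The directory layout, file contents, and one-day RPO are constructed for the demonstration.

```python
"""
Added example (not from the original post): write a SHA-256 manifest for a
backup set, then run a restore test against it. Everything here runs inside
a temporary directory with constructed sample data.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, Optional

RPO_SECONDS = 24 * 3600  # assumed recovery point objective: one day


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, dest: Path) -> Path:
    """Copy the source tree to dest/data and record a manifest of digests."""
    shutil.copytree(source, dest / "data")
    manifest = {
        "created": time.time(),
        "files": {
            p.relative_to(source).as_posix(): sha256_file(p)
            for p in sorted(source.rglob("*")) if p.is_file()
        },
    }
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return dest


def verify_backup(backup: Path, now: Optional[float] = None) -> Dict:
    """Restore test: recompute every digest and compare it with the manifest.
    The report's 'ok' is True only if nothing is missing, corrupt, unexpected
    or older than the RPO."""
    now = time.time() if now is None else now
    manifest = json.loads((backup / "manifest.json").read_text())
    data = backup / "data"
    report: Dict = {"missing": [], "corrupt": [], "unexpected": []}
    for rel, digest in manifest["files"].items():
        p = data / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) != digest:
            report["corrupt"].append(rel)
    expected = set(manifest["files"])
    for p in data.rglob("*"):
        rel = p.relative_to(data).as_posix()
        if p.is_file() and rel not in expected:
            report["unexpected"].append(rel)
    report["stale"] = now - manifest["created"] > RPO_SECONDS
    report["ok"] = not (report["missing"] or report["corrupt"]
                        or report["unexpected"] or report["stale"])
    return report


def demo() -> Dict[str, Dict]:
    """Constructed scenario: a fresh backup, the same backup judged two days
    later, and the backup after one file is altered and another deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "src"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.sql").write_text(
            "INSERT INTO customers VALUES (1, 'constructed');\n")
        (src / "config.ini").write_text("[app]\nmode = prod\n")

        backup = create_backup(src, root / "backup")
        fresh = verify_backup(backup)
        created = json.loads((backup / "manifest.json").read_text())["created"]
        stale = verify_backup(backup, now=created + 2 * RPO_SECONDS)

        # Simulate damage to the backup copy itself (e.g. ransomware reaching
        # a backup share that was still on the network).
        (backup / "data" / "config.ini").write_text("[app]\nmode = prod\n# encrypted\n")
        (backup / "data" / "db" / "customers.sql").unlink()
        damaged = verify_backup(backup)
        return {"fresh": fresh, "stale": stale, "damaged": damaged}


if __name__ == "__main__":
    for name, report in demo().items():
        print(f"{name}: ok={report['ok']} missing={report['missing']} "
              f"corrupt={report['corrupt']} stale={report['stale']}")
```

The damaged scenario is the one that matters for insurance questionnaires: a backup that lives on the same network as production can be encrypted or deleted along with everything else, and only a restore test (not the existence of a backup job) reveals it. In practice the manifest should be stored with the offline copy and the test scheduled, with failures routed to the same alerting as any other security event.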
Best Practices
Of course, carriers are most comfortable when their clients do a lot more than the bare minimum to protect their IT infrastructure and data. Ideally, they want to see them take the following steps:
- Encrypt sensitive data: Encryption at rest greatly reduces the consequences of physical data theft, such as when a thief snatches a laptop or smartphone belonging to a remote employee working from a cozy café, so full-disk encryption should be enabled on every device that supports it. Keep in mind that it protects data on a lost or stolen device, not data that an attacker reaches through a logged-in user, so it complements rather than replaces the other controls here.
- Use an endpoint detection and response tool: Traditional antivirus software can’t reliably protect against the wide spectrum of rapidly evolving attacks that organizations are exposed to these days. Endpoint detection and response tools make it possible for security teams to continuously monitor all endpoints from a centralized location and respond to threats quickly and effectively.
- Conduct regular penetration testing: The purpose of penetration testing is to reveal weaknesses in an organization’s cybersecurity defenses by using the same techniques real attackers would use to exploit vulnerabilities. When a weakness is discovered, it can be fixed before attackers realize that it exists.
- Continually monitor all IT systems: Suspicious activity is often the first and only sign of an attack in progress. Centralized collection of logs and alerts from multiple systems lets analysts determine which alerts are real and act on the most effective remediation of detected threats.
- Segment network traffic: By dividing your network into multiple segments or subnets with controlled paths between them, you can enforce granular policies and make it much harder for an attacker who has compromised one workstation to move laterally to valuable assets. Network segmentation also helps localize technical issues and improves monitoring.
Conclusion – How to Maintain Cyber Insurance Coverage
In a world where the future is as uncertain as the present, cyber insurance policies can provide welcome peace of mind, improving the odds of your organization financially surviving a security incident. If you already have a cyber insurance policy and would like to renew it soon, then keep in mind that your policy premium could increase substantially unless you have in place the required controls.
Implementing these controls can be a challenge, but it’s a challenge that’s well worth the effort, which doesn’t have to be all that substantial—especially if you partner with the right provider of managed cybersecurity services.
Let’s discuss your cyber security setup.