Cyber reinsurance and cyber liability insurance have many companies running ragged due to new insurance requirements. As risk to companies from cyber attacks has increased, the insurance companies have become more stringent. What can CISOs do to meet these requirements and keep premiums down while minimizing the toll they take on their teams, who already have their hands full protecting company assets?
The Internet bubble of 1994-2000 was composed primarily of Internet Service Providers. At that time, enterprise risk management was already a concept that included cybersecurity. The mid-90s also saw the first sightings of cyber liability insurance. It provided limited coverage, reflecting the rudimentary state of computing and the issues of that time: online media and errors in data processing were the only coverage areas. In the 2000s, as Internet use and Internet threats grew, cyber liability coverages expanded as well.
Recent years have seen cybersecurity threats and incidents worsen with the continued proliferation of phishing, malware, business email compromise, ransomware, and social engineering. As with non-cyber liability insurance, there are various types of cyber insurance coverage. These include Network Security (primarily for losses due to cyber attacks performed via networks), Extortion, Forensic Investigations, Computer Data Loss, and Business Interruption.
The Cost of Doing Business Skyrockets
By 2020, cyber insurance companies were issuing astronomical payouts for ransomware events, which are now rising by 40% year over year. This cost of doing business has insurers pondering more strategic approaches to the rising costs of ransomware and other events. Additional drivers of the uptick in claims have been privacy regulations such as GDPR (General Data Protection Regulation), BIPA (Biometric Information Privacy Act), and CCPA (California Consumer Privacy Act).
Cyber insurers found that many of their customers were missing the mark on their security posture. Organizations were deficient in maintaining the core foundational security measures and controls that should have been implemented at the start of their security programs. Insurers began taking longer to process renewal applications and conducting stronger due diligence, in some cases dropping customers from coverage altogether or raising their premiums by 2x or 3x.
Leveling the Playing Field with Controls
To level the playing field for all cyber liability insurance customers, insurance companies took a hard stance, requiring all customers to complete a “Supplemental Ransomware Questionnaire.” This effectively provided a review of a customer’s current security posture and maturity based on 14 core security controls. These core controls, aligned with frameworks such as NIST CSF and ISO 2700X, were meant to help a customer respond more favorably to a ransomware event and further reduce the high cost of claims. They include:
- Multi-Factor Authentication
- Security Monitoring (SIEM, SOC, MSSP)
- Network Segmentation: Isolation of critical and sensitive data/assets
- Backups: 3 backup solutions to ensure the availability of data during an incident
- Endpoint Detection and Response
- Resilience: Business Continuity Plans, Incident Response Plans, etc.
Initiatives CISOs Should Consider
- Dust off your recent security risk assessment and confirm that all remediation items have been completed. If it’s been over a year, conduct that assessment again.
- Invest in the training of your security operations center (SOC) staff, threat hunters, and incident responders through attack simulation, cyber ranges, and ongoing war games (e.g. tabletop exercises). Regular training is key.
- Relatedly, ensure your Incident Response Plan is up to date, especially by confirming and validating roles and responsibilities, communication information, external and third-party contacts and requirements, and how your organization classifies an incident and its severity.
- Business Continuity and Disaster Recovery. When was the last time you conducted a Business Impact Analysis (BIA) of your critical business functions and assets? Do you have your RPO (Recovery Point Objective) and RTO (Recovery Time Objective) defined? Have you tested your disaster recovery processes, especially with your cloud providers?
- Phishing emails. This is still the top source (attack vector) for ransomware and malware incidents. Do you know who your riskiest users are? How are you addressing unintentional or accidental insiders?
In addition to meeting insurance company requirements, CISOs should take the time to re-evaluate their security programs to increase maturity, address current cyber threats, and reduce overall risk to the organization. Start filling your roadmap with initiatives that, in the end, will have you operating with resilience in mind.