With the frequency and intensity of phishing, ransomware, and denial of service attacks increasing, companies have shown a greater demand for cyber insurance. Yet, cyber insurance might not be readily available to all who want it in 2023. With policy costs rising, insurers want proof that strong cybersecurity strategies and benchmarks are in place before agreeing to provide coverage. Many companies have no choice but to meet those terms, as more organizations are requiring that their business partners carry cyber coverage.
Luckily, carriers and underwriters are responding favorably to companies instituting robust security controls and incident response plans — especially those prepared to dive deep into their cybersecurity architectures and security roadmaps. In fact, these controls aren’t necessarily technology-specific and are based on the policy and documentation processes that your organization may already have established. At Planet, we believe security is what you enable, and compliance is proving the strength of what you’ve enabled. One without the other may not deliver the real benefits you expect from your insurance policy, but that’s why we’re here to help support your organization in its cyber insurance journey.
Step #1: Be Realistic About Your Current Security Environment
Underwriters often assess security systems and practices by using open-source scanning tools and by partnering with outside cybersecurity firms to vet customers. Are you comfortable with what they would find in evaluating your organization’s environment?
During these evaluations, they’re looking for evidence of specific cybersecurity controls and practices, and upcoming 2023 audits will examine certain areas more closely than ever before.
Since ransomware attacks typically start on workstations and servers, endpoint security will be under the microscope. Initially, insurers wanted to see that a company trained its employees in phishing and credential theft techniques and used endpoint detection and response (EDR/XDR) solutions to help identify and remediate suspicious activity.
In this environment, improving and demonstrating the effectiveness of security controls will now be essential, both for organizations looking to improve their cyber resilience and oversight while enhancing their eligibility with insurers, and for insurers who need to minimize their own exposure by ensuring the accuracy of their risk pricing process. These are likely to include the items below (potential solutions in parentheses):
- Multi-factor authentication (AAD P1)
- Endpoint protection (Defender for Endpoint)
- Restricted administrator privileges (AAD P2)
- Email security (Defender for O365)
- Patch OS/application
- Staff awareness (Security Awareness Training, e.g. Evolve 365)
- Regular backups
- Tested business resilience planning
- Disaster recovery planning
- Security monitoring platform with proactive management capabilities and automated breach detection (Sentinel)
Step #2: Maximize Protection for Your People
The best way to make sure that you can obtain cyber insurance and ensure it remains cost-effective is by adequately protecting your organization, your partners, and your customers. Be sure to follow best risk management practices to ensure your organization employs effective security controls that quickly identify and manage any emerging cyber risk. This will give your business the best chance of identifying potential cyber security weak spots and, if the worst happens, still being able to benefit from a cost-effective cyber insurance policy that funds containment and recovery activities.
Requirements for multi-factor authentication (MFA) — a checkmark item for insurers until recently — are also growing. Insurers started to dig deeper as more post-payout analyses revealed MFA wasn’t being fully utilized, particularly in the healthcare and higher education sectors. They found major coverage gaps for privileged accounts, which are often not linked to a specific person (e.g., the admin account that exists on every server) but are used by system administrators and other privileged users and guard access to sensitive data. As a result, underwriters have started mandating privileged access management (PAM) for privileged accounts not tied to specific users (i.e., local admin, root and service accounts) to achieve MFA, along with isolation of high-value assets.
Step #3: Ensure Your Organization Has the Following in Place for 2023
Even for small organizations, cyber insurance providers moving forward will require at a minimum the following as we head into 2023:
- Multi-factor authentication
*Note that the above list is anticipated to become standard for all policies over $500K.
While not yet mandatory for insurance purposes, implementing the new minimum requirements issued by CISA would also help government customers avoid significantly higher premiums from insurance providers. This is especially relevant if the entity has a platform that continuously monitors exposures throughout the lifetime of the policy and alerts the insured before a breach occurs.
We at Planet understand that you have a decision to make as a business regarding what cyber insurance plan you can afford this new year. However, we can help you make sure your environment has the best practices in place to protect against ballooning insurance costs.
From controlling your O365 and Azure environments to implementing necessary policies that more insurers are requiring organizations to obtain, Planet has you covered in 2023.