Combatting the challenges of cyber insurance
By Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea
Cyber insurance is just like any other insurance policy. It helps businesses to offset costs related to damages from cybersecurity incidents like ransomware and data breaches. In the last 10 years, cyber insurance has become critical for almost every company that has a digital presence. This is because businesses are increasingly looking for some sort of financial security against potential cyber threats, such as ransomware, that are just lurking around the corner.
However, businesses face a frustrating challenge when it comes to getting covered, mostly due to soaring prices and a long list of complex eligibility criteria which will assess them against a range of different security controls and best practices.
The only solution, in this case, is increasing cyber insurance readiness and ensuring that best practices are implemented across the organization to demonstrate effective risk management. A key component for mitigating risk lies in ensuring effective identity and access controls are in place to keep pace with more stringent cyber insurance standards.
Cyber insurance policies: changing requirements
The cyber insurance industry is relatively new. In fact, before 2010, cyber insurance companies hardly existed outside Europe and America. Today, it’s a $7.6 billion industry, and it’s expected to grow to over $36 billion by 2028. This is evidently because digitalization has become a core requirement across almost every industry.
As digital and interconnected businesses multiply, so does the presence of cybercriminals in this space. With the added ‘convenience’ of the dark web and advanced automated tools, cybercriminals can launch attacks with minimal effort and resources, or simply buy cybercrime as a service by handing a chosen target to attackers for hire.
This growing need to protect the digital space and interconnected organizational networks has paved the way for cyber insurance companies to emerge as a unified umbrella of financial protection. However, this expanding set of threat vectors is also the reason why cyber insurance providers have to set up a long list of complex criteria before granting coverage to organizations.
The high demand and rising cost of claims in the current market are also driving up premiums. According to reports, coverage prices increased by 130% in the US and 92% in the UK in the fourth quarter of 2021 alone. Prices are also expected to keep rising this year because of ongoing inflation in the global economy and the financial impact of the Covid-19 pandemic.
What are the cyber insurance requirements?
Cyber insurance companies provide coverage based on an organization’s cybersecurity capabilities and infrastructural readiness. If a company’s cybersecurity infrastructure is not up to the mark, insurance providers will factor that additional risk into the coverage they offer. With cyberattacks becoming almost inevitable, it also comes down to how well prepared companies are to prevent or mitigate the impact of such attacks.
There is no specific industry standard yet for cyber insurance, and it changes based on the provider and different policy premiums. Some insurers base their criteria on the general standards set up by government regulators, while others have their own evaluation metrics.
However, most insurance providers consider three major factors of cybersecurity readiness – network firewall, antivirus, and access security control.
They are also likely to ask in-depth questions about a company’s risk management practices and security controls. For example, they might want to know how the company monitors potential threats or authenticates user access.
These factors are essentially the pillars of cybersecurity readiness and provide an accurate framework for insurance providers to assess the security infrastructure of their clients. In terms of access control, the more definitive criterion is privileged access management (PAM).
Managing “privileged access” to monitor credential usage behavior and potential risks
The majority of all cyberattacks are targeted at end-users. It’s often easier for cybercriminals to exploit a user’s lack of awareness than to target highly secured and encrypted systems. That’s why access control is one of the most important aspects of cybersecurity, and cyber insurance providers often check whether an organization has put in place common security controls to minimize risk. Among these are automating password management, protecting privileged accounts, limiting privileged access, and implementing multi-factor authentication. Making privileged access a core part of your strategy is one of the best practices that can help to demonstrate that you’re taking cyber security seriously.
If we look at the list of cyberattacks from 2022 alone, more than half of all incidents are due to credential leaks. It is becoming increasingly important to regulate who has access to your data and devices, particularly in larger organizations, where data is often stored in layers and different databases are managed by different departments. When access is not restricted, a single credential leak could expose the entire system.
Access control acts as a doorway between attackers and the core information system. Efficient access management can restrict attackers from inflicting significant damage, or even prevent such attacks entirely.
Privileged access management doesn’t only help build cyber insurance readiness, but it’s beneficial for the company as a whole. Large clusters of privileged credentials pose a serious threat to business networks. Having an automated solution that authenticates and assesses credential access in real-time can significantly reduce the risks of a security breach.
It also helps to efficiently set up and manage different levels of access to cloud platforms, including authentication, authorization, and monitoring. For example, if a user is not authorized to access a certain file or segment on the network, the PAM software can instantly report the incident and suspend all access, stopping certain cyberattacks or data breach attempts before they turn into a cyber catastrophe.
In short, PAM solutions grant designated, elevated access to specific internal users in order to secure an organization’s applications and network infrastructure. If a standard user can gain access to private or confidential data, that is a security threat, which is why privileged access management is critical for a company’s network security. Such solutions can protect companies from both internal and external threat actors by monitoring all administrative access and reporting any unusual behavior.
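The behaviour described above (authorize each privileged request against a policy, log every administrative action, report denials, suspend an account after repeated denials, and flag unusual but permitted access such as off-hours use or a first touch of a new resource) can be illustrated with a small access gate. The code below is an added example written for this article; it is not Delinea’s product or any PAM vendor’s code. The roles, policy, threshold, business hours and access requests are all constructed for the demonstration.

```python
"""Toy privileged-access gate: authorize, audit, report denials, suspend.

Constructed example; the policy, users and requests are invented.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed policy: which roles may perform which actions on which resource classes.
POLICY = {
    "dba": {("read", "db"), ("write", "db")},
    "helpdesk": {("read", "tickets")},
    "sysadmin": {("read", "db"), ("read", "tickets"), ("restart", "host")},
}
DENIAL_THRESHOLD = 3          # suspend after this many denied requests (assumed value)
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 counts as normal working time (assumed)


@dataclass
class AccessRequest:
    user: str
    role: str
    action: str
    resource_class: str
    resource: str
    at: datetime


@dataclass
class Gate:
    suspended: set = field(default_factory=set)
    denials: dict = field(default_factory=lambda: defaultdict(int))
    seen: dict = field(default_factory=lambda: defaultdict(set))  # per-user baseline
    audit: list = field(default_factory=list)

    def evaluate(self, req: AccessRequest) -> dict:
        """Decide one request, record it in the audit trail and return the entry."""
        if req.user in self.suspended:
            return self._record(req, "SUSPENDED", ["account suspended"])
        allowed = (req.action, req.resource_class) in POLICY.get(req.role, set())
        if not allowed:
            self.denials[req.user] += 1
            flags = ["not authorized"]
            if self.denials[req.user] >= DENIAL_THRESHOLD:
                self.suspended.add(req.user)   # cut off access after repeated denials
                flags.append("suspended after repeated denials")
            return self._record(req, "DENY", flags)
        flags = []
        if req.at.hour not in BUSINESS_HOURS:
            flags.append("outside business hours")
        if req.resource not in self.seen[req.user]:
            if self.seen[req.user]:            # only unusual once a baseline exists
                flags.append("first access to this resource")
            self.seen[req.user].add(req.resource)
        return self._record(req, "ALLOW", flags)

    def _record(self, req: AccessRequest, decision: str, flags: list) -> dict:
        entry = {"user": req.user, "action": req.action, "resource": req.resource,
                 "decision": decision, "flags": flags, "at": req.at.isoformat()}
        self.audit.append(entry)
        return entry

    def unusual(self) -> list:
        """Everything a reviewer should look at: denials, suspensions, odd-but-allowed use."""
        return [e for e in self.audit if e["flags"]]


def run_demo():
    """Replay a constructed sequence of requests through a fresh gate."""
    gate = Gate()
    t = datetime(2022, 6, 1, 10, 0)
    requests = [
        AccessRequest("alice", "dba", "read", "db", "db-prod-1", t),
        AccessRequest("alice", "dba", "read", "db", "db-prod-1", t.replace(hour=11)),
        AccessRequest("alice", "dba", "write", "db", "db-hr", t.replace(hour=23)),
        AccessRequest("bob", "helpdesk", "read", "db", "db-prod-1", t),
        AccessRequest("bob", "helpdesk", "read", "db", "db-prod-1", t),
        AccessRequest("bob", "helpdesk", "write", "db", "db-prod-1", t),
        AccessRequest("bob", "helpdesk", "read", "tickets", "tickets", t),
    ]
    return gate, [gate.evaluate(r) for r in requests]


if __name__ == "__main__":
    gate, _ = run_demo()
    for entry in gate.unusual():
        print(entry["at"], entry["user"], entry["decision"], entry["flags"])
```

Running the demo shows the two things an insurer’s questionnaire is really asking about: the helpdesk account is denied three times against the production database and then suspended, so its later legitimate request is refused as well, while the DBA’s off-hours write to a database she has never touched is permitted but flagged for review rather than silently allowed. A real PAM deployment does the same with a far richer policy model and forwards the audit trail to a SIEM.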
When it comes to getting insured, you’ll have to play the convincing game. Insurance providers need to be assured that your organization is more than capable of defending against potential threat actors and security incidents, and PAM solutions go a long way in providing that assurance.
Why does cyber insurance matter?
Cyberattacks are becoming increasingly common and frequent. By having any aspect of your business on the cloud, you are attracting hundreds of threat actors who want to exploit your valuable data and information. Having cyber insurance can give businesses financial security against such threats in the digital space.
Access control management doesn’t just reduce the risk to your business from internal and external threat vectors but also allows organizations to meet eligibility requirements for financial protection if the worst happens and a breach does occur.
About the Author
Joseph Carson is Chief Security Scientist and Advisory CISO at Delinea. He is a cyber security professional and ethical hacker with over 25 years’ experience in enterprise security, specializing in blockchain, endpoint security, network security, application security and virtualization, access controls, and privileged account management. He is a Certified Information Systems Security Professional (CISSP) and a cyber security advisor to several governments and to the critical infrastructure, financial, transportation, and maritime industries.
Joseph can be reached online at @joe_carson and at the company website, delinea.com.