The current state of cyber insurance & cyber liability
Cyber insurance has been a hot topic in my recent roundtables with enterprises and technology leaders. Companies are concerned about the prospect of their cyber insurance premiums potentially sky-rocketing, and are suddenly faced with a more rigorous underwriting process that involves completing a security questionnaire related to their business practices, risk management approach, and what they are currently doing or using to mitigate risk. To renew their insurance, some customers are having to give a presentation on their organization’s security to the insurers.
In this blog, I will cover how the cyber insurance market is changing, why it is changing, and the new expectations for a company seeking to obtain, or maintain, cyber liability coverage.
How the cybersecurity insurance landscape is changing
It may not seem like it, but cyber liability insurance has been around for decades, since at least the late 1990s. Early policies tended to focus on covering the impact of computing errors rather than acts of malice (i.e. cyberattacks). As the threat landscape evolved, so too has the cyber insurance market.
Over the past 5-10 years, cyber insurance has become an increasingly common and accepted part of IT and enterprise risk management strategy. Cyber insurance customers gained some peace of mind in knowing that if they suffered a cyberattack that resulted in damages, they could file a claim, potentially lessening the fallout of the incident by a considerable amount.
Fast-forward to 2020/2021. Bring on a global pandemic. Send everyone home en masse. Force those who have never worked from home to do so. Force companies that have never had a workforce outside their network perimeter or brick-and-mortar building to enable a primarily remote working model. Few organizations were adequately prepared for these scenarios. And among the majority of organizations that were caught off-guard, many shortchanged security practices in the haste to make work-from-home work.
Unsurprisingly, these actions preceded and coincided with alarming spikes in cyberattacks, headlined by colossal breaches such as SolarWinds Orion, Colonial Pipeline, JBS Meats, and Kaseya. But these are only a few of the hundreds of thousands of cyber breaches and compromises that have occurred. In addition to the proliferation of breaches causing downtime, there was a 141% increase in records breached in 2020 over 2019.
Of course, we cannot overlook the leading role ransomware has played over the past two years. In 2020, ransomware surged 150%, and, in 2021, it has been responsible for much pain across both the public and private sectors. The average ransomware payout has increased precipitously, from $115k in 2019, to $312k in 2020, to $570k the first half of 2021, according to research by Palo Alto Networks' Unit 42.
Cyber liability underwriting requirements become more stringent
So, how is today’s threat landscape impacting the cyber insurance market?
While the economics for ransomware operators have been growing more favorable, the economics of the cyber insurance industry are faltering. To stay solvent and viable, many cyber insurers are steeply increasing premiums, dropping coverage, or exiting the cyber insurance market altogether. Insurers are also tightening underwriting guidelines and mandating that their customers have certain security controls in place, such as privileged access management (PAM).
A bad (or "unlucky") driver who has been involved in several accidents, or who has a heavy foot and has been caught speeding several times, will almost certainly see their auto policy premiums become more expensive, or even be dropped by their carrier. The cyber insurance market is no different. From the cyber insurer's standpoint, in today's environment, not every insurance applicant is a good candidate, and not every customer is a good customer.
Qualification for cyber liability coverage is being scrutinized, and potentially denied, based on the answers of prospective and current customers to security checklists and questionnaires. Cyber insurance companies are also increasingly hiring security professionals to help them navigate the path to insuring qualified customers and denying those who don't qualify or otherwise pose too big a risk to insure.
Another development is that some insurers are breaking their offerings into separate coverages for malware, spyware, and ransomware, to name a few. So, while an organization might qualify for basic malware coverage, it might not qualify for ransomware coverage.
How to improve your cyber insurability
If your company is looking for cyber insurance but isn't taking robust precautions to protect against cyber threats, don't think cyber insurance is going to bail you out. Insurers will be holding companies accountable for their cybersecurity programs and technology controls. They expect and demand that their customers uphold their end of the bargain with regard to mitigating risk, reducing the attack surface, and maturing their IT security strategies.
In addition, if you are impacted by a cyberattack, a cyber insurer may require proof that you had the agreed-upon security controls in place. Absence of a control, even on a single endpoint or application, may give the insurer the leeway it needs to deny your claim in a court of law.
Implementing and maturing your privileged access security controls ranks as one of the most impactful ways you can not only proactively reduce cyber risk and minimize your attack surface, but also improve your ability to obtain cyber insurance coverage and get the best rates. Multiple security controls provided partly or wholly by PAM solutions are now commonly required by cyber insurers. These controls include:
- Enforcing least privilege (including removing admin rights) across human and machine accounts
- Applying multi-factor authentication to remote network access by employees and third parties that originates from outside your network (e.g. VPN, remote desktop)
- The ability to identify and remediate indicators of compromise (IoCs)
- Defense against ransomware (PAM provides blended ransomware and malware protection that can dismantle many phases of the attack—preventing it from landing and/or spreading)
You can learn more about how PAM helps address cyber insurer requirements in this cybersecurity insurance checklist.
Privileged access management can help eliminate internal and external attack vectors and protect your privileges across all your assets, whether they are on-prem, in the cloud, on endpoints, or used by your vendors. And while I would love to tell you that PAM can solve all your security needs and that PAM alone is enough to qualify for cyber insurance, the truth is that PAM is just one, albeit a highly important one, of many security tools needed to truly protect organizations against modern threat actors.
Christopher Hills, Chief Security Strategist, BeyondTrust
Christopher L. Hills has more than 20 years' experience as a Technical Director, Senior Solutions Architect, and Security Engineer operating in highly sensitive environments. Chris is a military veteran of the United States Navy and joined BeyondTrust after his most recent role leading a Privileged Access Management (PAM) team as a Technical Director within a Fortune 500 organization. In his current position, he has responsibilities as Chief Security Strategist (Americas), working with customers, marketing, and executives on thought leadership, market trends, and company vision and strategy, reporting to the CSO. Chris has held the Deputy CTO and Deputy CISO roles since starting with BeyondTrust. In his free time, Chris enjoys spending time with his family on the water boating, supporting his son's football career as a senior, going to the sand dunes, and offroading.