Is Your Organization (Still) Cyber Insurable?

December 1, 2021


The current state of cyber insurance & cyber liability

Cyber insurance has been a hot topic in my recent roundtables with enterprises and technology leaders. Companies are concerned about the prospect of their cyber insurance premiums skyrocketing, and are suddenly faced with a more rigorous underwriting process that involves completing a security questionnaire related to their business practices, risk management approach, and what they are currently doing or using to mitigate risk. To renew their insurance, some customers are having to give a presentation on their organization’s security to the insurers.

In this blog, I will cover how the cyber insurance market is changing, why it is changing, and the new expectations for a company seeking to obtain, or maintain, cyber liability coverage.

How the cybersecurity insurance landscape is changing

It may not seem like it, but cyber liability insurance has been around for decades—since at least the late 1990s. Early policies tended to focus on covering the impact of computing errors, rather than acts of malice (i.e. cyberattacks). As the threat landscape has evolved, so too has the cyber insurance market.

Over the past 5-10 years, cyber insurance has become an increasingly common and accepted part of IT and enterprise risk management strategy. Cyber insurance customers gained some peace of mind in knowing that if they incurred a cyberattack that resulted in damages, they could file a claim, potentially lessening the fallout of such a negative incident by a considerable amount.

Fast-forward to 2020/2021. Bring on a global pandemic. Send everyone home en masse. Force those who have never worked from home to do so. Force companies that have never had a workforce outside of their network perimeter or brick-and-mortar building to now enable a primarily remote working model. Few organizations were adequately prepared for these scenarios. And amongst the majority of organizations that were caught off guard, many shortchanged security practices in the haste to make work-from-home work.

Unsurprisingly, these actions preceded and coincided with alarming spikes in cyberattacks, headlined by colossal breaches such as SolarWinds Orion, Colonial Pipeline, JBS Meats, and Kaseya. But these are only a few of the hundreds of thousands of cyber breaches and compromises that have occurred. In addition to the proliferation of breaches causing downtime, there was a 141% increase in records breached in 2020 over 2019.

Of course, we cannot overlook the leading role ransomware has played over the past two years. In 2020, ransomware surged 150%, and, in 2021, it has been responsible for much pain across both the public and private sectors. The average ransomware payout has increased precipitously, from $115k in 2019, to $312k in 2020, to $570k in the first half of 2021, according to research by Palo Alto Networks' Unit 42.

Cyber liability underwriting requirements become more stringent

So, how is today’s threat landscape impacting the cyber insurance market?

While the economics for ransomware operators have been growing more favorable, the economics of the cyber insurance industry are faltering. To stay solvent and viable, many cyber insurers are steeply increasing premiums, dropping coverage, or exiting the cyber insurance market altogether. Insurers are also tightening underwriting guidelines and mandating that their customers have certain security controls in place, such as privileged access management (PAM).

A bad, or “unlucky,” driver who has been involved in several accidents, or who has a heavy foot and has been caught speeding several times, will almost certainly see their auto policy premiums become more expensive, or even be dropped by their carrier. The cyber insurance market is no different. From the cyber insurer’s standpoint, in today’s environment, not every insurance applicant is a good candidate, and not every customer is a good customer.

Qualification for cyber liability coverage is being scrutinized and potentially denied based on the answers of prospective and current customers to security checklists and questionnaires. Cyber insurance companies are also increasingly hiring security professionals to help them navigate the path to insuring qualified customers and denying those who don’t qualify or otherwise pose too big of a risk to insure.

Another development is that some insurers are breaking their insurance offerings into coverages for malware, spyware, and ransomware, to name a few. So, while an organization might qualify for basic malware coverage, they might not qualify for ransomware insurance coverage.

How to improve your cyber insurability

If your company is looking for cyber insurance, but isn’t taking robust precautions to protect against cyber threats, don’t think cyber insurance is going to bail you out. Insurers will be holding companies accountable for their cybersecurity programs and technology controls. They expect and demand that their customers adequately uphold their end of the bargain with regard to mitigating risk, reducing the attack surface, and maturing their IT security strategies.

In addition, if you are impacted by a cyberattack, a cyber insurer may require proof that you had the agreed-upon security controls in place. Absence of a control, even on a single endpoint or application, may give the insurer the leeway it needs to deny your claim in a court of law.

Implementing and maturing your privileged access security controls ranks as one of the most impactful ways you can not only proactively reduce cyber risk and minimize your attack surface, but also improve your ability to obtain cyber insurance coverage and get the best rates. Multiple security controls provided partly or wholly by PAM solutions are now commonly required by cyber insurers. Some of these controls include:

  • Enforcing least privilege (including removing admin rights) across human and machine accounts
  • Applying multi-factor authentication for remote network access that originates outside your network by employees and third parties (e.g. VPN, remote desktop)
  • The ability to identify and remediate indicators of compromise (IoCs)
  • Defense against ransomware (PAM provides blended ransomware and malware protection that can dismantle many phases of the attack—preventing it from landing and/or spreading)

You can learn more about how PAM helps address cyber insurer requirements in this cybersecurity insurance checklist.

Privileged access management can help eliminate internal and external attack vectors and protect your privileges across all your assets, no matter if they are on-prem, in the cloud, on endpoints, or are used by your vendors. And while I would love to tell you that PAM can solve all your security needs and that PAM alone is enough to qualify for cyber insurance, the truth is that PAM is just one, albeit a highly important one, of many security tools needed to truly help protect organizations against modern threat actors.

If you’d like to learn more about how BeyondTrust PAM can help you meet cyber liability insurance requirements, check out our page here.


Christopher Hills, Chief Security Strategist, BeyondTrust

Christopher L. Hills has more than 15 years’ experience as a Senior Security and Architecture Engineer operating in highly sensitive environments. Chris is a military veteran of the United States Navy and started with BeyondTrust after his most recent role leading a Privileged Access Management (PAM) team as a Technical Director within a Fortune 500 organization. In his current position, he has responsibilities as a Senior Solutions Architect consulting on PAM implementations and reports to the Office of the CTO as Chief Security Strategist for the Americas. In his free time, Chris enjoys spending time with his family on the water with their 32-foot speedboat in the summer and taking to the sand dunes and off-roading in the winter.
