Cyber Insurance Qualification Requires Identity Security & Privileged Access Management

Cyber insurance provides insurance coverage for events including data breaches, downtimes, and cyberattacks. Cyberattacks may include malware, ransomware, phishing, DDoS, hacking, insider threats, and more. Offerings and coverage will vary depending on the policy issuer.

Ransomware costs remain stubbornly high. Sectors such as manufacturing and healthcare are often prime ransomware targets, due to the criticality of network or systems downtime and a stronger likelihood of the victim paying the ransom. One thing we do know is that the number one goal of ransomware operators is getting paid, so they’re incentivized to request a ransom that they think the organization can reasonably pay.

Understanding what your maximum loss is — given your IT infrastructure, and particularly your backups — will help determine what limit you can buy. Insurance in this case transfers the risk of the financial impact of a loss that you cannot mitigate through your own backups procedures.

Paying off a ransomware operator is the last thing anyone wants to do.

Research shows that 80% of organizations who fell victim to ransomware paid the ransom. Of those who paid, 77% relied on cyber insurance policies to cover the payment. Even the FBI does not recommend paying the ransom, as 21% of organizations who paid were unable to retrieve their data from the cybercriminals.

To avoid paying the ransom, there need to be some key elements in place to mitigate having to pay, such as a full Disaster Recovery plan and a Business Continuity plan. If you don’t have valid backups, if you don’t have a plan in place, and if you haven’t tested or validated your backups, you may feel no choice but to pay it.

Most cybersecurity insurance questionnaires have a N/A option, but you must provide feedback as a requirement as to why you marked it N/A. Many insurance companies encourage clients to complete an addendum document (a simple word document) along with the application, where they can then clarify their answer to any question that does not perfectly relate to their industry, network infrastructure, or other circumstance.

Companies should follow industry-recognized frameworks for their security programs. Some follow NIST, CIS Controls, or MITRE, just to name a few. Each framework has slightly different ways of approaching security, but at the core they accomplish the same objective — providing a methodical security program to protect against bad actors. Consider the various frameworks out there depending on your industry, and then build your security program around it.

Following best practices for implementing security controls, creating and testing an incident response plan, and maintaining a comprehensive employee security awareness program are great initial steps to mitigating cyber risks.

Companies with the best cyber risk profiles will get the lowest available premiums. There is no direct relationship between InfoSec controls and premiums savings, such as with a safe driver credit on auto insurance, or a sprinklered building credit on property insurance. However, if your agent is marketing your coverage to multiple carriers (which would be a good thing to do after investing in your network security infrastructure), then that may help you get the best premium available in the marketplace.

It’s unlikely that your insurance premiums will go down year over year (at least for the time being); however, you can best manage how much they go up by presenting the best possible cyber risk profile to the marketplace. A Ransomware Supplemental Application showing key controls are in place is a big factor in this. Having these key controls in place is crucial:

• Patch and vulnerability management
• Multifactor authentication (MFA) for email, remote network access, and privileged/admin access. Use FIDO2 authentication for the most sensitive accounts.
• Removal of admin rights
• Perform user access reviews and ensure access is continuously right-sized
• Management of privileged accounts and secrets
• Backups that are encrypted and kept offline or in the cloud
• Employee Awareness Training
• Auditing of privileged activity and access
• Threat detection and response
• Cyber Incident Response Plan (that has been tested)

The best pricing will typically go to companies that have a 24/7 security operations center (whether in house or third party), have total control over their privileged accounts and service accounts, can show a proper patching cadence, and have no exposure to open ports. Most carriers do some kind of external vulnerability scan that detect these things. A good score helps push you into that best pricing category.

Terms may vary from cyber insurer to cyber insurer. Organizations need to maintain the right controls in place. This is why holistic, cross-domain visibility of your entire security estate is important, which in practice, can look like:

• Ensuring all privileged accounts are identified and have appropriate MFA implemented, preferably phishing-resistant FIDO2.
• Assessing, adjust, and prevent excessive permissions for human and machine identities — and right-size access for all.
• Implementing robust privileged access security controls extend beyond the traditional perimeter, this includes for both employees and third-party vendors.
• Minimizing the threat surface via least privileged controls and removal of admin rights.

These protections are not a panacea, but should assist in thwarting many identity-based risks while ensuring your organization stays cyber-insurable. Additionally, if the insured party fails to maintain adequate security measures as required by the policy, or if there is a significant change in the risk profile of the business without proper notification, the insurer may terminate the policy. This is why it’s paramount for policyholders to comply with all policy requirements and to communicate any significant changes in their business operations to avoid termination.