Cyber insurance may be cyberficial, but…
Insurance might be one of the least liked, but most valued purchases within a business when you need to use it. In previous decades, it was needed against fire, theft, and other tangible threats to a business, yet as cyber-attacks are becoming an inevitable, frequent occurrence, the demand for cyber insurance is at an all-time high.
However, qualifying for cyber insurance coverage is easier said than done. Businesses not only have to manage the soaring cost of premiums, but also meet a long list of complex criteria that deems their current security strategy and implementation eligible for financial protection.
Understanding the demand for cyber insurance
According to IBM, the average cost of a data breach was $4.24 million in 2021, the highest ever in history. This number is not likely to go down anytime soon, as reports predict that the overall cost could mount up to $1 trillion in 2022. As financial worries around cyber attacks continue to grow, businesses are increasingly looking for financial protection against cyber threats. That is why demand for cyber insurance has soared in recent years; it has often seemed the easy choice.
Cyber insurance is therefore a business imperative, with every company that has a digital footprint, no matter how small, requiring protection against the ever-increasing threat of cyber-attacks. In fact, cyber insurance is projected to become a $20 billion industry in the next three years.
As a result of the frequent cyber incidents, premiums are also spiking at an unprecedented level. According to the Global Insurance Market Index, in Q4 2021 alone, cyber insurance coverage prices increased by 130 percent in the US and 92 percent in the UK.
Barriers to Protection
The biggest barrier to getting covered, however, is the long list of complex eligibility criteria based on the assessment of current security controls and practices a business has in place. Insurance providers won’t cover organizations until they have met a list of pre-agreed criteria on their cybersecurity and network defense capabilities.
Therefore, companies need to demonstrate cyber insurance readiness by implementing greater security measures and best practices that not only improve their security posture against the impending danger of sophisticated threats but also put them in a better place to qualify for premium cyber insurance coverage.
What are some of the common cyber insurance requirements?
Most cyber insurance providers make eligibility decisions based on an organization’s security capabilities and cybersecurity readiness. If an organization fails to meet a provider’s requirements, the result is either significantly higher premium costs or outright rejection. Rejection, however, has become the common outcome.
Although there is no universal standard for eligibility in the cyber insurance industry, most insurance providers consider three major factors when assessing an organization's cybersecurity readiness:
- Advanced network firewall
- Antivirus and anti-malware solutions
- Access security controls
Assessing these factors helps insurance providers examine how the company monitors and reduces threats, as well as how it protects privileged access to valuable network assets. They are then able to determine the company’s security capabilities and understand the level of risk it faces from impending security threats such as ransomware or a data breach.
Insurance requirements change rapidly with the shifting threat landscape. However, these criteria are likely to remain the foundation of any eligibility requirement, as they define the core security structure of a company.
In order to prepare their security infrastructure to meet these eligibility criteria, and receive financial protection from cyber insurance providers, organizations need to enhance their proactive cyber defense capabilities. An effective approach to achieving this is by implementing "privileged access management".
Enhancing defensive cyber capabilities through privileged access management
Lack of preventive security measures and poor cyber-hygiene are two of the key reasons why companies are denied cyber insurance. Companies often take a reactive approach to cybersecurity, meaning that solutions and strategies focus on mitigating threats as they are detected.
However, the most robust security architectures are those that can assess and reduce threats before they breach the network gateway. This is where "Privileged Access Management", or PAM, solutions come in. Almost 95 percent of all cyber attacks are targeted at end-users. Threat actors find it far easier to exploit poor credential practices, weak network access points, and a lack of user awareness than to directly target highly encrypted systems or applications. That is why access control is a critical defining factor for effective cybersecurity practices.
Incorporating PAM solutions allows an organization to implement automated password management, multi-factor authentication and access management tools. These help to constantly monitor the network activities of privileged accounts and alert on any access-based threat that might result in a breach.
PAM solutions provide an automated approach to monitoring and authenticating access requests. Such solutions apply authentication to every network layer, meaning that user identity, devices, and network protocols must be verified and authenticated at each layer of the organizational network in real time. Any anomaly or discrepancy detected in an access request restricts access and alerts the security team, which cuts off the attack pathway before a breach occurs. For instance, if a user without administrative rights attempts to access a file or application, a PAM solution can instantly detect the incident, report it to the security team, and suspend all access to the system until the incident is resolved.
PAM solutions can also bind administrative rights to specific devices and identity parameters, reducing the risk of remote attacks and credential leaks. Furthermore, they ensure that every user has only the level of access relevant to their job, eliminating the need for overprivileged accounts within the network.
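The two paragraphs above describe the decision a PAM gate makes on each request: least-privilege role checks, administrative rights bound to approved devices and verified identity, and alert-plus-suspend when a non-admin reaches for a privileged resource. The following is an added example that is not code from the article or from Delinea; every account, device, resource and policy value is a constructed sample, and `alerts` stands in for a real SOC alert queue.

```python
# Added example (not from the article or Delinea): a minimal PAM-style access
# gate showing least privilege per role, administrative rights bound to
# approved devices, MFA for privileged use, and alert-plus-suspend when a
# non-admin attempts a privileged resource. All values are constructed samples.
from dataclasses import dataclass

@dataclass
class Account:
    user: str
    roles: frozenset                 # roles the user actually needs for the job
    bound_devices: frozenset         # device IDs the admin role may be used from
    mfa_verified: bool = False       # set by the MFA step for this session
    suspended: bool = False          # flipped on a privilege-violation incident

# Constructed policy: resource -> role required to touch it (anything else is denied)
POLICY = {"/srv/db/admin-console": "admin", "/srv/reports/q4.pdf": "analyst"}

alerts: list = []                    # stand-in for the security team's alert queue

def alert(user, reason, resource, device_id):
    """Record an alert the security team would act on."""
    alerts.append({"user": user, "reason": reason,
                   "resource": resource, "device": device_id})

def request_access(acct: Account, resource: str, device_id: str) -> str:
    """Evaluate one access request and return the decision."""
    if acct.suspended:
        return "denied: account suspended pending incident review"
    required = POLICY.get(resource)
    if required is None:             # unknown resource: deny rather than guess
        alert(acct.user, "unknown resource", resource, device_id)
        return "denied: no policy for resource"
    if required not in acct.roles:   # non-admin reaching for an admin resource
        acct.suspended = True        # cut the attack path until the incident is resolved
        alert(acct.user, "privilege violation", resource, device_id)
        return "denied: insufficient privilege; account suspended"
    if required == "admin":
        if device_id not in acct.bound_devices:   # admin rights are device-bound
            alert(acct.user, "admin use from unbound device", resource, device_id)
            return "denied: device not approved for administrative access"
        if not acct.mfa_verified:
            return "denied: MFA required for administrative access"
    return "granted"

if __name__ == "__main__":
    admin = Account("alice", frozenset({"admin", "analyst"}), frozenset({"LAPTOP-A1"}), mfa_verified=True)
    analyst = Account("bob", frozenset({"analyst"}), frozenset())
    print(request_access(admin, "/srv/db/admin-console", "LAPTOP-A1"))
    print(request_access(analyst, "/srv/db/admin-console", "LAPTOP-B2"))
```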
Overall, PAM is a streamlined solution for effective access control. Such solutions not only allow organizations to achieve complete visibility of their network activities but also safeguard network access from both internal and external threats. PAM provides a proactive framework for monitoring administrative access across the entire network or cloud infrastructure and detecting any suspicious behavior in inbound and outbound traffic.
Incorporating PAM solutions helps to strengthen defensive cyber capabilities and provides much-needed reassurance to insurance providers. Cyber insurance criteria will continue to change and become more rigid as the digital threat landscape continues to evolve. Therefore, organizations must be able to convince insurers that they can defend against frequent threats and breach attempts while remaining resilient to sophisticated attacks.
Implementing PAM solutions solidifies an organization’s proactive stance against critical threats and builds credibility among insurance providers, creating an effective pathway to receiving the financial protection of cyber insurance.
Joseph Carson is Chief Security Scientist at Delinea.