Why cyber insurance policies may be in jeopardy [Q&A]
Cyber insurance has often been seen by business leaders as a monetary guarantee that even if hackers do break into their networks and steal their data, they can still escape financially unscathed.
Yet this premise was recently rocked after Lloyd's of London, the world's biggest insurance market, redefined its policies to no longer cover nation-state cyberattacks. There are other challenges facing the cyber insurance sector in the year ahead too.
We spoke to Julia O'Toole, CEO of MyCena Security Solutions, which offers easy-to-implement access segmentation and encryption management solutions for organizations to protect their networks against intruders, and Gerry Kennedy, CEO of Observatory Strategic Management, a risk mitigation consultancy that engages with clients to analyse and address vulnerabilities.
BN: What is the state of cyber insurance today?
GK: The cyber insurance market is continuously evolving as insurers understand more about threats, but the period of confusion is now progressing into a period of action and the tightening of policies.
Insurers are beginning to wake up to the ubiquity of cyber and now understand the very kinetic impact cyberattacks can cause.
In response to this, they are updating their policies to make it much clearer what they do and don't define as secure. Soon we are going to start seeing insurers stipulate exactly what technical measures companies must adopt to protect their assets. If they don't take these measures, they won't get insurance.
BN: What issues are the biggest risk factors for cyber insurers today?
GK: One of the biggest concerns for policyholders today is that they don't know whether to trust insurers anymore. Organizations were hit hard in the wake of COVID and there is a rising concern that insurers won't pay up when things go wrong. This is heightened by the fact that consultants are now telling their customers not to buy cyber insurance today, and to spend their budgets on defensive tools instead.
In response to this growing uncertainty, insurers need to be more transparent and update policies to meet the cyber needs of businesses today. This will bring back trust to the industry, but it will also force organizations to adopt more robust tools to protect their data.
BN: What policy changes need to be made by cyber insurers to cover the industry and save them from collapse?
GK: Insurers need to understand where they are now, and what they need to do to get them to where they want to be. Some of the insurance policies that exist today were developed in the middle of the last century, so the first step is updating these to fit today’s digital landscape.
Cyber is very insurable but it must be done right. Insurers are in the perils business, and they need to clearly define exactly what they cover as well as what they exclude.
Name the perils and define what security should look like by explaining the solutions and tools organizations need to secure their networks. Insurers can't be vague.
BN: What cyber threats create the biggest risks for cyber insurers?
JOT: Behind almost every cyberattack today is a compromised employee credential. This means that insurers must have tighter security controls on how organizations secure their access credentials.
Organizations are often targeted via their employees using phishing scams, and when an employee gets duped, they hand over their network access credentials. Criminals enter the network and, because so many organizations utilize single sign-on solutions, which means there are no security barriers once they are inside the network, it is easy for them to move laterally, escalate privileges, steal data and deploy ransomware.
Insurers need to clamp down on this leading cause of breaches and add to their policies the need for employee credentials to be scrupulously controlled by the organization, not employees. That means demanding that credentials are encrypted so they can't be stolen by adversaries, and that the entire corporate network access is segmented so that each digital door is secured with a strong independent randomly generated password to prevent lateral movement.
BN: What cyber risks do businesses need to address to help them achieve cyber insurance in the future?
JOT: While many businesses understand credentials are the leading cause of breaches, they don't know how to tackle the issue in the correct way. When the world started to massively connect its IT and OT to the network, it made two crucial errors for which we all pay the price today. First, when you work in a physical place, you are given the keys to different sites and rooms. But when you work digitally, suddenly you make the keys -- the passwords -- to all the systems and data you need to access. That means the company no longer has control or visibility over its own access. This loss of control over access passwords must be reversed.
Second, when you work in a physical place, you have multiple doors to open to go from place to place. If you work on a nuclear site for example, you cannot just open one door to get straight to the reactor. You have to unlock different access doors. But when you work digitally, suddenly with a single sign-on you can open all the doors in one go. This means the company no longer has access layers, segmentation and resilience, since they have all been merged into one access point. This happens when you deploy single sign-on technologies, such as a single-access password manager, Identity and Access Management (IAM) or Privileged Access Management (PAM) solutions. These solutions remove the need for employees to remember multiple passwords, but in doing so, they make it easier for criminals to find just one password -- for example via phishing -- and get everything at once.
Risks are further exacerbated when people start using their identity biometrics, since these are personal immutable data. When biometrics are compromised, they can neither be erased nor changed, putting people at risk of identity theft and digital death.
To achieve future coverage, organizations will need to fix these two issues.
BN: What other cyber insurance changes can we expect in the future?
GK: The expectation of full indemnity for a loss is going to go away, unless organizations elevate their duty of care to keep their assets secure. Organizations will need to map out the cyber issues that cause them the most concern and then demonstrate to insurers what they are doing to protect against them, as this will be the only way to achieve cover in the future. When it comes to demonstrating how organizations are protecting their assets, they will need to show what vendors and managed services they are working with and how they are making the organization more secure and harder to breach.
JOT: It's been a long time coming but insurers are finally starting to wake up to the pervasiveness and systemic risks of cyber. The threat is not uninsurable, but new guidance that relates to today's twin digital-physical domain must be added to policies. A key part of this is going to focus on employee network access, which leads to IT and OT security, and the importance of organizations utilising encrypted network access and network access segmentation.