Guest Column | April 18, 2022

Comply With Cyber Insurance Requirements And Save: 4 Best Practices

By François Amigorena, IS Decisions


It’s not a question of if, but when, your organization will face a cybersecurity threat. And more than ever, organizations are seeking cyber insurance to mitigate the eventual costs. But rising cyber insurance premiums and increased risk of cyberattacks are set to make cyber insurance even more expensive or limited in scope, if not both.

To counter these trends, organizations must reinforce security and manage risks, starting with securing the logon. How? The four best practices below can help your organization meet cyber insurance requirements and save on premiums, all while reducing the risk of cyberattacks.

Understand The Changing Cyber Insurance Landscape

It’s no secret that the cyber insurance landscape is changing rapidly. The average cost of a data breach is now $4.24 million. And, according to a report by Willis Towers Watson, the average settlement hovers around $4.88 million.

And we’ve seen cyber insurance premiums spike in response. The Marsh Global Insurance Market Index reports that cyber insurance pricing rose a whopping 130% in the U.S. and 92% in the U.K. in the fourth quarter of 2021. Looking ahead, the momentum is set to continue: Standard & Poor’s Corp. predicts an average increase in cyber insurance premiums of 20% to 30% per year over the next few years.

Higher Risk, Higher Costs

Why the rise in insurance costs? In short: subpar protection, the same reason cyber insurance claims get filed in the first place. Many organizations still don’t fully grasp the importance of cybersecurity across the enterprise.

Add to that the surge in remote work and the vulnerabilities that came with it, such as misconfigured remote desktop software, weak access management requirements, and a lack of monitoring across different security tools, and it’s easy to see why insurers have raised prices: the risk they are underwriting is your organization’s risk, and it has grown.

Lower Your Risk Profile

Two factors largely determine the cost of insurance coverage: the policyholder’s risk profile, and the insurance provider’s risk appetite. The weaker the policyholder’s risk management program, the greater the risk to insurance providers.

If your organization can prove a lower risk profile, which presents less risk to insurance providers, they can provide better rates. So, if you’re looking to meet requirements and save on cyber insurance premiums, focus on lowering your risk profile.

Follow These 4 Best Practices To Lower Your Risk Profile

There are as many ways to lower risks as there are risks themselves. We don’t have time to cover all of them here, but we can look at the pillars of a strong risk management program. These are the main factors cyber insurance providers consider when evaluating your risk profile.

Enable MFA

Cyber insurance is driving a long-overdue improvement in user access security. As the cyber insurance market tightens, insurers screen for clients whose security controls align with higher standards. For example, cyber insurers are increasingly requiring multi-factor authentication (MFA), one way to dramatically reduce their exposure. MFA is quickly becoming a must for all accounts, privileged and non-privileged, to secure network, remote, and cloud access.

This makes sense. After all, we’ve known for a long time that passwords alone are too weak. MFA isn’t a panacea on its own, but it is a key defense against the threat of compromised passwords. Throughout the 2021 Verizon Data Breach Investigations Report (DBIR), we see the many variations and attack use-cases for compromised credentials, and the high efficacy of each method. The report found that credentials are the #1 data type stolen and that credential data was involved in 61% of breaches.

Adding a second factor (two-factor authentication) typically means requiring “something that you have” (a phone, a hardware token) or “something that you are” (a fingerprint, a face) in addition to a password, which is “something that you know”. If one factor is compromised or broken, an unauthorized user still has at least one more barrier to get past before successfully breaking into a target system. Note that a stolen password plus a phished one-time code still gets an attacker in, so the second factor must be protected against reuse and phishing as well.

Where Do Cyber Insurers Want To See MFA Implemented?

MFA was not a requirement in previous cyber insurance renewals. Now, cyber insurers demand that organizations have MFA in place when subscribing to or renewing cyber insurance. And who can blame them? They’re tired of paying claims, and sometimes the regulatory fines that follow, for data breaches. So they are toughening their requirements for coverage.

New cyber insurance requirements ask organizations to answer yes to all of the following questions regarding MFA:

  1. Is multi-factor authentication required for all employees when accessing email through a website or cloud-based service?
  2. Is multi-factor authentication required for all remote access to the network provided to employees, contractors, and third-party service providers?
  3. In addition to remote access, is multi-factor authentication required for the following, including such access provided to 3rd party service providers:
    1. All internal & remote admin access to directory services (Active Directory, LDAP, etc.)
    2. All internal & remote admin access to network backups
    3. All internal & remote admin access to network infrastructure components (switches, routers, firewalls)
    4. All internal & remote admin access to the organization’s endpoints/servers

Even so, enabling MFA across your organization is not a guarantee of discounted premiums. Dan Burke, senior vice president and national cyber practice leader at Woodruff Sawyer, one of the largest insurance brokerage and consulting firms in the U.S., points out that insurers rarely discount cyber insurance premiums based on a single security measure. Instead, they holistically evaluate a combination of security controls, in light of the organization’s industry, size, and specific risks.

Burke explains, “Rather, enacting MFA will benefit your insurance program in two potential ways: 1. Reducing your claims activity, which over the long term can significantly improve your insurance pricing; and 2. Qualifying your company for cyber insurance quotes from multiple carriers, ensuring competition for your business that will produce favorable terms.”

Monitor Access And Increase Visibility

Insurers want to mitigate their losses. As Burke notes above, the more controls and safeguards a company has to protect against threats, the better. A zero-trust security strategy complements this risk-averse mindset. You’re more likely to identify and prevent an attack when you focus on limiting and protecting access and on increasing visibility into user activity and access attempts.

Access management helps meet the requirement for improved control and oversight of access to data based on user role. It addresses the most common ways attacks unfold by focusing on unauthorized actions (who accessed what, from where, and when) rather than only on standard indicators of compromise, by:

  • Restricting access to only those users who need it and have a specific purpose for it (for example, someone on the engineering team doesn’t need access to HR files).
  • Securing data access using network and application permissions. Authorization and authentication go hand-in-hand, but individuals don't always protect their credentials as they should. So data access, use, and sharing should also be monitored, including data erasure and deletion attempts.
  • Encrypting sensitive data in motion and at rest, with programmatic handling of compliance requirements and data governance rules.

According to a recent Allianz Cyber Insights report, Ransomware trends: Risks and Resilience, organizations can ask themselves the questions below to evaluate how well they handle vulnerability management, access control, and monitoring:

  • Are automated scans run to detect vulnerabilities?
  • Are third-party penetration tests performed regularly?
  • Does the organization ensure appropriate access policies, enforcement of multi-factor authentication for critical data access, remote network connections, and privileged user access?
  • Is continuous monitoring in place to detect unusual account behavior, new domain accounts, account privilege escalations (to administrator level), new service additions, and unusual chains of commands run within a short period?
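The last question is the one most organizations answer “partly”. As an added example (not from the Allianz report, the article, or any IS Decisions product), the script below runs four of those detections over a small constructed sample of Windows Security events in a winlogbeat-style JSON-lines shape: a new domain account (event ID 4720), membership added to an administrative group (4728/4732/4756), a service installed (4697), a burst of failed logons (4625) against one account from one source, and a chain rule that fires when a freshly promoted account installs a service within the hour. The event IDs are the standard Windows audit IDs; the field names, thresholds, group list and rule names are this example’s own assumptions, and the log lines are fabricated.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Standard Windows Security audit event IDs.
NEW_USER = 4720                    # a user account was created
GROUP_ADD = {4728, 4732, 4756}     # member added to a global / local / universal security group
SERVICE_INSTALLED = 4697           # a service was installed on the system
LOGON_FAILED = 4625                # an account failed to log on

# Assumed tuning: which groups count as privileged, and what a failed-logon "burst" is.
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins"}
FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(minutes=2)
FRESH_ADMIN_WINDOW = timedelta(hours=1)

# Constructed sample log (fabricated events, winlogbeat-like field names); not real data.
SAMPLE_LOG = r"""
{"ts": "2022-04-18T08:58:10Z", "event_id": 4625, "host": "DC01", "subject": "-", "target": "jdoe", "src_ip": "10.0.0.9"}
{"ts": "2022-04-18T08:59:30Z", "event_id": 4625, "host": "DC01", "subject": "-", "target": "jdoe", "src_ip": "10.0.0.9"}
{"ts": "2022-04-18T09:00:01Z", "event_id": 4625, "host": "DC01", "subject": "-", "target": "svc-backup", "src_ip": "203.0.113.7"}
{"ts": "2022-04-18T09:00:02Z", "event_id": 4625, "host": "DC01", "subject": "-", "target": "svc-backup", "src_ip": "203.0.113.7"}
{"ts": "2022-04-18T09:00:03Z", "event_id": 4625, "host": "DC01", "subject": "-", "target": "svc-backup", "src_ip": "203.0.113.7"}
{"ts": "2022-04-18T09:00:04Z", "event_id": 4625, "host": "DC01", "subject": "-", "target": "svc-backup", "src_ip": "203.0.113.7"}
{"ts": "2022-04-18T09:00:05Z", "event_id": 4625, "host": "DC01", "subject": "-", "target": "svc-backup", "src_ip": "203.0.113.7"}
{"ts": "2022-04-18T09:00:06Z", "event_id": 4625, "host": "DC01", "subject": "-", "target": "svc-backup", "src_ip": "203.0.113.7"}
{"ts": "2022-04-18T09:05:00Z", "event_id": 4732, "host": "FS01", "subject": "hr-admin", "target": "amy", "group": "Sales"}
{"ts": "2022-04-18T09:12:40Z", "event_id": 4720, "host": "DC01", "subject": "jdoe", "target": "helpdesk2"}
{"ts": "2022-04-18T09:13:05Z", "event_id": 4732, "host": "SRV01", "subject": "jdoe", "target": "helpdesk2", "group": "Administrators"}
{"ts": "2022-04-18T09:14:20Z", "event_id": 4697, "host": "SRV01", "subject": "helpdesk2", "service": "WindowsUpdater", "image": "C:\\Users\\Public\\updater.exe"}
"""


def parse(text: str) -> list[dict]:
    """Parse JSON lines into event dicts with a timezone-aware datetime, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def analyze(events: list[dict]) -> list[dict]:
    """Run the detections in time order and return alerts as {rule, ts, actor, detail}."""
    alerts = []
    failures: dict[tuple, deque] = defaultdict(deque)   # (target, src_ip) -> recent failure times
    burst_reported: set[tuple] = set()                  # alert once per burst, not per extra failure
    fresh_admins: dict[str, datetime] = {}              # account -> when it gained admin rights

    def alert(rule, ev, actor, detail):
        alerts.append({"rule": rule, "ts": ev["ts"].isoformat(), "actor": actor, "detail": detail})

    for ev in events:
        eid = ev["event_id"]
        if eid == NEW_USER:
            alert("new-domain-account", ev, ev["subject"], f"created {ev['target']} on {ev['host']}")
        elif eid in GROUP_ADD and ev.get("group") in ADMIN_GROUPS:
            fresh_admins[ev["target"]] = ev["ts"]
            alert("admin-privilege-granted", ev, ev["subject"],
                  f"added {ev['target']} to {ev['group']} on {ev['host']}")
        elif eid == SERVICE_INSTALLED:
            actor = ev["subject"]
            alert("new-service", ev, actor, f"{ev['service']} -> {ev['image']} on {ev['host']}")
            granted = fresh_admins.get(actor)
            if granted is not None and ev["ts"] - granted <= FRESH_ADMIN_WINDOW:
                alert("new-admin-installed-service", ev, actor,
                      f"admin rights granted at {granted.isoformat()}, service installed "
                      f"{int((ev['ts'] - granted).total_seconds())}s later")
        elif eid == LOGON_FAILED:
            key = (ev["target"], ev["src_ip"])
            window = failures[key]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > FAILED_LOGON_WINDOW:   # slide the window
                window.popleft()
            if len(window) >= FAILED_LOGON_THRESHOLD and key not in burst_reported:
                burst_reported.add(key)
                alert("failed-logon-burst", ev, ev["target"],
                      f"{len(window)} failures from {ev['src_ip']} within {FAILED_LOGON_WINDOW}")
    return alerts


if __name__ == "__main__":
    for a in analyze(parse(SAMPLE_LOG)):
        print(f"{a['ts']}  {a['rule']:<28} {a['actor']:<12} {a['detail']}")
```

On the sample the two stray failures for jdoe and the addition of amy to Sales produce nothing, while the five failures against svc-backup from one address, the creation of helpdesk2, its promotion to Administrators and the service it installs a minute later each raise an alert, with the chain rule tying the last two together. In production the same logic sits behind a SIEM query rather than a script, but the questions it answers (who, what, from where, how fast) are exactly what an insurer’s questionnaire is probing for.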

Security controls must extend to wherever access decisions are made, so the architecture should shorten incident response times, help surface unknown threats, let security tooling be deployed consistently across the enterprise, and enable applications without weakening the access controls around them.

Attribute Actions To Particular Users

Evidence of a strong, “always-on” monitoring program can prove your organization has a strong cybersecurity culture that focuses on continuous improvement. This is an important way to prove reduced risk during a risk assessment.

Cyber security reporting is evolving with business requirements and technological advances. On the business side, organizational leaders often complain that cyber security reporting is too technical, disjointed, and complex. Worse, cyber security teams may not have the visibility they need to provide a holistic picture.

Depending on how the reporting is done and presented, it may lack the prioritization and coherence it needs to demonstrate how well technology investments and processes are (or aren’t) working. There’s greater awareness of the need for "end-to-end" visibility, but there are often blind spots here and there that are ripe for exploitation.

Fundamentally, cyber security leaders and teams should critically consider their reports and dashboards to ensure they're actually helping the organization more effectively manage and make decisions about cyber risks.

Automate Alerts & Responses

Lastly, organizations that automate as much as possible strengthen their capacity to detect and respond quickly to threats. Automation brings both efficiency and consistency, from attack surface monitoring and third-party risk management to the evidence you share with insurers.

An organization should be able to operationalize its security posture and supply chain risk data, and collaborate around it, at a moment’s notice. Automatically evaluating configurations and controls in a cloud environment helps an organization understand the risks in its supply chain and how it looks from an attacker’s perspective.

Save On Cyber Insurance Premiums With Strong Access Management

On their own, none of these best practices ensure discounted cyber insurance premiums. Yet if you strategically implement all four, you can greatly reduce risks and demonstrate a low-risk profile during a risk assessment. And the lower your risk profile, the more likely you’ll be able to negotiate lower cyber insurance premiums and enjoy long-term savings.

About The Author

François Amigorena is the founder and CEO of IS Decisions, a global software company specializing in access management and MFA for Microsoft Windows and Active Directory environments. A former IBM executive, François is also a member of CLUSIF (Club de la Sécurité de l'Information Français), a nonprofit organization dedicated to information security.