Article by Yubico Asia Pacific and Japan Vice President Geoff Schomburgk.
The cyber threat landscape has always been worrisome, but today many more CISOs are noticing new gray hairs in the mirror, given an anticipated rise in cyberattacks from nation-states and other bad actors.
Ransomware attacks and other forms of account compromise continue to make headlines every month, with malicious actors, state-sponsored or not, potentially costing businesses millions in downtime and lost opportunities. There are also serious reputational risks for vendors who may see customers flock to a competitor after a publicized attack.
These attacks have broken old cyber insurance risk models because it has become too easy for an attacker to steal credentials and work from the inside. They rely on relatively simple technology, but days of downtime can cause serious damage, often more than a classic data breach or the reputational fallout alone. These developments have far-reaching implications throughout the insurance industry, from insurers to brokers to policyholders themselves.
Due to an increased risk profile caused by recent events, cyber insurance premiums have skyrocketed, rising 150 to 300 percent in some cases. So it’s no surprise that this heightened threat environment has inspired a rapid rise in interest in cyber insurance, as businesses consider signing up for the first time or looking to increase liability coverage.
The cyber insurance industry is still developing in response to all the new threats coming from novel sources. However, the basic principle of insurance still holds: those companies with the highest risk will pay the highest premiums, or may not qualify at all.
Ask the right questions
What can companies do as “homework” before approaching cyber insurance providers? How do they put themselves in the best position to negotiate reasonable premiums on a policy that will pay if the worst happens? It’s worth reviewing this checklist first before investing in a policy:
1. What are the minimum security requirements of the insurer?
Most cyber insurance quotes will come with a cyber risk vulnerability report. It will be advertised as a beneficial report for assessing risk, but of course it is in the insurer’s interest to find any obvious weak links in an organization’s armor. While the minimum requirements will vary, they are likely to closely mirror what is included in the Australian Cyber Security Centre (ACSC) Essential Eight.
These are eight strategies for mitigating cybersecurity incidents, and implementing them effectively helps achieve a baseline cybersecurity posture. One of the eight strategies requires the implementation of phishing-resistant multi-factor authentication (MFA).
You can be sure that simple password authentication will not be enough to meet the minimum requirements of cyber insurers, because the risk is too high for them. So before requesting a cyber insurance quote, it makes sense for companies to rate themselves against the Essential Eight first.
In the past, a signed attestation by the company’s CISO that minimum standards had been established was sufficient. However, for high-liability or high-risk policies, some insurance companies may now require more extensive due diligence.
2. How quickly can organizations implement stronger authentication?
If cyber insurance is something an organization needs right away, it may not have time to wait for a full cycle of security updates. It’s worth asking what security practices, hardware-based authentication, or increased employee training can do today to make your security profile more attractive to cyber insurers.
3. Has the pandemic weakened a company’s security profile because more people are logging in from home?
Many companies’ pre-pandemic security efforts treated office locations as the security boundary. But with so many employees now working permanently remotely or in a hybrid arrangement, tightening the organization’s security controls has become that much more complicated.
There is more risk because there are more attack vectors, and cyber insurers are well aware of this. Focusing on firewalls, web proxies and data protection is not enough; today, robust MFA for those logging in remotely needs to be part of the picture.
Attackers aren’t breaking in, they’re logging in: compromised credentials are at the root of 65 per cent of cybersecurity incidents, according to the Office of the Australian Information Commissioner’s (OAIC) Notifiable Data Breaches Report for July to December 2021. It is imperative to raise the level of security for user authentication beyond passwords.
4. Will a policy pay when something bad happens?
This is a legal question and it’s still in development, but it’s key to keep up with precedent-setting court cases on these issues. It’s no secret that insurance companies stay in business by NOT paying when they don’t have to or by keeping their payments low. Therefore, it is important to carefully document all downtime and losses from day one of a breach or other incident.
Some good news is a recent ruling on a $1.4 billion attack, attributed to Russia, on the global pharmaceutical company Merck. Although the attack targeted Ukraine in 2017 (a grim reminder of the physical invasion to come), the court ruled that it was not an “act of war or terrorism”. Therefore, payment could not be excluded on those grounds.
Insurance companies will try to limit their exposure by dividing covered items into categories. For example, losses due to downtime, replacement of hardware and systems, ransomware payments, and identity protection for affected customers may have been covered in a single package before, but today they are likely to be itemized separately. That makes policies more complex, requiring brokers to look to reinsurers to spread risk.
5. Have we recently performed a full cybersecurity review? If not, how do we do it?
Risk assessments should be carried out on a standard schedule, covering both internal and external threats. You can start with a thorough review of user access, the identity and access management (IAM) system the organization uses, and the type of anti-phishing user education it has employed or plans to employ. A review should take a close look at privileged users, critical staff, and administrators, but should not exclude ordinary users. The safest end goal is to at least begin a path to strong MFA for all users.
Organizations should review their cyber security posture in line with the Essential Eight. They can bring this information into conversations with insurance brokers, which will put them in a stronger position when negotiating cyber insurance premiums.
6. Is the cyber policy specific about what is covered and what will be paid?
Generic, one-size-fits-all policies are never good, because each company will have specific threat vectors and, most likely, its own scenarios for how an attack would occur. Companies taking out a cyber policy should ensure that there are enough specific references to the organization’s vulnerabilities and that they are satisfied with how third-party liability is handled.
In general, the more specific you are in terms of what is included in covered attacks, the better. Note: This is when it would be helpful to have appropriate legal counsel, preferably with a background in cyber insurance. What we say here should not be taken as legal advice to follow.
These six questions are just a starting point for cyber insurance research, but they are a good foundation for considering how to get the best deal on premiums and the most comprehensive protection for years to come.