As cyber insurance premiums continue to climb, insurance providers are getting increasingly selective about who and what they’ll cover.
Cyber criminals are only getting better—a fact reflected in their increasingly sophisticated attacks. And with the heightened frequency, scale and impact of these attacks comes higher cybersecurity insurance premiums for many businesses. Many organizations are finding that the cost of cyber insurance has increased dramatically in the past few years.
But premiums aren’t the only costs that are rising. The price of admission to even be considered for coverage is going up as well. If a business wants to qualify for cyber insurance, there are several security controls they need to have in place before an insurance company will consider underwriting the policy:
Multi-factor authentication: When it comes to any remote access or accounts with administrative privileges, it is critical that businesses require users to identify themselves with something more than just a username and password. The second form of identification needs to be something you are or something you possess.
Endpoint Detection and Response (EDR): Businesses need to make sure that their employees’ devices are protected by second generation anti-virus and anti-malware software. The solutions that only look for a virus’ “fingerprint” are no longer considered acceptable.
Secured, Encrypted and Tested Backups: To protect their data, businesses need to ensure that their backups are both encrypted and stored in a secure location. Many underwriters now define “secure” to mean that the backups are either offline or immutable.
Privileged Access Management: Businesses should make sure that access to highly privileged accounts (including system accounts) is protected and managed using an encrypted password vault.
E-mail Filtering and Web Security: The easiest way for a cybercriminal to access an organization's system is to take advantage of human curiosity. Automatically interrogating emails for suspicious content (attachments and links) before the designated recipient has a chance to open them can help reduce the risk of falling for a phishing attack.
These are the five controls that are most important to insurance companies right now. In the coming years, however, organizations can expect these additional controls to come into play:
Patch Management and Vulnerability Management: Businesses should make sure they are continuously patching their applications, databases and operating systems in a timely manner.
Incident Response Plan: It is critical that organizations have a formalized plan for how to respond if something goes wrong. It is equally important that this plan is periodically tested and modified as needed.
Required Cybersecurity Awareness Training: While technology can help reduce the risk of cyber-attacks, your employees are still the easiest path to compromise. Mandatory security awareness training, with a focus on phishing, for all employees is a critical component of improving your overall cyber security profile.
Network Device Hardening Standards: Organizations should have configuration standards defined to improve the security of network devices by eliminating non-essential services and minimizing vulnerabilities.
Logging and Active Monitoring of Network Devices: This is not as simple as monitoring the network traffic that enters and leaves the system. Organizations must also be cognizant of the traffic that flows between their internal network devices. Logs should be aggregated, and analytics should be used to identify suspicious activity and alert management to it.
Management of End-Of-Life Systems: When an organization’s technology is no longer receiving updates or support services from vendors, the end-of-life systems must either be replaced or isolated from the rest of the network through segmentation.
Robust Third-Party Risk Program: Companies must have protocols in place to assess the controls of vendors that have access to their systems or data.
Going forward, businesses can expect cyber insurance to remain expensive and the desired coverages to become more difficult to obtain. Given the cost and frequency of today’s cyber-attacks, more companies are looking to transfer some of their risk to an insurer as part of their mitigation strategy. Continuously monitoring and investing in their cybersecurity posture can help organizations improve their chances of obtaining the cyber coverages they desire.
About Schneider Downs Cybersecurity
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected].