The changing nature of cyber security insurance
Cyber security insurance used to be like any other risk management tool: manage the risk by building internal expertise, outsource it to a specialist provider, or lay it off to an underwriter or insurer. For many years cyber insurance has been seen as an effective way to protect against loosely defined operational risks.
Things are changing. Right now, cyber insurance is becoming increasingly difficult and costly to procure. It’s at the point where you need to verify your ability to manage the security risks in order to be eligible to insure them.
What is happening in the cyber insurance market?
Pricing cyber risk is proving to be an imperfect science for insurers. Cyber risks emerging from digital transformation initiatives, the explosion of ransomware claims and the massive increase in loss ratios for insurers have fundamentally changed the market. Insurers now want evidence that cyber security controls are in place and that the effectiveness of cyber risk management efforts can be substantiated.
They want to know that there is:
- A culture of cyber security from the Board down;
- Ongoing staff awareness; and that
- In the event of an attack, a tested response plan is in place.
They also need a high level of confidence that technical risks, too, are being managed in line with a recognised security risk management framework, for example the ACSC Essential Eight, ISO 27001 or NIST.
Cyber security has shown itself to be one of those risky areas where things can go wrong, and after the event it is too late. An insurance proposal can now take months to prepare, with detailed questionnaires and supplementary queries after that. Even when the insurer’s specific technical requirements are met, you may still face significant premium increases, coverage limits, exclusions and retentions. Improving the quality of cyber security risk data is now a priority for all stakeholders in the insurance process: insurers seek assurance of a stated posture, and those seeking insurance need to be able to verify just that.
Those seeking cyber insurance in 2022 can expect more of what occurred in 2021:
- Continued underwriting rigour, with the need to verify focus across all security controls
- Dramatic increases in cyber insurance premiums across the board
- Less coverage, with greater sub-limits and exclusionary language
- A rise in technology solutions to assist organisations with their risk management efforts
- Increased government threat intel sharing and critical infrastructure resilience obligations
What are we seeing in the security market?
Insurers are now effectively setting the table stakes for security controls as international security agencies confirm the importance of those very same prevention, containment and recovery mitigation strategies. There is now some real clarity around the security steps organisations need to improve their cyber resilience. Putting in place a system that measures the effectiveness of each of these safeguards is a foundational step in the success of any cyber risk management process.
Whether it’s to meet the pre-conditions of an insurer, to improve your cyber resilience or to comply with tightening cyber regulatory requirements, organisations should adopt a security framework and maintain compliance processes against the relevant cyber security controls: a set of safeguards that can be regularly measured, with any variance reported for risk management purposes. Those controls should include both technical and “softer” cultural controls, for example staff cyber security training and awareness programs. The resulting KPIs need to reflect the adoption of a cyber security culture within the organisation from the top down, at both technical and business levels.
With appropriate cyber risk management systems in place, poor performance of any one of your controls can be quickly identified and the security gap closed. With the increasing volatility of security operating environments, time is of the essence, so the more responsive the security risk management process the more cyber resilient the enterprise.
In fact, supported by systematic empirical measurement, the security and risk teams, as well as senior executives, can promptly make evidence-based decisions about the state of their cyber security preparedness.
Steps that need to be taken
The latest joint ACSC, NCSC, FBI, NSA and CISA cyber security advisory reminds organisations that it is vital to maintain an active awareness of their cyber posture in the current hostile risk environment. Organisations should ensure that they have effective measures in place to inform their security, risk and executive teams of the security posture of the enterprise. Cyber security is no longer a set-and-forget activity, so having regular visibility of the state of your security controls is now a baseline security requirement.
As noted above, the controls recommended in the latest joint advisory are closely aligned with the “mandatory” mitigation efforts being sought by cyber insurance underwriters everywhere.
What do you need to access insurance?
The good news is that cyber insurance policies are still being written; it’s just that their terms have tightened. Successfully managing adequate security controls across your organisation delivers two important outcomes:
- It provides a mechanism by which your cyber resilience can be effectively managed; and
- The adequacy of your risk management efforts can be demonstrated to underwriters and others.
Neither of these can be ignored if, as forecast, cyber insurance is to become an increasingly important part of managing the risks associated with digitalisation.
Tighten up controls and in-built security on systems
From the perspective of both insurers and international security agencies, organisations are not as well protected as they should be. This low level of protection makes the risk of attack higher, and given the nature of the threats, the impacts more severe. That also affects insurance premiums.
So, if you’re starting out, it’s a good idea to focus attention on improving low-cost but high-value controls. Many of these are already built into your IT systems but may not be appropriately configured. Improving high-value security controls can significantly improve your insurability, and the cost of these efforts need not be prohibitive.
For example, prompt and rigorous patching of systems and fully testing backups are fundamental steps in a good cyber hygiene regime.
Manage the “people” issues – awareness and privilege
Human error has been blamed for as much as 90+% of cyber security breaches, so again it provides good scope for high-value security controls.
The first and most cost-effective initiative is to improve staff training and cyber awareness. Reducing the risk of someone clicking a malware attachment or installing unauthorised third-party applications can pay big dividends.
Second, manage the way privileged accounts are assigned and used. Minimising who has access, for how long and for what purpose is a significant risk mitigation strategy.
Thirdly, when it comes to building or configuring systems, IT and security team members need to be aware of the key role they play in secure code development and application security. Proactive security practices and cultural awareness can significantly improve your overall cyber posture.
Dealing with incidents
You can also do a lot to ensure that if an incident occurs you have sound processes and plans, and an available expert service in place.
It may not reduce your actual premium but it will almost certainly reduce the overall cost of an incident.
This is part of the process: the last line of defence. It means defining a plan, testing it, and having the tools and mechanisms at your disposal if and when you need them. In the case of ransomware, for example, backups are a major part of any recovery plan. Backups that have been tested and shown to be able to reinstate business operations are a significant fallback, because they give you more options for resolving your situation.
The cost of entry
Where once a back-to-base alarm or deadlocks would earn an insurance premium rebate, in the cyber insurance market the equivalent security controls are merely the cost of entry. While improving some controls provides greater benefits than improving others, ultimately a good cyber posture backed by verifiable assessment artefacts is now a condition precedent for cyber cover.
As insurers challenge your answers to mandatory questionnaires and insurance proposals and interrogate your security team for evidence, it’s important to be prepared. Tightening your controls and managing your staff awareness and incident plans will confirm your intent. An easy-to-understand report for all stakeholders on the state and effectiveness of each of your security controls, and ultimately on your cyber maturity level, will also help. It provides the audit artefacts that insurers and regulators are increasingly seeking.
Trying to “game the system” is no longer an option. If you want to participate in one of the increasing number of industries that require minimum levels of cyber security compliance, you need a security risk management system that easily and quickly reports your cyber security posture and any vulnerabilities requiring your attention.