
10 Key Controls to Demonstrate Your Organization’s Eligibility for Cyber Insurance

According to a recent study, more organizations than ever before are investing in cyber insurance as concerns about ransomware and other breaches continue to grow. In fact, 48% of companies have already invested in cyber insurance for identity-related incidents, and an additional 32% plan to do so in the future.

The increasing demand for cyber insurance is not surprising given the rising number of cyberattacks and the potential financial losses associated with them. Insurance companies have become more cautious in underwriting cyber insurance policies, making it more difficult for organizations to obtain affordable coverage with the necessary level of protection. Insurers are aware that cyberattacks are on the rise, and the losses incurred by these attacks may exceed what the insurance market is able to absorb. As a result, premiums for cyber insurance have increased in recent years to manage the growing risk.

According to Check Point Research, there was a 38% increase in global cyberattacks in 2022 compared to the previous year. The costs for insurers to defend and settle cyber claims also rose accordingly. IBM’s “Cost of a Data Breach Report 2023” revealed that 83% of organizations experienced more than one data breach, with the average cost of a data breach reaching $9.44 million in the United States and $4.25 million globally. Verizon’s “2023 Data Breach Investigations Report” found that stolen credentials and phishing attacks were the primary methods used by attackers to gain access to organizations.

With the increasing frequency and severity of cyber incidents, insurance companies are tightening their coverage policies and scrutinizing claims more closely. Analysis from Willis Towers Watson showed that 27% of data breach claims from 2013 to 2019 had exclusions in the policy that prevented full or any payout. In a more recent case, Travelers Property Casualty Company of America denied coverage and sought to rescind a cyber policy due to alleged misrepresentations in the application by the insured organization regarding their use of multifactor authentication (MFA). These instances highlight the importance of accurately representing an organization’s cybersecurity measures to maintain coverage.

Insurance companies now emphasize effective cyber-risk management as a prerequisite for coverage. They may deny coverage if an organization does not have the minimum necessary controls in place, and may even increase the minimum control requirements. For example, traditional multifactor authentication might not be deemed strong enough to mitigate the risk of man-in-the-middle (MitM) attacks. Premiums may also be tied to the maturity of an organization’s security controls. Additionally, insurers may impose additional conditions and limitations on policies based on the policyholders’ security posture and the controls they have implemented.

Many organizations are now seeking guidance on the controls they need to implement to satisfy the requirements of cyber-insurance underwriters. A recommended starting point is to implement the following 10 controls to manage cyber-risk:

1. Use invisible/phishing-resistant multifactor authentication and consider transitioning to a passwordless solution.
2. Segment and segregate networks to limit the potential impact of a breach.
3. Adopt a robust data backup strategy to ensure data can be restored in case of a breach.
4. Disable administrative privileges on endpoints to reduce the risk of unauthorized access.
5. Conduct regular employee security awareness training to mitigate the risk of social engineering attacks.
6. Deploy endpoint detection and response (EDR) and anti-malware solutions to detect and mitigate threats.
7. Implement Sender Policy Framework (SPF) to prevent email spoofing and phishing attempts.
8. Establish a 24/7 security operations center (SOC) to monitor and respond to security incidents.
9. Deploy a security information and event management (SIEM) platform for threat detection, incident response, and compliance management.
10. Implement robust security measures for service accounts within Active Directory (AD) environments.

While these 10 controls provide a good starting point, underwriters evaluate a range of factors when reviewing new policy applications. As the insurance market and the cyberattack landscape continue to evolve, underwriters may impose more stringent requirements for identity protection, authentication mechanisms, access controls, and identity management processes to minimize the risk and impact of a data breach.

It is also worth noting that many cyber-insurance policies require organizations to comply with specific regulations related to data protection and privacy. Demonstrating compliance with these regulations can increase the likelihood of qualifying for coverage and lead to more favorable policy terms. Compliance efforts can also demonstrate an organization’s commitment to securing identities and personal information, which may positively influence underwriting decisions, coverage terms, and premiums.

In conclusion, as the frequency and severity of cyberattacks continue to rise, organizations must prioritize effective risk management and demonstrate their commitment to securing sensitive information. By implementing robust security controls, complying with relevant regulations, and staying up to date with the evolving cyber insurance landscape, organizations can better protect themselves against the financial fallout of cyber incidents.
