I am back with my next blog to discuss cyber re-insurance and cyber liability insurance, along with some recent developments that have many insured companies scrambling to meet new requirements. If you read my first two blogs, you’ll notice a coincidence: the mid-90s was the period when many “cyber-esque” concepts were born.
The Internet bubble ran from 1994 to 2000 and was composed primarily of Internet Service Providers. At that time, enterprise risk management was a concept that already included cybersecurity. The mid-90s also saw the first sightings of cyber liability insurance. It provided very limited coverage, reflecting the limited role of computers and the narrow set of issues of that time: online media and errors in data processing were the only coverage areas. In the 2000s, as Internet use and Internet threats grew, cyber liability coverage expanded with them.
Recent years have seen cybersecurity threats and incidents worsen with the continued proliferation of phishing, malware, business email compromise, ransomware, and social engineering. As with non-cyber liability insurance, there are various types of cyber insurance coverage, including:
- Network Security: Primarily for losses due to cyber-attacks performed via networks
- Forensic Investigations
- Computer Data Loss
- Business Interruption
The Cost of Doing Business Skyrockets
Fast forward to 2020, and cyber insurance companies are issuing astronomical payouts for ransomware events, which have been rising by 40% year over year. The cost of doing business has insurers pondering more strategic approaches to address the rising costs of ransomware and other events. Privacy regulations, namely GDPR (General Data Protection Regulation), BIPA (Biometric Information Privacy Act), and CCPA (California Consumer Privacy Act), have been additional drivers of the uptick in claims.
Cyber insurers found that many of their customers were missing the mark on their security posture. Organizations were deficient in maintaining core foundational security measures and controls that should have been implemented at the start of their security programs. As a result, insurers began taking longer to process renewal applications and conducting stronger due diligence, in some cases dropping customers from coverage altogether or raising their premiums by 2x and 3x.
Leveling the Playing Field with Controls
To level the playing field for all cyber liability insurance customers, insurance companies took a hard stance, requiring every customer to complete a “Supplemental Ransomware Questionnaire”. This effectively provided a review of a customer’s current security posture and maturity based on 14 core security controls. Some of these core controls, which map to frameworks such as NIST CSF and ISO 2700X, were meant to help a customer respond more favorably to a ransomware event and, in turn, reduce the high cost of claims. They include:
- Multi-Factor Authentication
- Security Monitoring (SIEM, SOC, MSSP)
- Network Segmentation: Isolation of critical and sensitive data/assets
- Backups: 3 backup solutions to ensure data remains available during an incident
- Endpoint Detection and Response
- Resilience: Business Continuity Plans, Incident Response Plans, etc.
Initiatives CISOs Should Consider
In addition to meeting insurance company requirements, CISOs should take the time to re-evaluate their security programs to effectively increase maturity, address current cyber threats, and reduce overall risk in the organization. Start filling your roadmap with initiatives that, in the end, will have you operating with resilience in mind. Some suggestions:
- Dust off your recent security risk assessment and confirm that all remediation items have been completed. If it’s been over a year, conduct that assessment again.
- Invest in training for your security operations center (SOC), threat hunters, and incident responders through attack simulation, cyber ranges, and ongoing war games (e.g. tabletop exercises). Regular training is key.
- In relation to the above, ensure your Incident Response Plan is up to date. In particular, confirm and validate roles and responsibilities, communication information, external and third-party contacts and requirements, and how your organization classifies an incident (and its severity).
- Business Continuity and Disaster Recovery. When was the last time you conducted a Business Impact Analysis (BIA) of your critical business and assets? Do you have your RPO (Recovery Point Objective) and RTO (Recovery Time Objective) defined? Have you tested your disaster recovery processes, especially with your cloud providers?
- Phishing emails. Email is still the top attack vector for ransomware and malware incidents. Do you know who your riskiest users are? How are you addressing unintentional or accidental insiders?
Reducing Risk with a Human Focus
At the forefront of curtailing cyber risk is the need to reduce and prevent the cyber incidents that lead to breaches, ransomware, and data loss events. One factor that stands out is the most common attack vector: phishing and other email-based attacks. The number one cause of successful attacks through email tends to be the humans, the users within your organization. Staying ahead of attacks and preventing incidents comes down to understanding your risky users and staying proactive. Check out Elevate Security for more information.