
Taking Control of Your Cyber Insurance with Zero Trust
Author: Jason Wild, Cyber Security Tech. at rThreat
The Changing Landscape of Cyber Insurance
In the wake of an unfortunately historic year in cyber risk, one that began with the fallout of the SolarWinds supply chain attack and ended amid the widespread Log4j (Log4Shell) vulnerability, analysts predict that 2022 will be a year of sweeping change in the cyber insurance industry as it seeks stability in a market that keeps shifting under it.
Since its roots in the early 2000s, cyber insurance has become an increasingly important, if not mandatory, component of many organizations’ risk mitigation strategy. GlobalData estimates that worldwide cyber insurance premiums will exceed $20 billion by 2025, up from $7 billion in 2020. Cyber policies typically combine first-party coverage for direct costs and operational losses (including business interruption and ransom payments) with third-party liability coverage. Many cyber insurers also offer additional services to policyholders, such as cyber forensics and incident support.
Other lines of liability insurance have established relatively stable underwriting processes, built on vetted risk models that change slowly. Cyber insurance does not have this luxury: underwriters have struggled to develop pricing structures that remain profitable while keeping pace with the volatile reality of cyber risk transference.
The explosion of ransomware and other advanced threats has led to a matching explosion in insurance payouts. The maturation of the malware black market, including Ransomware-as-a-Service and other widely available malicious tooling, has lowered the barrier to entry into cyber crime. Today’s threat actors are not focused solely on large corporations; they regularly target downstream supply chain firms, open-source software libraries, and small and medium businesses.
According to a survey by San Francisco-based insurance brokerage Woodruff Sawyer, 46% of underwriters believe that cyber risk will increase “greatly” in the next 12 months and 38% believe it will increase “slightly”. Only 15% believe it will “stay the same”, and none of the respondents expected cyber risk to decrease in 2022. The same survey found that 85% of insurers believe companies are not sufficiently aware of cyber risk.
How Cyber Insurers are Responding
In addition to the growing severity and frequency of cyber attacks, regulators are tightening the rules around cyber crime: enacting stricter compliance requirements, restricting negotiation and ransom payment where threat actors are affiliated with nation-states, and holding organizations directly responsible for inadequately protecting sensitive information exposed in an attack.
This dynamic, growing threat landscape faced by organizations and insurers is fundamentally changing the way cyber insurance operates. Premiums are going up, policy limits are going down, and policyholders’ existing security controls are under far closer scrutiny. In short, organizations can expect to spend more money on less coverage, subject to more stringent requirements.
As coverage for damages and lost operational revenue becomes more difficult and expensive to provide, more insurers are adopting sub-limits for specific threat vectors such as ransomware or social engineering, particularly for businesses that cannot demonstrate they have implemented sufficient controls to protect their assets.
Underwriting has traditionally been a simple box-checking exercise in which premium and coverage were ultimately driven by revenue and headcount. More and more insurers now perform an in-depth analysis of a prospective policyholder’s risk mitigation strategy, looking beyond the risk transference a cyber liability policy provides.
In what can now be a 4-6 month process, insurers may ask about specific security controls and processes; request evidence of proactive log monitoring, ongoing security education, and regular security testing; and, in some cases, perform their own vulnerability testing against a prospective customer’s systems.
How rThreat’s Zero Trust Approach Can Help
Investing early and intelligently in security infrastructure may drive down your organization’s overall costs. Depending on the insurer, this can mean different tiers of coverage based on the controls in place (MFA, firewalls, SIEM, EDR, and so on), and those tiers can affect both the premium and the policy terms. It is crucial that organizations have validated security controls, well-documented policies and procedures, and analytics they can hand to insurers during underwriting or a claim, both to qualify for coverage and to gain access to the more robust insurer services such as cyber forensics and ransom negotiators.
But what are the most effective controls to invest in with a limited security budget? How do you prove to insurers that they are working?
The answer lies in continuous validation of your controls and a Zero Trust approach to securing your organization’s assets.
rThreat’s Breach and Attack Emulation (BAE) platform can help demonstrate the effectiveness of your security posture to insurers through on-demand testing of an organization’s defenses that produces measurable data and analytics. Delivered as a cloud-based SaaS platform, rThreat’s BAE technology lets you deploy real known and unknown malware artifacts against your defenses. These contained “live fire” exercises, mapped to the tactics of real-world threat actors, validate each layer of your security controls and the teams that operate them.
Real-time analysis shows how the controls and teams protecting your network and endpoints actually respond to threats, so your security team can identify and remediate gaps in your overall security posture and position your organization for the best coverage available on the market.
Organizations can no longer afford to treat cyber insurance as their primary means of mitigating cyber risk. The market is quickly shifting toward an emphasis on overall security posture, with increased scrutiny of how effective specific defenses are in practice. At the same time that cyber insurance is becoming an all but mandatory component of managing cyber risk, adequate coverage at an affordable price is becoming harder to obtain. Companies should therefore adopt a continuous validation strategy, using a platform with rThreat’s capabilities, to make their best effort to avoid breaches and, if a breach does occur, to be able to prove to the insurer that best practices were followed.
Regardless of the size of your company, rThreat can provide proactive validation of your security posture – enabling you to demonstrate Zero Trust security practices and drive more cost-effective cyber coverage for your business.