Cyber insurance is an important aspect of cyber resilience, but organizations are increasingly struggling with the cost and process of gaining it. Lawrence Perret-Hall looks at the issue and how cross-industry collaboration can provide a way forward.
Cybercrime remains one of the most pertinent risks for businesses, with ransomware posing a particular threat to organizations. Hackers are continually developing sophisticated and tailored techniques to extract sensitive data and information from businesses.
The increase in successful ransomware attacks has affected both the safety of organizations and their ability to secure further protection. Frequent breaches are also pushing up the cost of cyber insurance premiums. To reduce their own risk, many insurers now request detailed information about a customer’s security posture and exclude some types of incidents, such as state-sponsored attacks, from the cover they provide. While rising costs and reduced coverage may go some way to painting a negative image of the cyber insurance world, this industry plays a vital role in supporting businesses and protecting organizations against financial loss.
Yet we continue to see critical and damaging data breaches. Insurers and managed security service providers (MSSPs) therefore must work together to relieve businesses that find themselves in a difficult position. With threats continuing to rise, the insurance industry must adapt to the changing cyber climate and work proactively with security experts to stay one step ahead of cybercriminals.
Responding to the threat landscape
The cyber threat landscape evolves according to the whims of cybercriminals, who constantly adapt their techniques to make attacks more targeted and effective. Insurers and security service providers must therefore respond accordingly.
In the past, multi-factor authentication (MFA) was seen as the ‘silver bullet’ for strong cyber security. For many insurers, it was perceived as a certified solution to assess vulnerability and became practically a prerequisite for cover. Some threat vectors, such as business email compromise (BEC), initially became almost obsolete as a result of MFA. However, cybercriminals are now increasingly able to evade MFA protections via ‘MFA fatigue’ – a technique that bombards users with push notifications until they mistakenly approve a malicious login. We are seeing BEC again become a critical issue as a result.
These developments prove that no single measure can be used to quantify risk. Instead, measuring an organization’s risk appetite should be based on the multiple layers of defence they have in place, and whether or not they are prepared for the eventuality that some of these layers may be manipulated and overcome by threat actors.
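The MFA fatigue pattern described above is visible in authentication logs as a burst of push prompts to one account, typically with several denials, sometimes ending in an approval. The following detection is an added example written for this article; it is not code from the author or from CYFOR Secure. It assumes a simplified, constructed log format of `timestamp user event` and an assumed policy of four or more pushes within five minutes counting as a burst; real identity providers have their own event names and fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system): one push event per line.
# alice receives five prompts in under two minutes, denies four, then approves.
# bob shows normal behaviour: one prompt, one approval, hours apart.
SAMPLE_LOG = """\
2023-03-01T09:00:01Z alice push_sent
2023-03-01T09:00:05Z alice push_denied
2023-03-01T09:00:20Z alice push_sent
2023-03-01T09:00:24Z alice push_denied
2023-03-01T09:00:40Z alice push_sent
2023-03-01T09:00:44Z alice push_denied
2023-03-01T09:01:00Z alice push_sent
2023-03-01T09:01:03Z alice push_denied
2023-03-01T09:01:20Z alice push_sent
2023-03-01T09:01:31Z alice push_approved
2023-03-01T09:05:00Z bob push_sent
2023-03-01T09:05:04Z bob push_approved
2023-03-01T13:00:00Z bob push_sent
2023-03-01T13:00:03Z bob push_approved
"""

PUSH_THRESHOLD = 4            # assumed policy: pushes in one window that count as a burst
WINDOW = timedelta(minutes=5)  # assumed policy: size of the trailing window


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events


def detect_mfa_fatigue(events, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return one alert per user whose push prompts reached `threshold`
    inside a trailing `window`. Each alert records the size of the largest
    burst, how many prompts were denied, and whether an approval followed
    the burst, which is the outcome an MFA fatigue attempt is after."""
    by_user = defaultdict(list)
    for ts, user, event in sorted(events):
        by_user[user].append((ts, event))

    alerts = []
    for user, evs in by_user.items():
        sends = [ts for ts, e in evs if e == "push_sent"]
        best = None
        for i, ts in enumerate(sends):
            # all prompts in the trailing window that ends at this prompt
            burst = [t for t in sends[:i + 1] if ts - t <= window]
            if len(burst) < threshold:
                continue
            start, end = burst[0], ts
            denied = sum(1 for t, e in evs
                         if e == "push_denied" and start <= t <= end + window)
            approved = any(e == "push_approved" and end <= t <= end + window
                           for t, e in evs)
            candidate = {"user": user, "pushes": len(burst), "denied": denied,
                         "approved_after_burst": approved,
                         "first_push": start, "last_push": end}
            if best is None or candidate["pushes"] > best["pushes"]:
                best = candidate
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

An approval that follows a burst of denials is the highest-priority case, since it suggests the user gave in; a burst with no approval still merits a call to the user and a review of how the attacker obtained a valid password in the first place.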
Many businesses treat cyber security reactively, with MSSPs and insurers brought in only after a breach has occurred. Vulnerability assessments are a good example of how businesses, MSSPs, and insurers all have a more proactive role to play in mitigating cyber attacks. MSSPs can deliver regular assessments to businesses and their insurers, detailing the company’s security posture as well as flagging the vulnerabilities that an organization needs to respond to before a threat actor has the chance to exploit any weaknesses. Insurers can then use these reports to measure risk more accurately and charge premiums appropriately.
Using real-time data from these reports will build insurer confidence that their customers are maintaining a strong security posture. If the cyber landscape changes and their risk increases, the presence of an MSSP can also provide reassurance that appropriate mitigating steps will be taken, cyber hygiene bolstered, and any new vulnerabilities patched.
Creating an industry standard
Using data from vulnerability assessments enables insurers to capture more detailed information about customers and standardise the industry approach to risk quantification. Currently, there is huge diversity in the ways insurers collect data on clients. For businesses, it can be a time-consuming and often complex process to answer the questionnaires that are typically issued, while the questions insurers ask do not often provide a holistic picture of a company’s security posture. Complete standardisation is hard to achieve, but adopting alternative methods of information gathering using security tools and assessments is one step towards more effective cyber risk measurement.
A trusted chain of partners will be invaluable for insurers looking to stabilise the market and maintain its profitability. There are signs that premiums will begin to settle, but this change will not happen overnight. In the meantime, businesses that partner with MSSPs and take proactive steps to bolster their cyber defences are best placed to secure affordable premiums and ensure continued protection. And by rewarding organizations with a security-first mindset, collaborating with MSSPs and staying alert to the changing cyber threat landscape, insurers can do their bit to keep businesses safe from future threats.
Lawrence Perret-Hall is Director at CYFOR Secure.