Rampant ransomware attacks have made cyber insurance a C-suite priority. Despite the raised consciousness, it’s more difficult than ever to secure or renew a policy. Nefarious activity continues to put pressure on carriers who are responding with even higher premiums and stricter underwriting requirements as they aim to mitigate risks. What was considered acceptable for 2022 may not be considered acceptable for 2023.
The takeaway for companies in the market for cyber insurance is this: Get ready to answer a litany of pre-audit questions and demonstrate a hardened defense strategy.
Top Challenges Shaping Today’s Global Cyber Insurance Market
The growing frequency and sophistication of cyberattacks, especially on the ransomware front, have compelled even more companies to seek coverage. As we’ve previously covered, many cyber insurance providers have reported massive direct-loss ratios for standalone policies. They continue to struggle to adequately cover escalating costs, and things are changing fast. Consider The Marsh & McLennan Cos. Global Insurance Market Index, which found that U.S. cyber insurance prices skyrocketed in the second quarter of 2022, up 79% from a year ago after more than doubling in the two prior quarters.
I spoke about this at the 2022 CyberArk Impact event in Boston alongside CJ Dietzman, CISSP, CISA and managing director and cybersecurity marketplace leader at Marsh Specialty. During our talk he noted, “The ransomware epidemic eviscerated the profitability of cyber insurance. Five to seven years ago, you could fill out a one-page cyber insurance application and answer a handful of questions. Fast forward and the world has changed. Getting insurance with favorable terms, conditions, pricing coverage and low retention is hard right now.”
Insurers aren’t just considering ransomware risk as they tighten up qualifications. Current market volatility and continued geopolitical tensions also factor into the equation. SolarWinds, Kaseya, Log4j and other high-profile incidents have intensified concerns around software supply chain risks, prompting new questions around aggregation exposure and systemic losses. Meanwhile, global privacy regulations continue to evolve in patchwork fashion, and litigation and fines are growing — fueling even more underwriting questions.
With fees at a premium, HelpNetSecurity reports the number of organizations that won’t be able to afford cyber insurance, or that will be declined or offered limited coverage, is set to double in 2023.
2023 Requirements Will Dig Deep. A Solid Controls Narrative Provides an Edge
Scoring a policy or renewal with the right terms may be difficult, but it’s not impossible. Dietzman confirmed carriers and underwriters are responding favorably to companies instituting robust security controls and incident response plans — especially those prepared to dive deep into their cybersecurity architectures and planned roadmaps. “It’s important to articulate a meaningful risk-based approach to cybersecurity. If you do, you’re sitting on high water,” Dietzman explained.
Underwriters often assess security systems and practices by using open-source scanning tools like OpenVAS and OpenSCAP to probe an applicant’s networks for vulnerabilities and security rating services like SecurityScorecard and BitSight to evaluate risk. Many underwriters partner with outside cybersecurity firms to vet customers.
During these evaluations, they’re looking for evidence of specific cybersecurity controls and practices, and upcoming 2023 audits will examine certain areas more closely than ever before.
Since ransomware attacks typically start on workstations and servers, endpoint security will be under the microscope. Initially, insurers wanted to see that a company trained its employees in phishing and credential theft techniques and used endpoint detection and response (EDR/XDR) solutions to help identify and remediate suspicious activity.
But while training and EDR/XDR solutions are both critical (and still required by most insurers), attackers are constantly switching things up. This makes it very difficult for employees to reliably recognize new attack techniques and also means sophisticated attackers have found ways to turn off or bypass EDR/XDR by abusing administrative credentials, as seen in the SolarWinds attack. This has prompted more underwriting scrutiny around endpoint privilege controls, especially a company’s ability to remove local admin rights from all users — senior system administrators, developers and even people using legacy applications that require admin rights. The big challenge for organizations here will be finding the right balance between least privilege control and operational efficiency.
Requirements for multifactor authentication (MFA) — a checkmark item for insurers until recently — are also growing. Insurers started to dig deeper as more post-payout analyses revealed MFA wasn’t being fully utilized, particularly in the healthcare and higher education sectors. They found major coverage gaps for privileged accounts, which are not often linked to a specific person (i.e., the admin account that exists on every server) but are used by system administrators and other privileged users and protect sensitive data. As a result, underwriters have started mandating privileged access management (PAM) for privileged accounts not tied to specific users (i.e., local admin, root and service accounts) to achieve MFA, along with isolation of high-value assets.
Insurers are also looking at how organizations authenticate third-party privileged users from vendor organizations who need access to sensitive data and company systems. Vendors require the same security, yet they are rarely given the same security consideration as employees. For instance, if a vendor is onboarded for a brief two-week engagement, they should be onboarded and offboarded following the same HR processes as a new employee to minimize risk.
This heightened focus on privileged access management is starting to extend beyond human identities to non-human identities, which typically outnumber human identities by 45:1. These “machine identities” could be service accounts, hardcoded secrets or any off-the-shelf or homegrown solution requiring powerful credentials to perform its function (i.e., configuration management databases platforms and DevOps orchestration tools), along with automated processes such as robotic process automation (RPA). As part of this, insurers are looking for stronger privileged controls around automated patch management systems, vulnerability scanners and other existing security tools that attackers may try to disable.
Beyond technology safeguards, insurance carriers still want to see sound people practices, such as conducting ongoing cybersecurity awareness training. They’ll also evaluate data backup practices and incident response plans to understand how quickly the organization could restore operations in the wake of an attack.
Steps in the Right Direction
As companies prepare for cyber insurance renewals, they should be cognizant that security control requirements are evolving to address the fast-paced world of digital business.
Yet accelerated change is always difficult from an organizational and cultural standpoint and can stir up fear and uncertainty. The best way to minimize this is to make sure people understand the “why,” and that risk mitigation controls will not impact operational efficiency. It’s important for companies to spend time on the education factor.
The good news is that more companies are stepping up to the plate and taking meaningful steps to bolster their ransomware defenses. As stronger controls are implemented and used more effectively, insurer losses are starting to stabilize and soften the market a bit. We’re not out of the woods yet, but we’re starting to move in the right direction.
As organizations work to meet today’s requirements with an eye on the future, their focus must remain on effectively mitigating cyber risk without slowing business down.
Organizations looking to close security gaps within a specified period to either land or maintain a cyber insurance policy can benefit by aligning with the right security partner. CyberArk can play that role, helping you strengthen security, meet pre-audit requirements, keep premiums down and maintain business velocity. To learn more, check out our cyber insurance resources.