Cybersecurity attacks are a major threat to every organization – no matter the size – and the attacks aren’t going away anytime soon. Without the proper tools to prevent, detect, mitigate, and recover from a ransomware attack, an organization faces a long recovery process at best…and never reopening at worst. As of last year, the average downtime from a ransomware attack is 23 days: do you have a plan to keep your business open without functionality for the better part of a month?
Yet even with the proper tools, the unthinkable can still happen. Cyber insurance provides a critical layer of financial security when all else fails and your business is impacted by a cyber event. How can you secure this protection for your business, in the midst of changing regulations and greatly increased demand?
Cyber insurance is no longer a buyer’s market
It’s no surprise that in the midst of these growing cyberattacks, demand for cyber insurance has also grown – even outgrowing the available supply. Unable to take on the liability for every business, insurance providers are becoming choosier, and changing their coverage to compensate for this higher risk and greater demand in many ways, including:
- Reduced payouts & limits
- More specific coverage
- Dramatically raised premium rates, for both new and renewing coverage
- New, more rigorous underwriting procedures
Your organization can’t do much about the first three factors; at best, you can learn the changing standards and choose the best option from what is available to you. However, your organization can improve its own security controls to address the fourth factor. By demonstrating a stronger cybersecurity posture, you will improve your eligibility for cyber insurance coverage…and can even improve the offers available to you.
5 factors raising the bar for cyber insurance
IT security is a staggeringly complex topic, and your security strategy must be comprehensive to meet the current threat landscape. When it comes to qualifying for cyber insurance, however, several key features are at the top of most providers’ checklists. Properly demonstrating your strategy for the following 5 cybersecurity topics can be the difference between having coverage and flying without that critical parachute.
Multi-Factor Authentication (MFA)
What’s required
Multi-Factor Authentication (or 2-Factor Authentication), which establishes a second login component beyond just a password, used to be a “nice to have” feature. Those days are gone. MFA (or 2FA) is such a powerful safeguard – in such a volatile threat landscape – that it is now mandatory for many cyber insurance providers. When 61% of last year’s breaches involved stolen credentials, it’s no surprise that providers see the value of an extra layer protecting those user identities.
What you can do
If you don’t already have an MFA strategy, start planning for one today. Even if cyber insurance isn’t in your immediate strategy, MFA provides an exponential security advantage for relatively little cost, making this a worthy investment for every organization. The inclusion of this second required credential prevents a staggering 99% of unauthorized logins – protecting your users no matter how complex or weak their passwords are.
And if you’re implementing MFA to meet requirements for cyber insurance, be especially wary of your timeline. Although relatively straightforward to use, MFA can take some planning to implement properly and should not be rushed. We highly recommend giving yourself more than 30 days (60, if possible) to implement an MFA solution before it’s required by an insurance provider.
Endpoint Detection & Response (EDR)
What’s required
Just as Multi-Factor Authentication is now mandatory for many providers, Endpoint Detection & Response (EDR) is likely the next requirement coming in 2022. Along with its associated “Detection & Response” solutions, such as Managed (MDR) and Extended (XDR), EDR monitors inside your network, searching for evidence of breaches or the seeds of a cyberattack that may have slipped past your outer defenses.
This extra layer of protection is crucial for catching vulnerabilities and compromises before they spiral into a catastrophic full-scale attack…especially in an era where attacks are commonplace and many security agencies encourage organizations to act as if the initial breach is inevitable. It’s no surprise that cyber insurance providers would see the value in this extra layer of due diligence.
What you can do
Get ahead of the curve now, by planning and budgeting for these powerful detection tools before they become mandatory. EDR requires a more developed security strategy than MFA, so this will likely turn into a larger conversation with your IT team – either internal or external. All the more reason to start talking about it today, before it becomes an emergency.
24/7 Network Monitoring & Security/Network Operations Center (SOC/NOC)
What’s required
Along with Endpoint Detection & Response, providers are upping their monitoring requirements in other ways. One other “nice to have” that’s rapidly becoming a “need to have” is 24/7 Network Monitoring and a Security Operations Center (SOC) or Network Operations Center (NOC). Sometimes an internal team and sometimes outsourced from an IT security provider, the Security Operations Center introduces a human element into your network monitoring.
More than a single alerting program or weekly scanning tool, the SOC connects your network to a dedicated team that knows how to deploy and supervise security monitoring tools, and can react with human recognition and reasoning when something doesn’t look quite right. The SOC can also monitor the broader threat landscape more effectively, providing crucial insights into the dangers facing your organization.
What you can do
Get a SOC. In the modern cybersecurity environment, where threats are ever-present and the security arms race has evolved beyond antivirus and a spam blocker, a dedicated security monitoring solution is essential. Implementing 24/7 Network Monitoring and a Security or Network Operations Center will give you a leg up on the competition, and prove to cyber insurance providers that your organization is actively improving its security posture.
Network Backups
What’s required
Server backups are absolutely essential to modern cybersecurity – so essential that simply having a server backup solution is no longer enough. Insurance providers are now demanding tighter controls, stronger backup policies, frequent testing, and proof that your network & server backups can hold their ground against the most common disasters likely to overwhelm them.
What you can do
There are several factors to consider when configuring your backup solution. Immutable backups are unchangeable, meaning that attackers can’t encrypt them and your data is more secure. Air-gapped backups are segmented from your network, offline and inaccessible to attackers, hardware disasters, or physical destruction.
You must also implement several policies to meet insurers’ standards for frequency and testing. Frequency covers how often the backups are made: Once a day? Twice? Once an hour? Your backup frequency determines how closely you’ll be able to recover to the time of disaster…which determines how much the downtime will cost you. And finally, many organizations skip over testing their backups…which means they have no idea if the backup will work on the unthinkable day they need it.
Network Segmentation
What’s required
Network backups are a great example of “don’t put all your eggs in one basket,” but they’re not the only example. One requirement becoming more commonplace for insurers is network segmentation – the policy of separating important systems within your company environment, so a breach of one device can’t spread to others.
By limiting the scope of a breach, and preventing a single phishing click from taking down the entire office, network segmentation significantly reduces the liability that cyber insurers must assume. It’s quickly becoming critical in their underwriting decisions as a result.
What you can do
Talk to your IT team about your network, and determine your level of segmentation. Can you separate or restrict permissions on certain nonessential devices? Are you willing to slightly reduce productivity to greatly increase the difficulty of an attack spreading? Does your fish tank thermometer use the same Wi-Fi as the rest of your office? Some of these questions might not have even occurred to you, so a discussion is always a great opportunity to assess your risks.
Start planning your security improvements today
If you want cybersecurity insurance in your future, now is the time to start the necessary conversations. Many insurance providers are no longer allowing the grace periods they did in the past, which means the clock is ticking to implement key solutions like MFA and EDR. Talk to cybersecurity insurance underwriters to get a better sense of where your market is heading, so you can be ahead of the curve instead of scrambling to catch up.
Finally, and most importantly, these cybersecurity requirements are mandatory for a good reason: they work. Even if insurance isn’t in your organization’s immediate future, the threats out there are significant and growing all the time. By taking steps to proactively safeguard your business now, regardless of insurance planning, you will achieve greater peace of mind in a turbulent threat environment – a worthy goal for any organization.