1: Introduction
2: The Future of Cyber Insurance
3: Who Needs Cyber Insurance?
4: Top Security Controls for Cyber Insurance
5: The Cyber Insurance Claims Process
6: The Three Musketeers of Cyber Insurance
7: How Blumira Can Help
The cyber insurance industry is undergoing a massive shift. Rising premiums, changing requirements and a lack of consistency across the industry create challenges for organizations that need coverage.
Now is the time to get clarity on how cyber insurance will change, and what security controls are needed to stay ahead of those changes. For managed service providers (MSPs), this is critical not just for their own business but also for their clients.
The Evolution of Cyber Insurance
Over the past decade, the cyber insurance industry has operated much like the Wild West, in which over-eager underwriters wrote policies without fully understanding their risk — or in some cases even understanding cybersecurity at all.
However, with the rise of ransomware and business email compromise (BEC), many insurance providers are taking on bigger losses than they had initially anticipated.
To right the ship, insurers are looking at three main options:
For some, this is already happening: premiums have doubled or tripled, creating confusion and frustration for companies looking to renew or acquire cyber insurance.
Cyber liability insurance is a type of insurance that provides protection against risks related to losses involving a company’s digital assets. This could include irreversible damage or loss of company data due to ransomware, loss of time or productivity due to an attacker damaging network infrastructure, or loss or breach of customer data.
happen, they will use that data to better inform their policies and requirements. In the future, cyber insurance providers will continue to require critical controls that prevent breaches — or they will provide incentives in the form of significant discounts. Security information and event management (SIEM) can significantly reduce the risk of a cyberattack, for example, so insurers may give discounts to organizations that have implemented a SIEM, which can even potentially offset the cost of the SIEM altogether.
The lack of regulation in the cyber insurance industry has created issues around clients misrepresenting their infrastructure. Travelers Insurance recently filed a lawsuit claiming that a client that experienced a ransomware attack had misrepresented its use of MFA. Issues such as these will likely encourage insurance companies to look more closely at their customers’ tech stacks.
Organizations with a cyber insurance policy, or considering a policy, should get in front of these changing requirements. By implementing the required controls now, they can avoid expensive, low-quality, last-minute implementations when an insurance renewal is due. Renewals usually come on short notice, and delivering a quality implementation of new security controls is not possible in those timelines.
An MSP would want cyber liability insurance to protect their own business from cyberattacks. However, an MSP’s insurance needs to go beyond cyber liability insurance. An MSP’s actions could potentially create a situation where one of their customers experiences a cyber incident, which may not be covered under an MSP’s cyber liability insurance. Or a threat actor could use an MSP’s remote management and monitoring (RMM) software to run a ransomware attack against their clients. An MSP should consider the benefits of Tech Errors & Omissions insurance, which would provide protection against mistakes that may result in a loss to a customer.
Insured customers would also have access to better specialized IT resources in the event of an incident, which can prevent the MSP from being overworked — especially in the event of a widespread incident that may impact multiple customers in a short period of time. Cyber insurance may also provide reimbursement to an MSP for emergency or after-hours labor required to recover from an incident.
Today, insurers have specific security controls that are a must-have. These sometimes are required directly via documents that lay out the must-have controls. In other cases, the insurer will price the policy prohibitively high if organizations don’t have the required security controls in place.
For example, they may not directly require MFA, but they may triple the price of the policy if MFA is not in place to protect access to high-risk systems. Year over year, renewals of the same policy tend to have more strict requirements in order to qualify for renewal.
Some of the most common security controls that insurers ask for include:
An EDR solution continuously monitors endpoints to detect malicious behavior. It’s often a requirement for cyber insurance because it enables organizations to proactively and reactively hunt for indicators of compromise (IoCs).
While traditional antivirus relies solely on signature-based detection, NGAV uses modern techniques such as AI and behavior-based detection to block threats.
Employee training is becoming increasingly important to insurers, especially because phishing is one of the most common ways an attacker infiltrates an environment.
Backups are crucial for ransomware recovery, since they indicate whether or not a company can recover quickly from the event. Backups that are kept separate from the systems where the data originally resides are even better. Many cyber insurers also require encrypted backups to ensure the integrity of the data remains intact.
A SIEM collects and converges data from different parts of an IT environment for the intent of security monitoring. This helps an organization — and an insurance company — determine what happened (and when) in the event of an attack. Today’s SIEMs commonly have detection and response capabilities, making the solution even more valuable for proactive protection.
These controls are not just important for cyber insurance, but they can also help to meet compliance requirements and improve your overall security maturity.
Some policies may not cover legal or forensics costs, and some may have limits on how much of these services would be covered. The legal and forensics costs can be very high, and some companies find that those costs eat away at a significant portion of the policy, leaving little for things like possible ransom payments.
It is very important that you understand the costs of a cyber incident, especially if you would consider paying a ransom using an insurance policy.
Insurance policies may have a limit based on the total ransomware coverage. So, for example, if a total ransomware coverage limit is $1 million and the ransom is $1 million, then an insurance provider will not pay anything except for the initial ransom payment.
It’s important to consider that the total cost of a ransomware incident often stretches beyond the cost of the initial ransom; it can include legal fees, forensic experts, potential penalties and fines, remediation costs, and more.
Organizations should understand a policy’s specific coverage details before entering into an agreement with an insurance provider or renewing a contract.
What happens when you experience a suspected incident and you carry cyber liability insurance? Each policy varies, but here is a general idea of what you can expect when working with a cyber insurance company.
During this time, the legal team will start to advise you on next steps, including internal and external communication. Inadvertent disclosures of your suspected incident at this time can cause complications as the legal team works to minimize your exposure to the various impacts of a breach or other similar incident.
The legal team will help you take only the actions that are required, and no more. Your specific policy may also include allowances for costs you incur for notification and, in some cases, for offering free credit monitoring to impacted individuals.
In some cases, the legal obligations following a data breach depend on the number of people, customers, or records breached. Without comprehensive logs available, the insurer may need to assume that the entire network is breached, and undergo much more expensive forensics and legal services in response.
A lack of sufficient logging may also lead to an expensive or complicated public relations issue for the company.
As with logging, an insurance company wants as much information as possible about an incident. When an organization retains data for at least 90 days — or even better, six months to a year — an insurance provider can determine how long an attacker was in an environment. Data retention also expedites the recovery and restoration process after a breach or ransomware incident, helping with business continuity.
In addition to being retained long-term, logs should also be immutable, meaning they cannot be changed or deleted. This is important because attackers commonly clear logs to hide their tracks. Organizations should store logs outside of their own environment to prevent attackers from doing this.
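The following is an added illustration of that immutability requirement, not code from the whitepaper or from Blumira: each log entry commits to the hash of the one before it, so a verifier holding only the latest hash (as an off-site collector would) can tell whether entries were edited, deleted from the middle, or cleared from the end. The events, timestamps and hash format are constructed for the example.

```python
"""Append-only, hash-chained audit log with tamper and deletion checks."""
import hashlib
import json

GENESIS = "0" * 64  # chain anchor before the first entry


def _digest(seq, ts, msg, prev):
    # Canonical JSON so the hash does not depend on dict ordering or whitespace
    payload = json.dumps([seq, ts, msg, prev], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append(chain, ts, msg):
    """Append one entry that links to the previous entry's hash."""
    seq = chain[-1]["seq"] + 1 if chain else 0
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": seq, "ts": ts, "msg": msg, "prev": prev}
    entry["hash"] = _digest(seq, ts, msg, prev)
    chain.append(entry)
    return entry


def verify(chain, expected_head=None):
    """Return a list of findings; an empty list means the chain is intact.

    expected_head is the last hash as recorded outside the environment (for
    example, acknowledged by a remote collector); it exposes truncation that
    the chain alone cannot reveal."""
    findings = []
    prev, seq = GENESIS, 0
    for e in chain:
        if e["hash"] != _digest(e["seq"], e["ts"], e["msg"], e["prev"]):
            findings.append(f"modified: entry {e['seq']} does not match its hash")
        if e["seq"] != seq:
            findings.append(f"gap: expected seq {seq}, found {e['seq']}")
        elif e["prev"] != prev:
            findings.append(f"relinked: entry {e['seq']} does not chain to its predecessor")
        prev, seq = e["hash"], e["seq"] + 1
    if expected_head is not None and (not chain or chain[-1]["hash"] != expected_head):
        findings.append("truncated: head hash does not match off-site record")
    return findings


def demo():
    """Constructed sample: four events, then entry 1 removed from a local copy."""
    chain = []
    events = ["user login: alice", "privilege change: alice",
              "new service installed", "scheduled task added"]
    for i, msg in enumerate(events):
        append(chain, f"2024-05-0{i + 1}T12:00:00Z", msg)
    head = chain[-1]["hash"]  # the value the off-site collector holds
    cleared = [e for e in chain if e["seq"] != 1]
    return verify(chain, head), verify(cleared, head)
```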
Having effective threat detection can greatly limit an insurer’s financial obligations if an attacker can be eliminated from the network within hours of their initial entry. Breaches that took more than 200 days to identify and contain resulted in 35% higher cost for organizations, at $4.8 million on average, according to IBM’s Cost of a Data Breach report.
Without early detection, organizations can suffer from longer breach lifecycles, resulting in a negative impact to their bottom line and therefore an insurer’s bottom line, making a provider less likely to provide comprehensive coverage.
Blumira can help organizations in any industry meet the log monitoring, audit trail, data retention, and detection and response requirements of cybersecurity insurance policies and other compliance regulations, such as HIPAA, PCI DSS, FFIEC, NIST, CMMC and more.
Blumira’s cloud SIEM is a good fit for many companies that want to improve their security posture while qualifying for cost-effective cyber liability insurance. Pricing of insurance policies depends on many factors, but the use of a SIEM often has a noticeable impact on policy pricing.
Not only is using a SIEM the right thing to do, but the cost of a SIEM may be partially or completely offset by lower insurance costs.
FifthWall Solutions is a cyber insurance wholesaler with near-global access to 40+ carriers. That’s about as deep as anyone can get. With our cross-industry insights, we’re able to find the best choice for each client regardless of industry, revenue, or past issues with cyber incidents. FifthWall can help your MSP and all of your clients every step of the journey with: