Mark Logan at One Identity argues that, against a backdrop of rising cyber-crime, insurers have become unexpected authorities in cyber-security, playing a significant role in shaping cyber-security standards and budgets.
For decades, regulators and industry bodies have kept a vigilant eye on enterprise IT operations with an emphasis on security. Unexpectedly, a new player may step into the arena to raise the bar for cyber-security: the cyber-insurer.
Insurance companies live and die by their ability to accurately quantify risk – no surprise here. Actuarial science powers a global market of insurance premiums worth 7 trillion USD yearly. This is a centuries-old sector, and even the first cyber-insurance policies are decades old now.
But in the last couple of years cyber-insurance was completely upended by the one-two punch of cryptocurrencies and ransomware. For the first time in history, attackers could enjoy direct, mostly anonymous, and untraceable financial gain from a breach, using relatively simple, premade, scalable and cheap attack tools.
The wave of cyber-crime triggered by this new incentive structure almost broke the cyber-insurance market, with insurers forced to take gigantic losses on a series of successful breaches. As a result, cyber-insurance premiums have surged by 50% just in the last year.
By the end of 2023 we can consider the market stabilised – premiums are still growing, but YoY growth is in the single digits according to the new report by the Council of Insurance Agents and Brokers. This is accompanied by a renewed increase in insurance capacity, and a welcome return of competition to the market.
With the market rebounding, insurance companies are gearing up to refine their models and gain a better understanding of the growing and attractive cyber-security market. The other side of the coin is that policy costs stabilised at extraordinarily high levels, with no expectation that rates might return to pre-ransomware levels.
The ransomware wave showed that the traditional tools of actuarial science have shortcomings when it comes to cyber-security. Therefore, it is important to understand what blind spots exist in cyber-insurance and take appropriate steps to address them.
One such blind spot is the modelling of risk associated with industry and organisation size. Take healthcare, where cyber-security is often perceived as lacking compared to other sectors, while confidentiality and availability (two components of the CIA triad) are considered absolutely critical to the sector.
This makes organisations such as hospitals attractive targets: under-protected and holding a large amount of sensitive data, they are vulnerable to ransomware and extortion tactics. And since risk is ultimately the product of probability and impact, scoring high on both scales makes this sector very expensive to insure.
The other blind spot for insurers is accurate risk assessment at the time of applying for an insurance policy. Underwriters use self-assessment questionnaires which are getting more detailed as they seek to understand the applicant’s security posture, from the finer details of multifactor authentication (MFA) to exact group policy rules for Active Directory (AD) administrators.
A fundamental misunderstanding by applicants is to treat these assessments as a mere formality, allowing inaccuracies or outright misrepresentations in the hope of being offered better premiums.
This approach can lead to critical consequences, as happened to one technology firm that was denied a large payout by Travelers last year due to inaccurate self-assessment, particularly ‘MFA-attestation’.
This precedent creates a new environment in cyber-insurance. Being able to tick a box on a cyber-security self-assessment is just the first step a CISO has to consider. The next step is being able to prove the claimed capability. To be clear: failure to document preventive measures is almost as bad as not having those preventive measures.
The current state of the cyber-insurance field offers some important actionable opportunities to security decision makers.
First, by proving their level of cyber-security, they can break the ‘vulnerable-by-association’ link and present their organisation as a positive example in its industry. A CISO who can prove that the organisation’s cyber-maturity is better than the rest of the sector will obtain better terms when contracting or renewing the policy. This is particularly critical in sectors considered most vulnerable, such as healthcare or services.
Second, cyber-insurance self-assessment is more powerful than one might initially perceive. The terms outlined in the assessment serve as the cyber-security benchmark against which the organisation will be evaluated in the event of a cyber-insurance claim.
A substantial claim is likely to prompt a comprehensive investigation by the insurer, during which all promised controls will be enumerated and scrutinised for effectiveness. Failing this examination will inevitably lead to the denial of the payout, as in the Travelers case. Thus, merely checking a box on a cyber-security self-assessment is just the first step a CISO has to consider. The next step is to be able to substantiate the claimed capability.
The cyber-insurance market is stabilising and becoming increasingly price competitive. This will lead to the normalisation of policy costs, along with a push for standardisation and transparency. The market is ready for cyber-insurance companies to start enhancing transparency in pricing, providing much-needed clarity on which cyber-security factors impact premiums the most, and detailing the specific savings certain security measures can bring.
Armed with this key information, CISOs will finally be able to make accurate return-on-investment calculations for security investments, while furthering their organisations’ cyber-resilience.
Mark Logan is Chief Executive Officer of One Identity
© 2024, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd.