Ensuring that your company or organization is protected against malicious cyber-attacks has never been more critical, especially now in the age of remote work due to the pandemic. According to CyberTalk.org, “data breach costs increased from $3.86 million to $4.24 million in 2021, the highest in the past 17 years … while the average cost of a data breach increased by $1.07 million due to remote work, where more attack vectors [are] made available to hackers, such as phones, tablets, and PCs.”
It is not just the companies themselves who have been adversely affected by these cost increases. Cyber liability insurance carriers have also borne the brunt of covering business interruptions and data recovery caused by cyber-attacks. They have only recently begun to realize they may not have adequately planned for the severity of ransomware in particular.
As such, these carriers have reassessed what cybersecurity control requirements must be in place and must be actively monitored and corrected when necessary for both new and existing policyholders. Premiums have increased — as much as 300 to 400 percent higher than previously — and minimum security thresholds are now mandatory before carriers originate or renew a customer’s policy, which in turn has caught many companies unprepared.
Several causes can lead to a successful cyber attack and data breach. Still, in our experience with incident response, the consistent theme is missing controls on the back end: lack of two-factor authentication, poor backups, and lack of patching and real-time process correction. While we realize a company’s goal is to control costs, it is important to note that every one of these security controls is reasonable and, more to the point, is a fundamental thing that companies should already be doing.
Two- or Multi-Factor Authentication
Over the past two years, many of the attacks we have seen were driven by identity theft and loss of credentials that allowed access to sensitive environments. Thus, at the top of almost every cyber insurer’s list as an absolute requirement is the implementation of two- or multi-factor authentication. Generally speaking, TFA/MFA applies first to VPN access (remote access to environments), but it is also becoming required for email and other similar services. Some insurance carriers want their customers to have it on every externally accessible service, and many are even requesting it internally, especially for administrators or anyone with access to sensitive customer information and/or regulated data.
Many incidents that Vancord responded to occurred because customers had no multi-factor authentication in place. We suggest these improvements regularly. While it can be costly for those who are in the process of renewing a policy, overall, it is a net positive and a perfectly reasonable business expense.
Robust Backup Capabilities and Risk Assessment
A significant issue with many companies has been the lack of disaster recovery planning and robust data backup capabilities. Insurance carriers are now starting to mandate specific time frames for which a company needs to keep data and how the data is controlled and managed.
Ransomware incidents involve attacks against backup infrastructure, and how well this area is protected directly determines how quickly a business’s data can be recovered and restored. Business restoration factors into many cyber liability insurance policies, and the longer the recovery time frame, the more it costs the insurer. Unfortunately, those costs will inevitably be passed on to the customer at some point via higher premiums.
Another interesting new development among cyber liability insurers is that many are now measuring and assessing risk by proactively scanning a client’s cybersecurity capabilities and processes before issuing a policy.
Insurance carriers have always faced considerable exposure, and more than ever, they have taken the position of imposing specific minimum requirements on prospective customers. This change is notable for the industry: carriers are taking it upon themselves to scan a customer’s cybersecurity capabilities, identify gaps or weaknesses, and request that corrective measures be implemented to help prevent or mitigate future incidents.
Endpoint Detection and Response
Another area where change has occurred is Endpoint Detection and Response (EDR), or Managed Detection and Response (MDR), the managed-service form of modern EDR. Many companies have traditional antivirus (AV) protection in place; however, under insurance carriers’ more stringent requirements, these AV systems may need to be replaced because they do not meet the threshold of an EDR.
Insurance carriers are now more concerned about detecting attacker behavior and having data to backtrack and see which systems an attacker has touched. How a system was compromised and what protections were in place (or not) at the time of the attack could very well affect whether a claim under a company’s cyber liability policy is covered.
Identity is the mechanism for most attacks these days. An attacker’s abuse of the authorized access of a company employee (user), using stolen credentials, is very easy to detect and analyze if a tool like an EDR platform is in place.
Rigorous Process, Regular Risk Management, Corrective Measures
Perhaps the strictest and most unexpected new requirements (for companies already covered) are many insurers’ demands for rigorous process and for evidence that this process is documented and adhered to on a regular basis. Implementing vulnerability management practices, measuring risk on a cyclical basis, and fixing issues with corrective actions, by either patching vulnerable systems or removing them from the environment, are all components of the process insurers want to see, and they want to be sure it has been documented regularly. If a company cannot provide proof of this, it could very well affect their coverage.
Meeting this last requirement could prove tricky for many organizations due to policy renewal timeframe constraints and unforeseen expenses. For example, even simply deploying EDR and multi-factor authentication could require months for implementation, depending on a company’s size, along with employee training and culture changes that new cybersecurity systems would demand.
These new infrastructure requirements will be very challenging for many organizations to meet in a timely manner, and the exact changes an insurer requires are not consistent across carriers. There is no standard checklist of protective measures that will guarantee a company’s coverage.
The Bottom Line
In today’s cybersecurity world, there is simply no question that a company should be adopting the new stringent requirements of the cyber liability industry: multi-factor authentication across various locations, utilizing an EDR, ensuring high-quality backups, and handling patches and vulnerability management. If these proactive changes are not completed, it will affect a company’s ability to get a new policy, or a renewed policy could be limited. Insurance coverage is going to be more expensive; that’s the reality. If a company wants to be in a position to make a claim and have that claim honored, it needs to ensure those protective changes are safely in place.
Planning and allocating time for a successful rollout is crucial to system upgrades, so knowing what your organization needs and how long it will take to implement is paramount. Equally important is finding an insurance carrier that meets your business needs and offers the flexibility required to do so, and for this, we highly recommend using an insurance broker.
We would be happy to guide you through this process and discuss case studies of the different ways clients have implemented these controls. Feel free to reach out to us at 860-652-0450 for more information.
And, as always, stay vigilant, stay resilient.