SecurityWeek

Cyber Insurance

Seeing is Believing… and Securing

Because you can’t secure what you can’t see, having real-time asset visibility across the network is vital to maximizing security, minimizing risk, and protecting the enterprise.

[Figure: devices connected to the network]

According to financial market analyst firm Fitch Ratings, cyber insurance premium costs increased 178% from 2017 to 2022, including a 51% year-over-year increase in 2022 alone. Fitch says costs are expected to moderate in the coming quarters as profits and competition influence pricing, and as customers adjust to their own situations by improving cybersecurity measures or by abandoning cyber insurance as a part of their risk management strategy. For some high-risk organizations, costs have become prohibitively expensive, while for others the decision may be out of their hands as insurers deny them coverage outright. Still others may find that certain coverage is no longer available. That was the message Lloyd’s of London sent in late 2022 when it announced that it would require its underwriters to exclude coverage for damages related to state-sponsored cyberattacks.

These evolutions in cyber insurance may be frustrating for customers, but they are to be expected as a part of the maturation of a relatively new insurance product in a highly volatile market. Underwriters have learned hard lessons as threat actors have become more sophisticated and belligerent, forcing them to take a more active and consultative role in their customers’ risk management by providing guidance aimed at improving security. As Robert Parisi, North American head of cyber solutions for the large reinsurer Munich Re told the Wall Street Journal, “The underwriting is aggressively moving toward, ‘How can we get a deeper, more insightful look.’”

Everything Under (12) Controls

For example, insurance broker Marsh McLennan Agency publishes a list of twelve security controls to help inform its customers’ cybersecurity strategies, with the caveat that a failure to provide proof of the first five controls is likely to be a coverage disqualifier. Adoption and effective use of all twelve, on the other hand, will not only improve the organization’s overall risk profile but may well result in lower cyber insurance costs. Marsh has reported that by adopting and documenting its recommended controls, 14% of its customers enjoyed lower premiums in the past year even as their peers paid more.

For the curious, those twelve controls include:

  1. Multifactor authentication (MFA) for remote access and admin/privileged controls
  2. Endpoint detection and response (EDR)
  3. Secured, encrypted, and tested backups
  4. Privileged access management (PAM)
  5. Email filtering and web security
  6. Patch management and vulnerability management
  7. Cyber incident response planning and testing
  8. Cybersecurity awareness training and phishing testing
  9. Hardening techniques, including remote desktop protocol (RDP) mitigation
  10. Logging and monitoring/network protections
  11. End-of-life systems replaced or protected
  12. Vendor/digital supply chain risk management

In total, the controls on this list represent excellent defense-in-depth and should be a part of every security strategy. And an investment in cybersecurity and risk management that provides a return both in a lower cyber insurance premium and in minimizing the risk of a costly data breach makes good business sense. But how easy is it to accomplish this task at a time when threats are on the increase, and the makeup of the typical enterprise’s technology estate is increasingly complex and dynamic?

Step Forward or Step Aside

One big step toward achieving this goal has to be gaining complete asset visibility across the network. A common lament among CISOs today is that they are responsible for protecting every asset connected to and operating in their enterprise, whether or not they know it is there. Granular details help address security gaps. How can you know, for example, that a device has reached end of life if it is operating outside the view of IT operations? How can you execute patch and vulnerability management on systems you aren’t aware are connected to the network? How can you segment vulnerable assets if they are operating in the shadows?

The hard truth of IT and security operations management today is that virtual services, Internet of Things (IoT) and mobile devices, and operational technologies (OT) are endemic to the IT estate. As many as 20% of those assets are invisible to the CISO, and any one of them could be an attack vector or a step along a threat actor’s path to their target destination. Consequently, any one of them that is unaccounted for is a lost opportunity to detect and prevent or contain an attack in progress.
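What “asset visibility” means in practice is a reconciliation: compare what IT operations believes is on the network (the CMDB or asset register) against what is actually observed on the wire, then flag the three gaps the column describes: devices seen but never inventoried, inventoried devices nobody is seeing, and inventoried devices whose OS or firmware has passed vendor end of support. The following is an added example written for this page, not code from the column’s author or from Ordr. The CMDB rows, the DHCP lease lines and the end-of-life table are all constructed for illustration; in a real deployment the same three inputs would come from the CMDB export, the DHCP server or a passive network sensor, and a vendor end-of-life feed.

```python
"""Reconcile a CMDB export against devices observed on the network.

Added example (not from the column or from Ordr). All inputs below are
constructed for illustration; the only real vendor dates are the
Windows 7 (14 Jan 2020) and Windows Server 2012 R2 (10 Oct 2023)
end-of-support dates.
"""
import re
from datetime import date

# Constructed CMDB export: what IT operations believes is on the network.
# MAC formats are deliberately inconsistent, as real exports tend to be.
CMDB = [
    {"mac": "00:1A:2B:3C:4D:5E", "hostname": "fileserver01", "os": "Windows Server 2012 R2", "owner": "IT"},
    {"mac": "00-1a-2b-3c-4d-5f", "hostname": "ws-finance-07", "os": "Windows 11", "owner": "Finance"},
    {"mac": "AC:DE:48:00:11:22", "hostname": "printer-3f", "os": "Printer firmware 4.2", "owner": "Facilities"},
    {"mac": "00:50:56:01:02:03", "hostname": "legacy-scada-gw", "os": "Windows 7", "owner": "OT"},
]

# Constructed DHCP lease log lines in ISC dhcpd style. A passive sensor's
# ARP/DHCP observations would serve the same purpose.
DHCP_LOG = """\
DHCPACK on 10.20.1.15 to 00:1a:2b:3c:4d:5e (fileserver01) via eth0
DHCPACK on 10.20.1.16 to 00:1a:2b:3c:4d:5f (ws-finance-07) via eth0
DHCPACK on 10.20.1.40 to ac:de:48:00:11:22 (printer-3f) via eth0
DHCPACK on 10.20.7.201 to 7c:dd:90:aa:bb:cc (ESP_AABBCC) via eth1
DHCPACK on 10.20.7.202 to 00:0c:29:12:34:56 via eth1
"""

# Constructed end-of-life table: OS/firmware name -> vendor end-of-support date.
EOL = {
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2012 R2": date(2023, 10, 10),
    "Printer firmware 4.2": date(2024, 6, 30),  # illustrative date
}

# Fixed "today" so the example is reproducible.
REPORT_DATE = date(2024, 1, 15)

LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-fA-F:-]{17})"
    r"(?: \((?P<name>[^)]*)\))? via (?P<iface>\S+)"
)


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated MAC so CMDB and log entries compare."""
    return mac.replace("-", ":").lower()


def parse_leases(text: str) -> dict:
    """Map normalized MAC -> {ip, name, iface} for every DHCPACK line."""
    seen = {}
    for line in text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            seen[normalize_mac(m["mac"])] = {"ip": m["ip"], "name": m["name"] or "", "iface": m["iface"]}
    return seen


def reconcile(cmdb, leases, eol, today):
    """Return (unknown, missing, end_of_life), each keyed by normalized MAC.

    unknown:     observed on the wire but absent from the CMDB (shadow assets)
    missing:     in the CMDB but not observed (stale record, or a host that is
                 off the network and therefore not being patched or monitored)
    end_of_life: CMDB assets whose OS/firmware is past vendor end of support
    """
    known = {normalize_mac(a["mac"]): a for a in cmdb}
    unknown = {mac: info for mac, info in leases.items() if mac not in known}
    missing = {mac: a for mac, a in known.items() if mac not in leases}
    end_of_life = {
        mac: (a, eol[a["os"]]) for mac, a in known.items()
        if a["os"] in eol and eol[a["os"]] <= today
    }
    return unknown, missing, end_of_life


def run_example():
    """Reconcile the constructed inputs as of REPORT_DATE."""
    return reconcile(CMDB, parse_leases(DHCP_LOG), EOL, REPORT_DATE)


if __name__ == "__main__":
    unknown, missing, stale = run_example()
    for mac, info in unknown.items():
        print(f"UNKNOWN  {mac} {info['ip']:<14} {info['name'] or '(no hostname)'} on {info['iface']}")
    for mac, a in missing.items():
        print(f"MISSING  {mac} {a['hostname']} (in CMDB, not seen on the network)")
    for mac, (a, d) in stale.items():
        print(f"EOL      {mac} {a['hostname']} {a['os']} (support ended {d})")
```

On the constructed input the report flags two devices nobody inventoried (an `ESP_` hostname typical of a hobbyist IoT board, and a VMware-prefixed MAC with no hostname at all), one CMDB host that is not on the network, and two end-of-life systems, one of which is the host nobody can see. The MAC normalization step matters more than it looks: a CMDB that stores `00-1A-2B-...` while the DHCP server logs `00:1a:2b:...` will report every asset as both unknown and missing unless the keys are canonicalized first.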

Go Above and Beyond

That is why a 13th control, complete IT asset visibility, should be added to the Marsh list. Because you can’t secure what you can’t see, an investment in tools that enable real-time asset visibility across the network is vital to maximizing security, minimizing risk, and protecting the enterprise from threats like ransomware. And by going above and beyond to provide proof of that level of visibility and control, lower cyber insurance premiums are icing on the cake.

Written By

Danelle is CMO at Ordr. She has more than 20 years of experience in bringing new cybersecurity technologies to market. Prior to Ordr, she was CMO at Blue Hexagon (acquired by Qualys), a company using deep learning to detect malware, and CMO at SafeBreach, where she helped build the marketing organization and define the Breach and Attack Simulation category. Previously, she led strategy and marketing at Adallom, a cloud security company acquired by Microsoft. She was also Director, Security Solutions at Palo Alto Networks, driving growth in critical IT initiatives like Zero Trust, virtualization and mobility. Danelle was co-founder of a high-speed networking chipset startup, co-author of a Cisco IP communications book and holds two US patents. She holds an MSEE from UC Berkeley.
