According to financial market analyst firm Fitch Ratings, cyber insurance premium costs increased 178% from 2017 to 2022, including a 51% year-over-year increase in 2022 alone. Fitch says costs are expected to moderate in the coming quarters as profits and competition influence pricing, and as customers adjust to their own situations by improving cybersecurity measures or by abandoning cyber insurance as a part of their risk management strategy. For some high-risk organizations, costs have become prohibitively expensive, while for others the decision may be out of their hands as insurers deny them coverage outright. Still others may find that certain coverage is no longer available. That was the message Lloyd’s of London sent in late 2022 when it announced that it would require its underwriters to exclude coverage for damages related to state-sponsored cyberattacks.
These evolutions in cyber insurance may be frustrating for customers, but they are to be expected as a part of the maturation of a relatively new insurance product in a highly volatile market. Underwriters have learned hard lessons as threat actors have become more sophisticated and belligerent, forcing them to take a more active and consultative role in their customers’ risk management by providing guidance aimed at improving security. As Robert Parisi, North American head of cyber solutions for the large reinsurer Munich Re told the Wall Street Journal, “The underwriting is aggressively moving toward, ‘How can we get a deeper, more insightful look.’”
For example, insurer Marsh McLennan Agency has a list of twelve security controls the firm provides to help inform its customers’ cybersecurity strategies, including the caveat that a failure to provide proof of the first five controls is likely to be a coverage disqualifier. Adoption and effective use of all twelve, on the other hand, will not only improve the organization’s overall risk profile, but it may well result in lower cyber insurance costs. Marsh has reported that by adopting and documenting its recommended controls, 14% of its customers enjoyed lower premiums in the past year even as their peers paid more.
For the curious, those twelve controls include:
- Multifactor authentication (MFA) for remote access and admin/privileged controls
- Endpoint detection and response (EDR)
- Secured, encrypted, and tested backups
- Privileged access management (PAM)
- Email filtering and web security
- Patch management and vulnerability management
- Cyber incident response planning and testing
- Cybersecurity awareness training and phishing testing
- Hardening techniques, including remote desktop protocol (RDP) mitigation
- Logging and monitoring/network protections
- End-of-life systems replaced or protected
- Vendor/digital supply chain risk management
In total, the controls on this list represent excellent defense-in-depth and should be a part of every security strategy. And an investment in cybersecurity and risk management that provides a return both in a lower cyber insurance premium and in minimizing the risk of a costly data breach makes good business sense. But how easy is it to accomplish this task at a time when threats are on the increase, and the makeup of the typical enterprise’s technology estate is increasingly complex and dynamic?
Step Forward or Step Aside
One big step toward achieving this goal has to be gaining complete asset visibility across the network. A common lament among CISOs today is that they are responsible for protecting every asset connected to and operating in their enterprise, whether or not they know it is there. Granular details help address security gaps. How can you know, for example, that a device has reached its end of life if it is operating outside the view of IT operations? How can you execute patch and vulnerability management on systems you aren’t aware are connected to the network? How can you segment vulnerable assets if they are operating in the shadows?
The hard truth of IT and security operations management today is that virtual services, Internet of Things (IoT) and mobile devices, and operational technologies (OT) are endemic to the IT estate. As many as 20% of those assets are invisible to the CISO, and any one of them could be an attack vector or a step along a threat actor’s path to their target destination. Consequently, any one of them that is unaccounted for is a lost opportunity to detect and prevent or contain an attack in progress.
That is why a 13th control, complete IT asset visibility, should be added to the Marsh list. Because you can’t secure what you can’t see, an investment in tools that enable real-time asset visibility across the network is vital to maximizing security, minimizing risk, and protecting the enterprise from threats like ransomware. And by going above and beyond to provide proof of that level of visibility and control, lower cyber insurance premiums are icing on the cake.
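As an added illustration of the reconciliation check that this 13th control implies (not code from the article or from any vendor product): a known inventory is compared against hosts actually observed on the network, and the gaps are reported in terms of the insurer controls above (unknown assets, end-of-life systems, missing EDR, stale patching). The inventory, observed hosts and dates are constructed sample data, and DHCP lease or ARP records are assumed as the network-side source.

```python
from datetime import date

# Constructed sample inventory (stands in for a CMDB export), keyed by MAC address.
INVENTORY = {
    "00:11:22:33:44:01": {"name": "fs01", "eol": date(2023, 10, 10), "edr": True, "last_patch": date(2024, 3, 1)},
    "00:11:22:33:44:02": {"name": "ws-hr-07", "eol": date(2029, 1, 1), "edr": False, "last_patch": date(2024, 3, 10)},
    "00:11:22:33:44:03": {"name": "cam-lobby-2", "eol": date(2026, 6, 30), "edr": False, "last_patch": date(2023, 11, 1)},
    "00:11:22:33:44:04": {"name": "db02", "eol": date(2027, 1, 1), "edr": True, "last_patch": date(2024, 3, 12)},
}

# Constructed observations, as if parsed from DHCP lease logs or switch ARP tables.
# The mixed-case MAC is deliberate: sources rarely agree on formatting.
OBSERVED = [
    {"mac": "00:11:22:33:44:01", "ip": "10.0.1.10"},
    {"mac": "00:11:22:33:44:02", "ip": "10.0.2.31"},
    {"mac": "00:11:22:33:44:03", "ip": "10.0.9.5"},
    {"mac": "AA:BB:CC:DD:EE:01", "ip": "10.0.9.77"},
]
TODAY = date(2024, 3, 15)  # fixed reference date so the example is reproducible

def norm_mac(mac):
    """Canonical form so CMDB and network sources compare equal."""
    return mac.strip().lower().replace("-", ":")

def reconcile(inventory, observed, today=TODAY, max_patch_age_days=30):
    """Map observed hosts onto the inventory and flag gaps that correspond to the
    insurer controls: unknown, end-of-life, no EDR, stale patching, never seen."""
    inv = {norm_mac(m): rec for m, rec in inventory.items()}
    seen = set()
    report = {"unknown": [], "eol": [], "no_edr": [], "stale_patch": [], "not_seen": []}
    for host in observed:
        mac = norm_mac(host["mac"])
        rec = inv.get(mac)
        if rec is None:
            report["unknown"].append(host["ip"])  # shadow asset: cannot be patched, segmented or attested
            continue
        seen.add(mac)
        if rec["eol"] <= today:
            report["eol"].append(rec["name"])
        if not rec["edr"]:
            report["no_edr"].append(rec["name"])
        if (today - rec["last_patch"]).days > max_patch_age_days:
            report["stale_patch"].append(rec["name"])
    # Inventoried but silent: decommissioned, offline, or the inventory is stale.
    report["not_seen"] = [r["name"] for m, r in inv.items() if m not in seen]
    return report

def visibility_gap(inventory, observed):
    """Share of observed hosts absent from the inventory (the article's 'invisible' assets)."""
    inv = {norm_mac(m) for m in inventory}
    unknown = sum(1 for h in observed if norm_mac(h["mac"]) not in inv)
    return unknown / len(observed) if observed else 0.0
```

Run on real data, the same report doubles as the documentation of controls that insurers such as Marsh ask customers to produce.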