Boards of directors and top brass at companies sometimes look at cyber insurance as a way to plug gaps in their security schemes. That’s going to be a lot harder from now on because insurance companies have started tightening up their cybersecurity requirements for initiating and renewing policies.
What’s more, some industry verticals that received a break on their cybersecurity policies because they had lower threat profiles than their peers in other industries are seeing those breaks disappear because of the changing attack landscape.
In the past, when data breaches were considered the top cyber concern, there were industry verticals—like manufacturing, distribution, warehousing, and transportation—that were considered lower risk because they held less personally identifiable information (PII) than other kinds of businesses.
Generally, that’s true for those industries, especially compared to their peers in verticals like healthcare and financial services, which have experienced loads of very costly PII data breaches.
But as the threat landscape changed, the significant discounts given to those PII-light verticals have begun to disappear. Ransomware actors care less about how much PII a company holds (although that, too, is changing) than about how willing the company is to pay to avoid a lengthy business disruption, and a factory or a trucking fleet that can't operate is under just as much pressure to pay as a hospital.
Here's how to get your security controls in order to stay ahead of hardening cyber insurance standards.
Focus on access controls
As the cyber insurance market hardens, insurers are scrutinizing their portfolios and looking for clients whose security controls align with a higher standard. They are asking clients how they ensure that backups remain available (and restorable) in the event of a ransomware incident, and what approaches they use to monitor for threat actor activity.
Another key area of focus is Identity and Access Management (IAM) controls. This year's edition of the Verizon Data Breach Investigations Report found that credentials are the number one data type stolen by threat actors and that credential data was involved in 61 percent of breaches.
As a result of the rising street cred of credentials among hackers, insurers have begun asking more questions about companies' access control schemes.
For example, they want to know to what extent Privileged Access Management (PAM) is being used within the organization’s networks and if a PAM tool is being used on all servers and workstations.
They also want to know the number of users with access to privileged accounts and how many have been integrated into the PAM tool, as well as how many have domain access, server accounts, and persistent privileged accounts.
Insurers are also asking applicants what their process is for decommissioning the accounts of terminated employees, and how quickly it happens.
Insurers also want to know what kind of telemetry an organization has into the use of its privileged access credentials.
They're interested in how many users are in the organization's Domain Administrators group and the number of service accounts in the group.
They're also delving into specifics about the service accounts in the Domain Admins group. For example, they want to know whether each service account actually requires domain administrator entitlements, how broad its footprint is (which hosts it runs on), and whether it logs on to devices other than domain controllers.
And they want to know what types of logons the group's accounts use, and what steps the organization has taken to mitigate the exposure that configuration creates. The concern is credential harvesting: an interactive or service logon by a domain admin account leaves reusable credential material in memory on the target host, so a domain admin that logs on to ordinary member servers hands an attacker who compromises any one of those servers a path to the whole domain.
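The questions above are easy to answer badly from memory and easy to answer well from Active Directory itself. The following PowerShell script is an added example, not code from the article or from any insurer; it enumerates the Domain Admins group recursively, flags the members that look like service accounts, counts stale ones, and then samples the Security log on a few member servers for 4624 logon events by those accounts, classifying each by logon type. It assumes the RSAT ActiveDirectory module, a domain-joined host, read access to the remote Security logs, and it uses placeholder server names (APP01, FILE01), a 90-day staleness threshold, and a simple "has an SPN or a never-expiring password" heuristic for service accounts, all of which are assumptions to adjust for your environment.

```powershell
# Added example (not from the article): audit the Domain Admins group the way an
# insurer's questionnaire asks about it. Assumes the RSAT ActiveDirectory module,
# a domain-joined host, and rights to read the Security log on the sampled servers.
Import-Module ActiveDirectory

$staleDays   = 90                      # assumption: what counts as "stale"
$sampleHosts = @('APP01', 'FILE01')    # placeholder non-DC member servers to sample
$lookbackDays = 30                     # how far back to read 4624 events

# 1. Every user that is a Domain Admin, directly or through nested groups.
$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName -Properties ServicePrincipalName, PasswordNeverExpires, PasswordLastSet, LastLogonDate, Enabled

    # Heuristic (assumption): an account with an SPN or a never-expiring
    # password is almost always a service account rather than a person.
    $hasSpn    = $u.ServicePrincipalName.Count -gt 0
    $isService = $hasSpn -or $u.PasswordNeverExpires

    $pwAge = $null
    if ($u.PasswordLastSet) {
        $pwAge = [int](New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).TotalDays
    }
    $stale = ($null -eq $u.LastLogonDate) -or ($u.LastLogonDate -lt (Get-Date).AddDays(-$staleDays))

    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        Enabled              = $u.Enabled
        LikelyServiceAccount = $isService
        HasSPN               = $hasSpn
        PasswordNeverExpires = $u.PasswordNeverExpires
        PasswordAgeDays      = $pwAge
        LastLogonDate        = $u.LastLogonDate
        Stale                = $stale
    }
}

# Summary numbers that map directly to the questionnaire.
"Domain Admins (recursive)      : {0}" -f @($report).Count
"  likely service accounts      : {0}" -f @($report | Where-Object LikelyServiceAccount).Count
"  stale (no logon in $staleDays days): {0}" -f @($report | Where-Object Stale).Count
$report | Sort-Object LikelyServiceAccount -Descending | Format-Table -AutoSize

# 2. Where do those accounts log on, and how? Logon types 2 (Interactive),
# 4 (Batch), 5 (Service), 7 (Unlock), 10 (RemoteInteractive) and 11
# (CachedInteractive) leave reusable credential material on the target host;
# type 3 (Network) does not. A Domain Admin showing up with one of the former
# on an ordinary member server is the exposure insurers are asking about.
$daNames    = @($report.SamAccountName)
$logonNames = @{ 2='Interactive'; 3='Network'; 4='Batch'; 5='Service'; 7='Unlock';
                 8='NetworkCleartext'; 9='NewCredentials'; 10='RemoteInteractive'; 11='CachedInteractive' }
$cachesCreds = @(2, 4, 5, 7, 10, 11)

$logons = foreach ($h in $sampleHosts) {
    $events = Get-WinEvent -ComputerName $h -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$lookbackDays)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named fields out of the event's XML payload.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($daNames -contains $d['TargetUserName']) {
            $type = [int]$d['LogonType']
            [pscustomobject]@{
                Host        = $h
                Account     = $d['TargetUserName']
                LogonType   = if ($logonNames.ContainsKey($type)) { $logonNames[$type] } else { $type }
                CachesCreds = $cachesCreds -contains $type
                When        = $e.TimeCreated
            }
        }
    }
}

"Domain Admin logons on sampled non-DC hosts (last $lookbackDays days): {0}" -f @($logons).Count
$logons | Where-Object CachesCreds | Sort-Object When -Descending | Format-Table -AutoSize
```

The first table is the answer to "how many, and how many of those are service accounts"; the second is the answer to "where and how do they log on". Any row in the second table is a candidate for remediation: move the workload to a dedicated, least-privilege account, restrict the DA account with a logon-rights GPO (deny interactive and service logon on non-DCs), or put the account in the Protected Users group so its credentials are not cached.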
Multifactor authentication is key
Insurers are also beginning to demand that companies seeking to renew their cybersecurity insurance policies implement multifactor authentication. "MFA is no longer adequate simply for user accounts, but is now a requirement for all endpoints, all privileged accounts and even remote access," Alliance Support Company CTO Paige Francis explained in Forbes.
While not a traditional requirement for cyber insurance renewals and by no means a cybersecurity silver bullet, MFA is a key defense against the threat of compromised passwords. Insurers view it as a best practice, and are starting to ask more questions around MFA when placing or renewing cyber insurance. For example, one insurer's questionnaire stated that an organization must answer yes to all of the following questions concerning MFA:
Is multifactor authentication required for all employees when accessing email through a website or cloud-based service?
Is multifactor authentication required for all remote access to the network provided to employees, contractors, and third party service providers?
In addition to remote access, is multifactor authentication required for the following, including such access provided to third party service providers:
- All internal and remote admin access to directory services (Active Directory, LDAP, etc.);
- All internal and remote admin access to network infrastructure components (switches, routers, firewalls); and
- All internal and remote admin access to the organization’s endpoints/servers.
Please describe any circumstance where MFA is not used and any mitigating controls in place. If MFA is not in place, what is the timeline for full deployment of MFA on all applications?
What percentage of applications are not using MFA?
- Are any of these applications critical?
MFA is no longer a security control just for privileged user accounts, but is now a requirement for all endpoints, critical applications, and all user access. By requiring MFA, cyber insurers can drastically cut their exposure to cyber risk. That's why organizations that want to renew their cyber liability insurance are scrambling to close MFA gaps in their access controls.
At a recent Cybersecurity Summit hosted at the White House, President Biden told insurance executives: “The federal government can’t meet this challenge alone. You have the power, the capacity and the responsibility, I believe, to raise the bar on cybersecurity.”
Are you ready?
Insurers seem ready for the challenge. For example, Resilience, one of four major cyber insurance underwriters at the event, made the following commitment: “Resilience, a cyber insurance provider, will require policyholders to meet a threshold of cybersecurity best practice as a condition of receiving coverage."
"The insurance industry is uniquely positioned to have a mutual stake in the fight against ransomware," it continued. "We want our companies to be stronger, more cyber resilient, when partnered with us. If our clients get hit, the insurance pays that loss. Our client’s cyber risk is our cyber risk.”
Make sure you are on track with your security controls, or you could be exposed.