The rising cost of data breaches, ransomware, and other cyber attacks is driving up cyber insurance premiums and narrowing the coverage carriers are willing to write. That leaves organizations that struggle to find coverage, or that face steep renewal increases, carrying more of the risk themselves.
Some clients of the law firm Akin Gump Strauss Hauer & Feld LLP, for example, reported a three-fold increase in insurance rates, and carriers have made “a huge pullback” on coverage limits over the past two years. Michelle Reed, co-head of the firm's cybersecurity practice, adds, “The reduced coverage amount can no longer shield policyholders from cyber losses. A $10 million policy can end up with a $150,000 limit on cyber frauds.”
The situation is concerning enough that the U.S. Treasury Department recently issued a request for public input on a potential federal cyber-insurance response program. This request comes on top of an assessment led jointly by the Federal Insurance Office (FIO) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to determine “the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response.”
This is a direct result of how cyber attacks have evolved alongside the digital environments they target, and of the way cryptocurrency has made extortion payments easy to collect. On the cybercriminal side, DIY malware kits and Malware-as-a-Service platforms have removed the barrier to entry and made launching complex attacks affordable for would-be criminals with little technical skill.
Cyber insurance policies used to cover only business interruption, data recovery, and infrastructure damage. Today, they are also expected to cover cyber extortion costs, reputational harm, non-compliance fines, and third-party liability, a growing exposure as interconnectivity between organizations keeps expanding.
A cyber-insurance underwriter’s classical tools for pricing a policy are a questionnaire on adherence to best practices and a penetration test. Both are point-in-time snapshots: the questionnaire records what the insured says it does, and the penetration test reflects one team's findings on one date, so neither shows how exposure changes over the life of the policy.
Continuous security validation techniques such as Breach and Attack Simulation, Attack Surface Management, and Threat Exposure Assessment change that picture: they optimize security programs, minimize exposure, and produce quantified KPIs that can be tracked over time. Instead of evaluating the insured party’s threat exposure from a defensive, reactive checklist, they measure the damage attacks would actually cause by exercising techniques across the MITRE ATT&CK matrix of tactics, techniques and procedures (TTPs).
When negotiating with a cyber-insurance underwriter, a company that can present quantified, documented assessments produced with security validation technologies can lead the discussion by demonstrating how it:
An insurance contract could then include elements such as a requirement to correct variance from an agreed-upon baseline within a set time frame, an obligation to share automatically generated assessment reports at regular intervals, or a linkage between the extent of coverage and how closely the insured stays within the agreed baseline.
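To make the "baseline variance within a reasonable time frame" clause concrete, here is an added example (not code from the article or from any vendor's product) of how the insured's side could turn weekly validation results into the kind of report such a contract would call for. It assumes an agreed baseline expressed as a maximum exposure score per ATT&CK technique (0 to 100, lower is better) and a remediation window in days; the technique IDs are real ATT&CK identifiers used only as labels, and every score and date below is constructed for illustration.

```python
from datetime import date
import json

# Constructed, illustrative baseline: the maximum exposure score the insurer and
# the insured agreed per ATT&CK technique (0-100, lower is better). The IDs are
# real ATT&CK technique identifiers used as labels; the scores are invented.
BASELINE = {
    "T1566.001": 10,  # Spearphishing Attachment
    "T1059.001": 15,  # PowerShell
    "T1003.001": 5,   # LSASS Memory
    "T1486": 5,       # Data Encrypted for Impact
}

# Constructed weekly assessment runs, e.g. the output of a BAS platform:
# (run date, technique -> exposure score).
RUNS = [
    (date(2023, 1, 2),  {"T1566.001": 8,  "T1059.001": 12, "T1003.001": 4, "T1486": 3}),
    (date(2023, 1, 9),  {"T1566.001": 9,  "T1059.001": 30, "T1003.001": 4, "T1486": 3}),
    (date(2023, 1, 16), {"T1566.001": 25, "T1059.001": 28, "T1003.001": 4, "T1486": 3}),
    (date(2023, 1, 23), {"T1566.001": 7,  "T1059.001": 27, "T1003.001": 4, "T1486": 3}),
    (date(2023, 1, 30), {"T1566.001": 7,  "T1059.001": 20, "T1003.001": 4, "T1486": 3}),
]


def variance(run_scores, baseline):
    """Return {technique: points above baseline} for every technique that exceeds
    its agreed maximum in a single run. Techniques within baseline are omitted."""
    return {
        t: s - baseline[t]
        for t, s in run_scores.items()
        if t in baseline and s > baseline[t]
    }


def overdue_variances(runs, baseline, grace_days):
    """Walk the runs in date order, tracking when each technique's current
    continuous breach of the baseline began. A run back within baseline resets
    that technique's clock. Return {technique: days in breach} for techniques
    whose breach, as of the latest run, has outlasted the remediation window."""
    ordered = sorted(runs, key=lambda r: r[0])
    first_breach = {}  # technique -> date the current continuous breach started
    for run_date, scores in ordered:
        over = variance(scores, baseline)
        for t in baseline:
            if t in over:
                first_breach.setdefault(t, run_date)
            else:
                first_breach.pop(t, None)  # corrected: remediation clock resets
    latest = ordered[-1][0]
    return {
        t: (latest - started).days
        for t, started in first_breach.items()
        if (latest - started).days > grace_days
    }


def report(runs, baseline, grace_days):
    """Build the shareable summary: current state against baseline, plus any
    technique whose variance was not corrected within the agreed window."""
    latest_date, latest_scores = max(runs, key=lambda r: r[0])
    over = variance(latest_scores, baseline)
    overdue = overdue_variances(runs, baseline, grace_days)
    return {
        "as_of": latest_date.isoformat(),
        "techniques_assessed": len(baseline),
        "within_baseline": sorted(t for t in baseline if t not in over),
        "over_baseline": over,
        "overdue": overdue,
        "compliant": not overdue,  # False if any breach outlived the window
    }


if __name__ == "__main__":
    # 14-day remediation window: T1059.001 has been over baseline since Jan 9.
    print(json.dumps(report(RUNS, BASELINE, grace_days=14), indent=2))
```

The point of the reset in `overdue_variances` is that a contract clause keyed to "corrected within N days" has to distinguish a spike that was fixed (T1566.001 in the sample data, over baseline for one run and back the next) from a drift that is still open (T1059.001, which improved but never returned within the agreed maximum and is therefore the only finding that counts against the insured).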
Security validation is also becoming an accepted route to compliance with regulations such as the recent PCI DSS v4.0 update. Incorporating it into cyber-insurance underwriting could go a long way toward addressing the current state of the market, and it would shore up the cyber-resilience of insured organizations, which would gain an additional incentive to adopt such a proactive approach in their environments.
** Note —** This article was written and contributed by Andrew Barnett, chief strategy officer at Cymulate.