As the average cost of a data breach reaches a record high of $4.24 million, one successful zero-day exploit or ransomware attack has the potential to take down a business completely. Having cyber insurance, or cyber liability insurance coverage (CLIC), in place is an integral piece of a proactive risk mitigation strategy. And while it can’t protect your organization’s most valuable data and systems, a cyber insurance policy can help minimize post-incident business disruption, speed recovery efforts and curb related costs to your organization — and in some cases, impacted partners and customers downstream.
Cyber Insurance: A Hefty Price Tag for Peace of Mind and a “Sure Thing” No Longer
During the unprecedented year that was 2020, the number of enterprises electing to adopt new cyber insurance policies nearly doubled from 26% to 47%, according to the U.S. Government Accountability Office (GAO). It only takes a handful of high-profile attacks to wipe out the billions generated via premiums by cyber insurance companies, as payouts for the attacks have been so extortionately high that providers have undergone massive direct-loss ratios for standalone policies. As pandemic-driven cyber risks persist, demand continues to grow.
In response to these market changes, insurance premiums have risen sharply across the board. Underwriting standards, policy terms and payout conditions are also getting much stricter — in some cases, limits are being slashed in half. Last month, Reuters reported that AIG has increased its pricing by nearly 40% globally, while implementing tighter terms to address increasing cyber loss trends.
Feeling the strain, some insurance brokers are refusing coverage altogether. After filling out a policy application or annual renewal questionnaire — once relatively easy steps to take — some organizations are being turned away flat out. The ones that are not turned away are seeing much more stringent pre-audit requirements, demanding for a stronger security posture both in terms of controls, as well as incident response plans. The inability to meet these new requirements can result in increased rates of up to 300%. Unless these organizations make immediate changes to step up their security controls — often within a 60-day window — they risk losing their existing coverage completely. The urgent need to roll out controls and demonstrate risk reduction quickly is driving many organizations to explore SaaS-delivered security solutions that provide rapid time-to-value.
Be Prepared: What to Expect When Applying for Cyber Insurance
Since the cyber insurance landscape is changing so rapidly, it’s important to understand the latest requirements and enter the process with eyes wide open. Here are some things you can expect, along with steps you can take to maximize coverage and minimize costs.
Whether your organization is considering cyber insurance for the first time or is up for a policy renewal, you’ll have to fill out a questionnaire about your existing cybersecurity tools, controls and processes. Your organization’s ultimate evaluation “score” helps the insurance broker quantify your level of risk and overall security posture. It’s a lot like buying health insurance: the “healthier” you are, the lower your rate is likely to be.
While each insurance broker’s evaluation process differs, there are certain security controls that are almost always required for an organization to obtain, and keep, cyber insurance coverage.
Such mandates often involve Identity and Access Management (IAM) controls and best practices in alignment with industry standards put forth by the Center for Internet Security, CISA and others.
For example, since many of today’s most damaging attacks stem from compromised privileged credentials, most carriers require Privileged Access Management (PAM) controls to protect privileged accounts — those that unlock access to high-value systems and data. Least privilege controls, for instance, may be required to strengthen ransomware defenses, protect sensitive data in cloud environments and address compliance concerns.
Insurers also want assurance that multi-factor authentication (MFA) is being utilized to bolster security and authenticate administrative access to those privileged accounts. Recent attacks have shown that if your authentication systems are protected by passwords alone, it’s not a question of if you’ll be compromised, but when. Failure to implement MFA elevates your risk level, and in turn, your premium rates. And in the age of hybrid work, insurers’ MFA requirements are extending to remote network access and remote email access as well. They are also increasing security requirements around privileged access for third-party vendors to minimize supply chain risk.
Leading Insurers Recognize CyberArk for Ability to Effectively Reduce Cybersecurity Risk
The insurance industry will continuously improve its approach to addressing the systemic nature of cyber risk. As part of this, insurers are coming together help their customers navigate the cybersecurity marketplace and implement more effective tools and processes.
The Cyber CatalystSM program, created by Marsh, a global leader in insurance broking and risk management, this year recognized CyberArk for its ability to effectively reduce cybersecurity risk. CyberArk was the only Privileged Access Management vendor to receive this distinction — further validating the importance of PAM to an overall cybersecurity strategy, along with our security-first approach to delivering integrated authentication, authorization, access and audit along every step of the Identity Security lifecycle.
The program’s rigorous evaluation process involved participating insurers assessing the ability of cybersecurity solutions to address prominent risks including ransomware, supply chain and vendor management, cloud migration and management, social engineering, and privacy regulation and data management. In their evaluation of the CyberArk Identity Security Platform, the insurers had this to say:
- “One of the best identity access management solutions and timely, given emerging regulatory concerns regarding visibility of data. Helps meet the requirement for improved control and oversight of access to data based on user role.”
- “A comprehensive solution for privilege access management and simplifies the local admin access problem. Targets the key ways attacks happen and looks closely at unauthorized actions, rather than standard indicators of compromise.”
Privileged Access Management remains at the heart of a successful cybersecurity strategy, offering organizations the peace of mind that their most critical assets are protected.
Our industry-leading SaaS-delivered solutions can help your organization jump-start privilege-related risk reduction and realize rapid time-to-value. And if you’re currently focused on a “sprint” to close security gaps within the 60 period to get — or keep — a cyber insurance policy, the CyberArk Blueprint outlines practical steps for implementing controls that help address the most urgent requirements in the shortest time possible. Adhering to incident response best practices recommended by leading authorities, this framework is designed to defend against three common moves nearly every attacker makes to steal data and disrupt systems and secure access to the most frequently targeted privileged accounts and identities.
Have specific questions or concerns about meeting cyber insurance requirements? Get in touch to learn how our team can help you prepare, potentially save on premiums, reduce risk and securely move your business forward.