The rise of ransomware is having an impact on many aspects of business, which includes cyber insurance. As discussed in a recent blog by Anil Bamzai, Identity’s Role in Address Ransomware Attacks, identity-based security can be a key component in minimizing the negative consequences of these attacks.
Insurers in 2020 began experiencing significant losses due to cybersecurity attacks. A “perfect storm” that led to an increase in total losses, an increase in the number of losses, and an increase in the number of organizations that took out cyber insurance policies. As the number of ransomware attacks went up, the number of organizations interested in purchasing ransomware insurance increased.
At that point, the easy decision for insurers to make was to raise premiums. The amount of the premiums would need to be raised to compensate for the cost of attacks in the current year, as well as predicted attacks in the future.
However, insurers realize that raising premiums is not the only lever that can be pulled. Eventually, the premiums will be so high that it won't be worth it for organizations to purchase coverage. An alternative to raising premiums would be to get involved in helping customers put in place a framework that helps prevent cyberattacks from happening in the first place.
While there is no shortage of established security frameworks, through examination of the most impactful attacks in recent memory and with supporting research from the Identity Defined Security Alliance (IDSA)—79% of organizations have suffered an identity-related attack in the past two years—cyber insurers are adopting identity-focused frameworks.
Policies for cyber insurance are now being written more clearly. They are providing guidance to clients about the identity security-focused steps they need to take to better protect themselves against costly attacks—for example, taking proactive steps such as implementing multi-factor authentication (MFA) for all, including employees, customers, and privileged accounts, removing administrative rights by adopting the principle of least privilege (security outcomes published by the IDSA), and protecting data backups.
These requirements are expected to help decrease the impact of ransomware attacks or prevent them entirely, which will help keep losses—and premiums—from continually rising and will represent change for organizations looking to get cyber insurance coverage. Taking out a policy used to be a matter of providing some basic information and then getting the policy. Now it’s going to include these additional requirements.
And the process is no longer a matter of checking off boxes for which security outcomes are in place. Clients can expect to meet with underwriters who need assurances that requirements are being met. Perhaps a certain identity-related outcome is not in place at that moment but is planned for deployment soon.
In short, the client organization and the underwriter will work together to make sure the organization has everything it needs in place to protect itself against attacks that lead to ransomware and other cybersecurity threats. The goal is to put in place foundational security controls that mitigate risks that do not affect operational efficiency, and the process will be guided by three key questions:
- Are we providing sufficient security mechanisms that demonstrate measurable risk reduction?
- Can we ensure that these mechanisms will not take anything away from an operational standpoint or change users’ workflow?
- Can we now be compliant not only with cybersecurity insurance requirements but with other regulations as they go forward?
Organizations can work directly with their cybersecurity insurance carrier, as well as their technology vendors, to develop a plan to make sure the answer is “yes” to each of these questions.
Many organizations will find that it makes far more sense to bolster their security programs than to leave well enough alone and count on insurance claims in the event of a ransomware or other attack. Payouts for cyber damages were much quicker and less complex in the past than they are today.
Now, these incidents are much more highly scrutinized. Insurers are more thorough in examining what is covered and what is not. They devote more time and resources to analyzing the incident itself and how prepared the client was to defend itself. That means it takes more time for the client to find out whether or not damages are covered.
For sure, organizations need to do much more than they are doing to protect themselves against identity-related attacks that lead to ransomware and other threats. The rise in these attacks and the dramatic increase in payouts have changed the cybersecurity insurance market. It might be increasingly difficult to get cyber coverage in the future because of the changing threat landscape.
CISOs and other security executives, as well as their technology and business colleagues, need to keep this in mind as they formulate strategies to enhance their cybersecurity programs to be identity-focused.There is an upside to what's going on with cybersecurity insurance. It’s serving as a clarion call for organizations to shore up their identity security foundation. The cost of cybersecurity losses continues to rise, and what better time to stop and evaluate where security organizations are in terms of readiness and make improvements where needed.