Cyber Insurance Requirements: The Next Frontier

Cyber insurance buyers can expect stricter underwriting standards in the face of evolving cyberattacks. Cybercriminals are bypassing existing layers of security using advanced tactics and continuously adapting their techniques. At the same time, they are launching increasingly sophisticated cyberattacks to advance their strategic priorities, according to Microsoft’s 2022 Digital Defense Report.

Why it matters: Many companies are still navigating the last wave of insurer requirements, but they must adapt to changing requirements to avoid punitive terms in the future. Cyber insurers expect companies to demonstrate continual improvement and investment in security to protect against this dynamic digital threat. Carriers will be asking more detailed questions about each company’s security controls and how they are used to protect the enterprise.

7 Ways to Boost Cybersecurity Controls

These seven controls are best practices to help bolster companies’ cybersecurity and to effectively differentiate their risk to cyber insurers:

1. Phishing-Resistant Multifactor Authentication (MFA)

Not all forms of MFA are created equal, and attackers are exploiting the weaker versions. Companies ought to implement phishing-resistant forms, according to the Cybersecurity & Infrastructure Security Agency’s October 2022 guidance. In line with CISA guidance, insurers are favoring stronger authentication technologies, such as hardware tokens and smartphone apps, over SMS, email, or voice-based MFA. Insurers will also expect additional MFA protections, such as limiting the number of attempts and features like Microsoft’s “number matching.”

2. Expanded Privileged Access Protections

Previously, insurers only required a privileged access account to be separate from a user’s standard login, MFA to access, and logging of all account activity. Going forward, insurers are also expecting companies to:

• Know what privileged accounts they have
• Restrict privileged rights for users and service accounts wherever possible
• Use password vaulting with check-in/check-out procedures
• Leverage automated password rotation after each use

3. Frequent Security Awareness Training

User behavior remains a critical part of information security. Cyber insurers are expecting more than one annual security awareness webinar to train and educate users on cyber threats, such as monthly or quarterly assessments and training. Companies should also curate the content for their users and provide access to on-demand resources for continued learning.

4. Rapid Patching for Critical Vulnerabilities

Companies have been expected to maintain a formalized patch management program, but insurers are expecting an accelerated response as software exploitation attacks continue. Companies must be capable of deploying patches for zero-day vulnerabilities within 24 or 72 hours, even on holidays and weekends.

5. Extended Detection and Response (XDR)

Endpoint detection and response (EDR) allows companies to analyze, observe, and quickly contain threats on their endpoints before they spread. Insurers are beginning to expect the use of extended detection and response (XDR) tools, which can expand EDR capabilities beyond endpoints to the entire security infrastructure (e.g., cloud, mobile devices, and third-party data) and provide accelerated investigation and threat analysis.

6. 24/7/365 Security Monitoring

Rapid response is critical to minimizing the impact of a security event. Companies must have continuous security monitoring coverage, which for smaller security teams may mean leveraging outsourced security operations center (SOC) teams. SOC teams should be leveraging security information and event management (SIEM) solutions to collect and analyze event log data to enhance their visibility and effectiveness.

7. Isolated and Immutable Backups

Immutable backups are backup files that cannot be altered in any way, even by administrators seeking to modify or delete data. Isolated and immutable backups are an effective recovery tool to mitigate the impact of a ransomware attack that compromises production systems. Many companies set an immutability period for their backups—such as a minimum of seven days before the backups can be changed or altered.

What If We Don’t Have These Controls in Place Today?

Companies that don't have these controls in place should evaluate what compensating controls they do have in place to manage these different areas of risk and communicate this to their carriers. Cyber insurers recognize that each company’s cybersecurity program is dynamic, and that new tools and processes require budget, headcount, and time to implement. It’s just as important to inform cyber insurers about where your program is heading as it is to describe where it is today.

Cyber insurance buyers may feel that cybersecurity requirements are like a moving target. Unfortunately, the risk is ever-changing, which forces security professionals and insurers to regularly reevaluate what is an effective defense.

For more insights into cyber insurance coverage, be sure to check out these Woodruff Sawyer resources:

• Cyber Liability Insurance Buying Guide
• Cyber 101: Understand the Basics of Cyber Liability Insurance
• 6 Things Underwriters Look for in Your Ransomware Protection