How To Evaluate Your Organization’s Cyber Insurance Risk Profile


In the face of increasingly frequent and severe cyber attacks, organizations with strong cybersecurity maturity are working hard to manage and mitigate their risk, while recognizing that these efforts may no longer be enough.

Today, more organizations are investing in a cyber insurance policy to help build business resilience if a major cyber incident impacts their operations. In the twelve months between 2021 and 2022, for example, direct written premiums increased 47.6%, to $9.7 billion USD, according to the National Association of Insurance Commissioners. Like other kinds of liability insurance, cyber insurance is a way for organizations to transfer part of their risk over to an insurance carrier in the event of a cyber incident or breach. Depending on the policy, the carrier may cover costs related to remediation, negotiation and payments of ransoms, or damages associated with stolen or leaked data.

However, as more organizations seek policies, insurers have begun to increase their underwriting requirements, meaning IT and security leaders must increase internal resources and coordination to decode the new coverage requirements and controls being instituted by these insurance providers.

Making sense of these shifting requirements can be a tall order for often overtaxed and understaffed security teams, and it can be even more of a challenge to understand the proactive solutions they need to put in place in order to secure the most comprehensive coverage at the lowest possible premium. However, through our extensive partnerships with leading cyber insurance providers, Arctic Wolf has gained insights into the risk categories underwriters slot organizations into, and the controls insurance companies consider when organizations apply for coverage.

We’ve identified three major risk profiles that cyber insurers slot organizations into, which we’ve dubbed:

  • Basic
  • Premium
  • Elite

Slotting into any of these three risk profiles grants an organization access to a cyber insurance policy. However, the policy available to someone in the elite profile tier will provide more comprehensive coverage and a lower policy premium than the policy available to an organization in the basic profile tier.

Cyber insurance providers often put applying organizations into three risk buckets

But just what elements are being evaluated when cyber insurers decide on an organization’s cyber risk profile?

The major evaluation occurs when looking at an organization’s security controls — the tools, technology, solutions, and staffing dedicated to proactive and reactive cybersecurity. As more organizations seek policies, and as the rate and cost of attacks continue to climb, insurers are expecting more from organizations seeking coverage. They want to see robust efforts being made to protect data, rather than simply relying on insurance to step in and clean up the inevitable mess.

Let’s take a closer look at some of the controls underwriters expect to see in each of the three risk profiles, what these controls do, and how organizations can optimize and operationalize them most effectively to not only secure a strong cyber insurance policy, but proactively harden their environments.

Basic Tier: The Core Controls

Organizations in this risk profile tier have advanced far enough along their security journey to implement what have now come to be seen as table stakes security controls in the modern threat landscape:

Multi-factor Authentication
Multi-factor authentication (MFA) is a form of access control that acts as an additional security measure on top of a user login. It requires two or more verification factors before a user can gain access to an application or network. The factors are usually drawn from something you are, something you know, and something you have. MFA adds a layer of protection to access, which is one of the main parts of access and identity security. However, while MFA is one major piece of the identity security puzzle, it’s not enough on its own.

Patch Management
Patching is one part of vulnerability management, and having a regular patching process in place can make a major difference in your cybersecurity architecture, reducing the risk of a breach. However, the reality is you can’t patch every vulnerability that appears, and a large share of cyber attacks come from other attack vectors like social engineering, misconfigurations, and compromised credentials, meaning that patch management is an essential aspect of strong cybersecurity, but not a silver bullet.

Systems and Database Backups
It is essential to perform, maintain, and test backups of important data, software, and configuration settings — not only for cyber insurability, but as a cybersecurity best practice. By conducting this activity regularly, you give your organization confidence in its ability to preserve critical business information and intellectual property while minimizing business disruptions. In the case of a data breach or system compromise, it may be necessary to recover critical information from a backup to an agreed point of restoration. And underwriters want to see you’re proactively protecting the data you’re asking them to insure.

Additional controls underwriters will likely expect to see in an organization looking to gain entry to the basic risk profile tier are:

  • A vulnerability management program that regularly eliminates critical-severity vulnerabilities from your environment
  • An incident response plan that includes a strategy for how to respond to early stages of an incident, and identifies a response team as well as stakeholders and their roles

Premium Tier: Addressing Human Risk

Insurers are looking at two key things when they review an organization’s existing security controls: how the technology will reduce the frequency of an attack and, more importantly, how that technology will reduce the severity of an attack.

Controls in the premium tier begin to move beyond defending your data and restricting access to your environment — the core controls that comprise any defensive security posture in the modern age. When underwriters are considering organizations for this risk profile, they want to see that proactive efforts are being made to not just defend against attacks but stop them from occurring in the first place.

Endpoint Detection and Response (EDR)
Developed to overcome the limitations of antivirus, the original endpoint security tool, endpoint detection and response (EDR) records critical activity like process executions, command line activity, running services, network connections, and file manipulation on endpoints to observe behaviors and flag suspicious ones that fall outside normal behavior. However, identity-based attacks have taken hold in the modern world of the cloud and hybrid work models. And, while it is true that every cyber attack will eventually end up on an endpoint, we no longer live in a world where they all begin there, making EDR a valuable, but incomplete, solution for protecting your entire environment.

Vulnerability Management
Vulnerabilities fall into four main categories — network, operating system, process, and human — and are classified based on how severe a threat they could pose to an organization. Because every organization has different security and business needs that can change, the goal with vulnerability management should not be to eliminate every possible vulnerability, but to take a risk-based approach that reduces risk over time.

Employee Security Training
Security awareness training is a standardized process that provides employees, contractors, and vendors with cybersecurity education. It is designed to prepare users to recognize and neutralize social engineering attacks and human error. Security awareness training is a core pillar of proactive security operations, with the goal of changing behavior through education and reducing the risk of identity-based attacks like phishing or other forms of social engineering.

Additional controls underwriters will likely expect to see in an organization looking to gain entry to the premium risk profile tier are:

  • Privileged access management (PAM), which comprises the processes and technologies used to secure privileged accounts and access, as well as the monitoring of access to these privileged accounts by users.
  • Additional remote access controls beyond MFA that protect user credentials and activity, such as a single sign-on (SSO) solution or a virtual private network (VPN).

Elite Tier: 24×7 Comprehensive Proactive Protection

To earn the elite risk profile — and, in turn, the most comprehensive policies and affordable premiums — organizations need to go even further, investing in 24×7 monitoring, detection, and response for their entire environment, as well as active engagement with an incident response provider who can mitigate the damage and cost of a cyber attack.

Managed Detection and Response (MDR)
MDR supplies managed log aggregation, continuous monitoring of multiple sources, including endpoint, network, cloud, and identity, and threat triaging, as well as 24×7 access to a skilled security team. The MDR approach provides threat detection and associated response actions as a managed service. Some MDR solutions are more product-focused, where managed services are offered on top of tools. Others are service-focused, offering detection and monitoring of the existing security stack. The main differentiator for MDR is the human element, which provides 24×7 monitoring with a human team that can respond to potential threats as they occur.

Threat Intelligence Services
Threat intelligence allows organizations to understand threat risks, current or perceived, by providing security and operational insights that can inform short-term and long-term decision making. On one end of the spectrum, threat intelligence can help an organization determine what tools and security operations to invest in, how to staff their IT department, and how cybersecurity fits into their business operation goals. On the other end of the spectrum, if a breach occurs, threat intelligence can help the IT staff act quickly and effectively, as well as help in restoration and remediation.

Incident Response Engagement
In evaluating an organization’s risk profile, insurers take a good amount of solace in knowing that the business has fast access to a team of response and remediation experts who can help with everything from backup restoration to digital forensics to threat actor negotiations, if needed. This kind of full-featured incident response mitigates the damage, and therefore mitigates the cost the insurer may be asked to cover. Because of this, if an organization has IR services on retainer, they just might find themselves in the elite risk bucket, with access to the best policies and premiums available.

Additional controls underwriters will likely expect to see in an organization looking to gain entry to the elite risk profile tier are:

  • Centralized log monitoring, which allows for in-depth correlation and contextualization of security source logs from across your entire environment, bringing a holistic approach to threat detection, response, and recovery
  • Email and web filtering, which scans inbound and outbound email and web traffic to sort the good from the bad, and block the bad

As more organizations seek policies, and as the rate and cost of attacks continue to climb, insurers are expecting more from organizations seeking coverage. They want to see robust efforts being made to protect data, rather than simply relying on insurance to step in and clean up the inevitable mess. Organizations need to determine which risk profile tier they wish to slot into and then begin the work to install, optimize, and consistently manage the solutions that match that tier so they can secure the most robust coverage possible at the lowest cost.

Discover how coverage is evolving with the current cyber threat landscape and get insurance insights directly from cybersecurity leaders in The Cyber Insurance Outlook.

Download our Best Practices for Cyber Insurance data sheet and learn the most common controls insurers are looking for, and the five first steps you can take on your way to getting the best policy possible.

Arctic Wolf


Arctic Wolf provides your team with 24x7 coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.