The rise in the costs of data breaches, ransomware, and other cyber attacks leads to rising cyber insurance premiums and more limited cyber insurance coverage. This cyber insurance situation increases risks for organizations struggling to find coverage or facing steep increases.
Some clients of the law firm Akin Gump Strauss Hauer & Feld LLP, for example, reported a three-fold increase in insurance rates, and carriers have made "a huge pullback" on coverage limits in the past two years. The firm's cybersecurity practice co-head, Michelle Reed, adds, "The reduced coverage amount can no longer shield policyholders from cyber losses. A $10 million policy can end up with a $150,000 limit on cyber frauds."
The cyber-insurance situation is so concerning that the U.S. Treasury Department recently issued a request for public input on a potential federal cyber-insurance response program. This request is in addition to the assessment led conjointly by the Federal Insurance Office (FIO) and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) to determine "the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response."
This is a direct result of the evolution of cyber-attacks, which mirrors the evolution of digital environments and the way cryptocurrency facilitates crime. On the cybercriminal side, DIY malware kits and Malware-as-a-Service platforms have removed the barrier to entry and made launching complex attacks affordable for would-be criminals with little technical skill.
Cyber insurance used to cover only business interruption, data recovery, and infrastructure damage. Today, policies are also expected to cover cyber extortion costs, reputational risks, non-compliance fines, and third-party liability risks, a growing field as interconnectivity between organizations keeps expanding.
A cyber-insurance underwriter's classic tools for evaluating premiums are assessments of adherence to best practices and penetration testing. However, the limits inherent to these approaches are problematic on multiple levels.
- Limits of best-practices-based evaluation:
  - Not all best practices are relevant to every organization.
  - Even adherence to best practices provides limited protection.
  - Some best practices, such as comprehensive patching, are unattainable. Even limiting patching to vulnerabilities with a CVSS score above 9 is unrealistic: of the 20184 new vulnerabilities uncovered in 2021, 1165 scored above 9.
- Limits of penetration testing:
  - The validity of the results depends on the tester's ability and tooling.
  - It is not continuous. As a point-in-time test, it provides a snapshot of the organization at a single moment: agile development, emerging threats, and interconnectedness limit how long a penetration test's results stay relevant.
Continuous security validation techniques such as Breach and Attack Simulation, Attack Surface Management, and Threat Exposure Assessment are game changers: they optimize security programs, minimize exposure, and provide quantified KPIs that can be monitored over time. Evaluating the insured party's threat exposure then shifts from a defensive, reactive perspective toward assessing the actual damage attacks would cause across the entire MITRE ATT&CK matrix of tactics, techniques, and procedures (TTPs).
When negotiating with a cyber-insurance underwriter, a company that can provide quantified, documented assessments performed with security validation technologies can lead the discussion by demonstrating how it:
- Reduces risks beyond best practices – Comprehensive assessments measure the security posture of the organization based on its actual resilience to attacks instead of a theoretical projection of the security obtained through adherence to best practices.
- Quantifies risk – Quantified risk scores, based on the percentage of attack emulations detected and prevented by the defensive tool stack, provide an instantaneous evaluation of actual cyber-defense efficacy. Advanced security validation technologies include full kill-chain assessments and lateral-movement capabilities that provide an exact measure of the extent of the damage a successful breach would achieve.
- Prevents security drift – As attack simulation automation enables continuous re-assessment of in-context resilience, security gaps resulting from new deployments or emerging threats are flagged without delay and can be addressed before jeopardizing the security posture.
- Opens new cyber-insurance underwriting avenues – The continuous nature of security validation can be leveraged to define the post-binding phases of a policy. Offering continuous or periodic re-evaluation of the security posture, as determined by the security score, to measure its evolution over time gives the insured party valid negotiation ammunition.
An insurance contract could include elements such as a requirement to correct variance from agreed-upon baselines within a reasonable time frame, an obligation to regularly share automatically generated assessment reports, or a link between the extent of coverage and staying within the agreed baseline variance.
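The scoring and contract mechanics described above can be made concrete with a small worked example. The following Python is an added illustration, not code from the article or from Cymulate's products: it assumes a simple record format for attack-emulation results (tactic, technique label, detected/prevented flags), a constructed set of agreed baseline prevention rates per ATT&CK tactic, a tolerance of five points, and a contractual remediation window expressed in days. All sample data is constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample output of one attack-simulation run (not real tool output).
# Each record: the ATT&CK tactic exercised, a technique label, and whether the
# defensive stack detected (alerted on) and prevented (blocked) the emulation.
SIMULATION_RUN = [
    {"tactic": "Initial Access",   "technique": "phishing attachment", "detected": True,  "prevented": True},
    {"tactic": "Initial Access",   "technique": "drive-by download",   "detected": True,  "prevented": False},
    {"tactic": "Execution",        "technique": "script interpreter",  "detected": True,  "prevented": True},
    {"tactic": "Execution",        "technique": "scheduled task",      "detected": False, "prevented": False},
    {"tactic": "Lateral Movement", "technique": "remote service",      "detected": True,  "prevented": False},
    {"tactic": "Lateral Movement", "technique": "pass-the-hash",       "detected": False, "prevented": False},
    {"tactic": "Impact",           "technique": "data encrypted",      "detected": True,  "prevented": True},
    {"tactic": "Impact",           "technique": "inhibit recovery",    "detected": True,  "prevented": True},
]

# Constructed "agreed-upon baseline": minimum prevention rate (percent) per
# tactic that the insured committed to in the policy. Hypothetical values.
AGREED_BASELINE = {
    "Initial Access": 50.0,
    "Execution": 75.0,
    "Lateral Movement": 50.0,
    "Impact": 100.0,
}


def score_by_tactic(results):
    """Per-tactic detection and prevention rates, as percentages.

    Returns {tactic: {"runs": n, "detected": pct, "prevented": pct}}.
    """
    buckets = defaultdict(lambda: {"runs": 0, "detected": 0, "prevented": 0})
    for r in results:
        b = buckets[r["tactic"]]
        b["runs"] += 1
        b["detected"] += int(r["detected"])
        b["prevented"] += int(r["prevented"])
    return {
        tactic: {
            "runs": b["runs"],
            "detected": round(100.0 * b["detected"] / b["runs"], 1),
            "prevented": round(100.0 * b["prevented"] / b["runs"], 1),
        }
        for tactic, b in buckets.items()
    }


def overall_score(results):
    """Single security score: share of all emulations that were prevented (0-100)."""
    if not results:
        return 0.0
    return round(100.0 * sum(int(r["prevented"]) for r in results) / len(results), 1)


def drift_report(current, baseline, flagged_on, window_days, tolerance=5.0):
    """Flag tactics whose prevention rate fell more than `tolerance` points
    below the agreed baseline (security drift), and attach the contractual
    remediation deadline (flagged_on + window_days, ISO date strings).

    A tactic present in the baseline but absent from the current run counts as
    0% prevented: no evidence that the control still works.
    """
    deadline = (date.fromisoformat(flagged_on) + timedelta(days=window_days)).isoformat()
    findings = []
    for tactic, agreed in sorted(baseline.items()):
        now = current.get(tactic, {}).get("prevented", 0.0)
        if now < agreed - tolerance:
            findings.append({
                "tactic": tactic,
                "baseline": agreed,
                "current": now,
                "variance": round(agreed - now, 1),
                "remediate_by": deadline,
            })
    return findings


if __name__ == "__main__":
    scores = score_by_tactic(SIMULATION_RUN)
    for tactic, s in scores.items():
        print(f"{tactic:16s} detected {s['detected']:5.1f}%  prevented {s['prevented']:5.1f}%")
    print("overall score:", overall_score(SIMULATION_RUN))
    # Flagged on a constructed assessment date with a 30-day remediation window.
    for f in drift_report(scores, AGREED_BASELINE, "2022-11-01", 30):
        print(f"DRIFT {f['tactic']}: {f['current']}% vs baseline {f['baseline']}% "
              f"(variance {f['variance']} pts), remediate by {f['remediate_by']}")
```

Running the script with the constructed data yields a 50% overall score and flags Execution and Lateral Movement as having drifted below baseline, each with a remediation date one month after the assessment. The same functions applied to each periodic run give the time series of scores and variances that the article proposes sharing with the underwriter.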
Security validation is becoming a recognized route to compliance with regulations such as the recent PCI DSS v4.0 update. Incorporating security validation in cyber-insurance underwriting processes could go a long way toward addressing the current cyber-insurance situation and shoring up the cyber-resilience of organizations, which would have an additional incentive to implement such a proactive approach in their environments.
Note — This article is written and contributed by Andrew Barnett, chief strategy officer at Cymulate.