Is it Time to Update Your Cyber Insurance Strategy?

If anything, 2020 was about preparing for – well, everything. This includes cyberthreats, which have risen sharply in the pandemic era. In 2021, rethinking your cyber insurance strategy should be a top priority for CISOs and executive leadership.

The elevated risk landscape is driving growing demand for cyber insurance: Nearly four out of five organizations have acquired coverage – up from 34 percent in 2011 – to protect themselves from these threats, which inevitably prove costly. The FBI cites $3.5 billion in cybercrime losses reported in 2019, before COVID-19.

This is a staggering figure, but one that could easily increase when 2020 data is compiled, taking into account the intrusions, data exposure and other fallout from organizations’ rapid shift to remote work on the fly. Importantly, the cost of incidents includes many nested issues – from immediate business disruptions caused by destroyed or ransomed files, to the ongoing costs of rebuilding IT assets, loss of intellectual property, negative publicity and potential regulatory fines or litigation. These consequences are in addition to the fallout from breaches of major software, security and IT infrastructure providers that, in essence, provide deep pathways into government and enterprise environments.

Businesses have faced similarly complex issues with nested, wide-ranging impacts – like factory fires, natural disasters or product recalls – for years. Yet, unlike hard-hat safety sweeps of factory floors, or forecasting patterns from decades of meteorological data, cybersecurity risk can be difficult to conceptualize and measure, with many factors often overlooked as businesses rapidly evolve and executives summon various legal, operations and board stakeholders for policy discussions. For its part, cyber insurance is a relative newcomer to its industry, and is still evolving in terms of what is and is not covered, and how to reduce risk so as to limit incidents and losses, lowering claims for carriers and premiums for customers.

With this in mind, and based on conversations with risk professionals, here are four lessons learned about threats and cyber insurance in 2020 that can help chief information security officers (CISOs) and their organizations make informed, cost-effective decisions moving forward.

Cyber Insurance is a Double-Edged Sword

Coverage can simultaneously be necessary for – and encourage – cyberattacks.

It’s an unfortunate, but unavoidable, outcome of widespread cyber insurance coverage: Cybercriminals assume that, if a company they attack is insured, the victim will get paid. So it’s not surprising that ransomware has emerged as the most common cybersecurity incident cited in reported claims (41%) and the average ransom demand has increased from an estimated $230,000 in the first quarter of 2020 to nearly $339,000, according to research from Coalition, a top cyber insurance provider. In our team’s experience, it is common for ransomware demands to reach into the millions of dollars. Coalition ranks fund transfer fraud #2 at 27 percent and email compromises #3 at 19 percent, in comparison.

Investigators are even seeing scenarios where criminals are compromising companies, obtaining their insurance coverage information as part of their vulnerability assessment, and then aligning their ransomware demands to the policy details. By doing so, criminals reason, they increase the probability of payment, since the victim knows their insurer will ultimately pay for the ransom.

Outsmarting Ransomware Attacks

Beating ransomware to the “tipping point” helps keep risk (and ideally, premiums) manageable.

Of course, organizations have layered security controls, but cyber insurance equations focus on what happens when these are inevitably defeated or bypassed. How would you spot an intrusion, and regain the upper hand against laterally-moving malware stealing, wiping or ransoming files? The alternative is an attacker reaching your most sensitive data, and the systems that sit at the crossroads of access control, credentials and system administration. When the latter are compromised, incidents can rapidly cascade out of control, putting victims in the uncomfortable position of having to contemplate paying ransoms or moving forward without irreplaceable data.

No two organizations are the same, but our experience shows that domain controllers are the crucial high ground to defend and hold. Your domain controller acts as the enterprise gatekeeper for security authentication requests, and allows network and user account access. In our research, we’ve found that up to 99 percent of large-scale ransomware events spread through domain controllers. Therefore, it makes good business sense to invest in continuous monitoring, penetration testing and vulnerability scanning of the domain controller environment to thwart these attacks. Such initiatives will lessen, if not entirely eliminate, ransomware incidents and, in turn, lower insurance premiums.
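To make "continuous monitoring of the domain controller environment" concrete, the following is an added example (not code from the article or from Pondurance) of two simple detection rules run over domain-controller Security log records. The records, host names, account names and IP addresses are constructed for illustration; the allow-list of known administrators is a hypothetical input a defender would maintain. Rule 1 flags an administrative logon (Windows event 4672, special privileges assigned) by an account that is not an approved domain admin; rule 2 flags one source address authenticating to the domain controller as several distinct accounts within a short window, the kind of pattern seen when malware spreads through a domain controller.

```python
"""Added example: two detection rules over constructed domain-controller Security events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the shape of Windows Security log fields.
# 4624 = successful logon (logon_type 3 = network logon), 4672 = special
# privileges assigned to a new logon (an administrative logon).
# All hosts, accounts and IPs are hypothetical.
SAMPLE_EVENTS = [
    {"ts": "2021-01-12T02:14:00", "event_id": 4624, "logon_type": 3, "account": "ADMIN\\jsmith",    "src_ip": "10.0.1.10", "host": "DC01"},
    {"ts": "2021-01-12T02:14:05", "event_id": 4672,                  "account": "ADMIN\\jsmith",    "src_ip": "10.0.1.10", "host": "DC01"},
    {"ts": "2021-01-12T02:15:40", "event_id": 4672,                  "account": "ADMIN\\svc-print", "src_ip": "10.0.7.55", "host": "DC01"},
    {"ts": "2021-01-12T02:16:01", "event_id": 4624, "logon_type": 3, "account": "CORP\\alice",      "src_ip": "10.0.7.55", "host": "DC01"},
    {"ts": "2021-01-12T02:16:30", "event_id": 4624, "logon_type": 3, "account": "CORP\\dave",       "src_ip": "10.0.7.55", "host": "DC01"},
    {"ts": "2021-01-12T02:17:12", "event_id": 4624, "logon_type": 3, "account": "CORP\\erin",       "src_ip": "10.0.7.55", "host": "DC01"},
    {"ts": "2021-01-12T09:00:00", "event_id": 4624, "logon_type": 3, "account": "CORP\\bob",        "src_ip": "10.0.2.20", "host": "DC01"},
]

# Hypothetical allow-list of accounts expected to hold admin rights on the DC.
KNOWN_DC_ADMINS = {"ADMIN\\jsmith", "ADMIN\\mlee"}


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the sample records."""
    return datetime.fromisoformat(value)


def privileged_logons_from_unknown_accounts(events, allowlist):
    """Rule 1: administrative logons (4672) on the DC by accounts outside the allow-list."""
    return [e for e in events if e["event_id"] == 4672 and e["account"] not in allowlist]


def sources_touching_many_accounts(events, window=timedelta(minutes=10), threshold=3):
    """Rule 2: a single source IP logging on to the DC as >= threshold distinct
    accounts within `window`. Returns (src_ip, sorted account list) per source."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event_id"] == 4624 and e.get("logon_type") == 3:
            by_src[e["src_ip"]].append(e)

    alerts = []
    for src, logons in by_src.items():
        # Slide a window over this source's network logons, oldest first.
        for i, first in enumerate(logons):
            t0 = parse_ts(first["ts"])
            accounts = {x["account"] for x in logons[i:] if parse_ts(x["ts"]) - t0 <= window}
            if len(accounts) >= threshold:
                alerts.append((src, sorted(accounts)))
                break  # one alert per source is enough for triage
    return alerts


def run(events=SAMPLE_EVENTS, allowlist=KNOWN_DC_ADMINS):
    """Apply both rules and return the findings for review."""
    return {
        "unknown_privileged": privileged_logons_from_unknown_accounts(events, allowlist),
        "spray_sources": sources_touching_many_accounts(events),
    }


if __name__ == "__main__":
    for rule, hits in run().items():
        print(rule, hits)
```

On the constructed data, rule 1 flags the administrative logon by `ADMIN\svc-print` and rule 2 flags `10.0.7.55`, which authenticated as three different accounts within two minutes. Real deployments would read events from the Security log or a SIEM and tune the window and threshold to the environment; the thresholds here are placeholders.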

Cyber Insurance Policy Basics

It’s critical to know exactly what’s covered.

Cyber insurance is still an evolving market. In two high-profile lawsuits contesting denial of coverage over the 2017 NotPetya attacks, pharmaceutical giant Merck is seeking $1.3 billion from multiple insurers, and multinational food company Mondelez International claims it is owed $100 million from Zurich Insurance. In both disputes, the insurance providers cite “war and terrorism” exclusions to deny the claims. (In October 2020, the U.S. indicted six members of the Russian military in the attack.)

Fortunately, we’re seeing insurers opting to pay out more often than deny claims. But there are plenty of gray areas – if a state actor launches a hack, for example – or, more importantly, if an incident merely appears that way, does that purported linkage constitute an “act of war”? Enterprise security and risk leaders must completely understand where threats are likely to come from, and make sure the potential losses are included in policies. Since terms such as “act of war” are still being defined, companies should also require that any exclusions impacting needed coverage be removed.

Unlike wars of the pre-digital world, the ramifications of attacks go beyond companies in a few regions. When researchers at the Cyentia Institute reexamined the 100 largest cybersecurity incidents of the last five years, totaling $18 billion in losses, they discovered that NotPetya ransomware, alone, accounted for 20% of losses.

Pick Your Defense Partners

Enlisting a digital forensics partner is an often-overlooked step that’s crucial for helping companies both buy the right coverage and provide factual bases for claims.

A digital forensics and incident response (DFIR) firm partners with customers to reduce the likelihood of a cybersecurity attack in advance, swiftly contain incidents and conclusively restore systems after an attack occurs. It will deploy managed detection and response (MDR) and managed security service platforms to search networks 24/7/365, find suspicious activity and launch effective mitigation and prevention measures. This reduces “dwell time”: the days, weeks or even months a threat can stay hidden within a network, compromising and stealing data.

With a DFIR partner in place, companies demonstrate to insurers that they are taking proactive, responsible steps to pursue comprehensive defense strategies. In turn, they greatly lower their risk profile which, again, can reduce insurance premiums. What’s more, if a compromise occurs, a DFIR partner will serve as the trusted representative of its customer and work with the provider to deal with the recovery process. This leads to far better results than “starting from scratch” in the aftermath of a breach.

The only certainty about cybersecurity threats is uncertainty, and COVID-19 has amplified that foreboding reality. The acquisition of cyber insurance is intended to minimize this uncertainty, and establish a lasting sense of comfort. To get there, however, organizations must proactively work to block suspicious activity as it occurs, focus on critical assets – such as the domain controller – and perform penetration and vulnerability testing to stay a step ahead of the bad guys. In most cases, this includes working with MDR and a DFIR partner. By combining vigilance with an insurance policy which covers all potential risks – acts of war and otherwise – leaders can be confident their teams are ready for whatever 2021 brings.

Mariana Swann

Mariana Swann is Program Director, Legal and Insurance at cybersecurity firm Pondurance.