Security Think Tank: Now is the time to think about cyber insurance
This article was first published in Computer Weekly
The increase in remote working during and after the pandemic has greatly increased cyber vulnerabilities. With the cost of cyber breaches growing (globally, the average cost of a serious breach was $3.9m in 2019), investing in cyber insurance is key. Despite this, only 11% of UK businesses have adequate cyber insurance. So, why are so few protected?
Lack of clarity about cyber insurance is a key concern. Premiums are often inconsistent, expensive and vague about the extent of cover, due to the relative immaturity of the market. This has made it difficult for chief information security officers to trust cyber insurance to pay out in the event of a breach or to be sure they are meeting the insurer’s auditing requirements.
One of the biggest challenges, however, is around quantifying cyber risk. Although approaches and frameworks such as NIST CSF, CIS 20, NCSC Cyber Essentials and ISO 27001 help develop cyber security capabilities, they don’t provide the tools to quantify the risk. Therefore, leaders tend to overestimate their cyber maturity and underestimate cyber insurance premiums. And when the insurer recommends ways to make cover more affordable, the disruption and investment can be unpalatable.
Cyber criminals are exploiting organisations’ uncertainty about cyber security, realising they can tailor attacks to the risk appetites of their targets. In an increasingly popular type of ransomware attack, the criminals research their victims to assess how amenable they might be to paying. These criminals know that if the targets see their demands as more affordable and less disruptive than restoring systems, then they’ll often prefer to pay the ransom.
The ethics of negotiating with criminals are questionable, and the business impacts will be substantial. It’s only a matter of time before regulators, private equity firms and shareholders start to call out such tactics.
New developments in the cyber insurance market can help organisations take a better approach. Leading providers are offering innovative cyber insurance options tailored to the individual needs of the organisation, bringing in cyber security experts to assess cyber maturity.
However, many organisations are reluctant to let a company with a product to sell run such a large-scale investigation into their inner workings. That’s when it can be helpful to have an independent review of your internal risk.
What can CISOs and buyers put in place to meet stringent levels of auditing?
That review can help with the audit and compliance requirements of insurance policies and focus on the key areas where organisations need to seek assurance. The first is around process – that means understanding the risks in IT operational policies, processes and controls, and making sure roles and responsibilities are well defined.
Then there needs to be effective backup management and recovery procedures from operational failures. This should include managing the particular risks around maintenance and support by controlling changes introduced to the IT infrastructure and application landscapes.
This should be reinforced by work on security controls to make sure management publishes a complete set of policies and procedures that support the information integrity objectives of the organisation. That includes processes to control the addition, change or removal of user access, as well as to manage data access requirements and regularly review that access. At the same time, the risks to critical data at the operating system level need to be assessed, as well as checking physical security measures.
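The regular access review mentioned above is the kind of control an insurer's auditor will ask to see evidence for. The following is an added example, not code from the article or from any insurer or IRM product, showing what such a review looks like in practice: it reconciles an identity-provider account export against the HR roster and flags leavers whose accounts are still enabled, accounts with no HR owner, privileged accounts without MFA, and dormant accounts. The roster, the account export, the group names and the 90-day dormancy threshold are all constructed for the example.

```python
from datetime import date

# Constructed sample data (not from the article): an HR roster keyed by
# username, and an export of accounts from an identity provider.
HR_ROSTER = {
    "alice": {"status": "active", "department": "finance"},
    "bob":   {"status": "leaver", "department": "engineering"},  # left, account never removed
    "carol": {"status": "active", "department": "engineering"},
    "dave":  {"status": "active", "department": "support"},
}

IAM_ACCOUNTS = [
    {"user": "alice",   "enabled": True, "groups": ["finance-readers"],  "mfa": True,  "last_login": date(2021, 3, 1)},
    {"user": "bob",     "enabled": True, "groups": ["prod-admins"],      "mfa": False, "last_login": date(2021, 1, 15)},
    {"user": "carol",   "enabled": True, "groups": ["prod-admins"],      "mfa": True,  "last_login": date(2021, 3, 2)},
    {"user": "dave",    "enabled": True, "groups": ["support"],          "mfa": False, "last_login": date(2020, 9, 1)},
    {"user": "svc-old", "enabled": True, "groups": ["backup-operators"], "mfa": False, "last_login": date(2020, 5, 1)},
]

# Assumed policy parameters: which groups count as privileged, how long an
# enabled account may go without a login before it is "dormant", and the
# date on which this review is run.
PRIVILEGED_GROUPS = {"prod-admins", "backup-operators"}
DORMANT_DAYS = 90
REVIEW_DATE = date(2021, 3, 15)


def review_access(roster, accounts, today, dormant_days=DORMANT_DAYS):
    """Reconcile IAM accounts against HR and return a list of findings.

    Each finding is a dict with the user, a category and a short detail,
    so the output can be filed as evidence for an audit or insurer review.
    """
    findings = []
    for acct in accounts:
        user = acct["user"]
        hr = roster.get(user)
        privileged_groups = PRIVILEGED_GROUPS & set(acct["groups"])

        # Joiner/mover/leaver check: every account must map to an HR record,
        # and leavers must have been disabled.
        if hr is None:
            findings.append({"user": user, "category": "orphaned",
                             "detail": "account has no matching HR record"})
        elif hr["status"] == "leaver" and acct["enabled"]:
            findings.append({"user": user, "category": "leaver-enabled",
                             "detail": "HR marks user as leaver but account is still enabled"})

        # Privileged membership must be backed by MFA.
        if privileged_groups and not acct["mfa"]:
            findings.append({"user": user, "category": "privileged-no-mfa",
                             "detail": "member of %s without MFA" % sorted(privileged_groups)})

        # Enabled accounts nobody uses are a standing risk and should be removed.
        idle = (today - acct["last_login"]).days
        if acct["enabled"] and idle > dormant_days:
            findings.append({"user": user, "category": "dormant",
                             "detail": "enabled but no login for %d days" % idle})
    return findings


def summarise(findings):
    """Count findings per category: the headline figures a reviewer reports."""
    counts = {}
    for f in findings:
        counts[f["category"]] = counts.get(f["category"], 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(HR_ROSTER, IAM_ACCOUNTS, REVIEW_DATE)
    for f in results:
        print("%-8s %-18s %s" % (f["user"], f["category"], f["detail"]))
    print(summarise(results))
```

Run on the constructed data, the review reports six findings across three accounts: the leaver still holding an enabled privileged account without MFA, a dormant support account, and an unowned service account that is dormant, privileged and lacks MFA. The same shape of output, generated on a schedule and retained, is the evidence that the access review control described above is operating.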
There are a number of approaches that can be used to address these challenges, ranging from zero-trust models to multi-factor authentication (MFA) and endpoint detection and response (EDR and XDR). Protective monitoring, encryption of the most critical parts of your network, and patch management processes can also provide the assurance insurers will be looking for.
The difficulty is that typically these processes are siloed, and reporting their results can be haphazard. What is needed is to bring these policies and controls together into a central repository. This kind of integrated risk management (IRM) creates a central place to manage all auditing requirements, whether for cyber insurance, ISO compliance or broader statutory audit requirements. This then allows you to streamline your response and reduce the pressures on already-pressed in-house resources.
IRM platforms can also highlight the risks that have the greatest impact on your operations so you can address them in order of priority, allowing spending to be optimised and resources used more efficiently.
In addition, they provide a real-time view of compliance, with a risk-based approach that is consolidated, consistent and aggregated across the entire business. Further efficiencies in the IRM system can be gained through workflow automation.
By consolidating your risk management processes, you can ensure that controls remain effective in delivering their objectives and demonstrate compliance with policies, standards and regulations with reduced impact on your daily operational demands. All of this will make it easier to meet the requirements of cyber insurers and enable organisations to have confidence that their policy will protect them when they need it.