Shopping for cyber insurance? Six questions to ask before calling the insurer

Article by Yubico Asia Pacific and Japan vice president, Geoff Schomburgk.


The cyber threat landscape has always been worrisome, but today many more CISOs are noticing new grey hairs in the mirror, given an anticipated uptick in cyber-attacks from nation-states and other bad actors.

Ransomware attacks and other forms of account compromise make the news every month, with malicious actors, state-sponsored or otherwise, potentially costing companies millions in downtime and lost opportunity. There are also serious reputational risks for vendors, who might see customers flock to a competitor after a publicised attack.

These attacks have broken the old cyber insurance risk models because it has become too easy for an attacker to steal credentials and work from the inside. Attackers use relatively simple techniques but can cause serious damage through days of downtime, often more than a classic data breach or the reputational fallout. These developments have far-reaching implications across the entire insurance industry, from the insurers to the brokers to the insured themselves.

Due to the heightened risk profile caused by recent events, cyber insurance premiums have skyrocketed, going up by 150-300 per cent in some cases. So it is no surprise that this increased-threat environment has prompted a quick uptick in cyber insurance interest, as firms either consider signing up for the first time or seek to increase their liability coverage.

The cyber insurance industry is still developing in response to all the new threats coming from novel sources. However, the basic tenet of insurance still holds: those companies at the highest risk will pay the highest premiums, or might not qualify at all.


Asking the right questions

What can companies do as their "homework" before approaching cyber insurance providers? How do they put themselves in the best position to negotiate reasonable premiums on a policy that will pay out if the worst happens? It is worth going through this checklist before investing in a policy:


1. What are the minimum security requirements of the insurer?

Most quotes for cyber insurance will come with a cyber risk vulnerability report. It will be billed as a report that helps assess the risk, but of course it is in the insurer's interest to find any glaring weak links in an organisation's armour. While minimum requirements will vary, they will likely closely mirror what is included in the Australian Cyber Security Centre's (ACSC) Essential Eight.

These are eight strategies to mitigate cyber security incidents, and implementing them effectively establishes a baseline cybersecurity posture. One of the eight strategies is multi-factor authentication, and at its higher maturity levels the model calls for phishing-resistant MFA.

You can be sure that simple password authentication is not going to be enough to meet cyber insurers' minimum requirements, because the risk is too high for them. So before asking for a cyber insurance quote, it makes sense for companies to grade themselves against the Essential Eight first.

In the past, a signed attestation from the company's CISO that minimum standards were in place was sufficient. However, for high-liability or high-risk policies, some insurers may now require proper due diligence, with evidence of the controls rather than a self-attestation, before going any further.


2. How fast can organisations implement more robust authentication?

If cyber insurance is something an organisation needs immediately, it may not have the time to wait for a full cycle of security upgrades. It is worth asking what can be done today, whether improved security practices, hardware-based authentication or additional employee training, to make the security profile more attractive to cyber insurers.


3. Has the pandemic weakened a company's security profile because more people log in from home?

Many companies' pre-pandemic security efforts treated the office locations as the boundary. But with so many employees now working permanently remotely or in a hybrid manner, tightening the organisation's grip on security has become a lot more complicated.

There is more risk because there are more attack vectors, and cyber insurers are acutely aware of this. It is not enough to focus on firewalls, web proxies and data protection; today, robust MFA for those logging in remotely must be part of the picture.

Attackers aren't breaking in, they're logging in. Compromised credentials were at the root of 65 per cent of cyber security incidents, according to the Office of the Australian Information Commissioner's (OAIC) Notifiable Data Breaches Report for July to December 2021. Raising the security bar for user authentication beyond passwords is imperative.


4. Will a policy pay out when something bad happens?

This is a legal question and the law is still developing, but keeping up with court cases that set precedent on these issues is key. It is no secret that insurance companies stay in business by not paying out when they don't have to, or by keeping their payouts low. Therefore it is important to carefully document all downtime and losses from the first day of a breach or other incident.

Some good news is a recent ruling on the global pharmaceutical company Merck's US$1.4 billion claim for losses from a 2017 attack originating from Russia. Even though the attack was aimed at Ukraine (a grim reminder of the physical invasion to come), the court ruled that it was not an "act of war or terrorism", so the payout could not be excluded on those grounds.

Insurance companies will try to limit their losses by breaking covered items into categories. For example, losses due to downtime, hardware and systems replacement, ransomware payment and identity protection for affected customers may have been covered in a single bundle before, but today they are likely to be itemised. That makes policies more complex, requiring brokers to shop around across several insurers to spread the risk.


5. Have we done a full cybersecurity review recently? If not, how do we do it?

Risk assessments should be carried out on a regular schedule and cover both internal and external threats. They can start with a comprehensive review of user access: which identity and access management (IAM) system the organisation uses, who has access to what, and what anti-phishing user education it has employed or plans to employ. A review should look closely at privileged users, critical staff and admins, but it should not exclude ordinary users. The safest end goal is to at least start on a path toward strong MFA for all users.
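The user-access review described above, as an added example that is not from the article or from Yubico: a small Python script that scores a user inventory by the strongest authenticator enrolled for each account, treats only FIDO2/WebAuthn, smart-card (PIV) and Windows Hello for Business as phishing-resistant, and lists the gaps with privileged accounts first. The inventory rows, role names and authenticator labels are constructed for the example; a real review would feed it an export from the organisation's IAM system.

```python
"""MFA coverage review over a user inventory (added example, not from the article).

Each row carries the strongest authenticator on record for the account. Only
FIDO2/WebAuthn, PIV smart cards and Windows Hello for Business count as
phishing-resistant; TOTP, push, SMS, voice and e-mail codes are MFA but can be
relayed through a phishing proxy, so they are reported as gaps too.
"""
from collections import Counter

# Authenticator labels and role names are assumptions for this example; map
# them to whatever the real IAM export uses.
PHISHING_RESISTANT = {"fido2", "webauthn", "piv", "smartcard", "whfb"}
PHISHABLE_MFA = {"totp", "push", "sms", "voice", "email"}
PRIVILEGED_ROLES = {"global_admin", "domain_admin", "cloud_admin", "dba"}

# Constructed sample export: user, role, strongest enrolled authenticator.
SAMPLE_INVENTORY = [
    {"user": "alice", "role": "global_admin", "mfa": "fido2"},
    {"user": "bob", "role": "domain_admin", "mfa": "sms"},
    {"user": "carol", "role": "staff", "mfa": "totp"},
    {"user": "dave", "role": "staff", "mfa": ""},
    {"user": "erin", "role": "dba", "mfa": "push"},
    {"user": "frank", "role": "contractor", "mfa": "WebAuthn"},
]


def classify(mfa):
    """Bucket an authenticator label; anything unrecognised is a finding, not coverage."""
    label = (mfa or "").strip().lower()
    if not label:
        return "password_only"
    if label in PHISHING_RESISTANT:
        return "phishing_resistant"
    if label in PHISHABLE_MFA:
        return "phishable_mfa"
    return "unknown"


def review(inventory):
    """Return coverage figures and an ordered list of accounts that need attention."""
    counts = Counter()
    findings = []
    for row in inventory:
        status = classify(row.get("mfa"))
        counts[status] += 1
        if status != "phishing_resistant":
            findings.append({
                "user": row["user"],
                "role": row.get("role", ""),
                "status": status,
                "privileged": row.get("role") in PRIVILEGED_ROLES,
            })
    # Privileged accounts first; within each group, no MFA before phishable MFA.
    severity = {"password_only": 0, "unknown": 1, "phishable_mfa": 2}
    findings.sort(key=lambda f: (not f["privileged"], severity[f["status"]], f["user"]))
    total = len(inventory)
    coverage = counts["phishing_resistant"] / total if total else 0.0
    return {"total": total, "coverage": coverage,
            "counts": dict(counts), "findings": findings}


def format_report(result):
    """Render the review as plain text suitable for a broker conversation."""
    lines = [f"Accounts reviewed: {result['total']}",
             f"Phishing-resistant MFA coverage: {result['coverage']:.0%}"]
    for f in result["findings"]:
        flag = "PRIVILEGED" if f["privileged"] else "standard"
        lines.append(f"  {flag:10} {f['user']:8} {f['role']:13} {f['status']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(review(SAMPLE_INVENTORY)))
```

Run against the sample, the report shows 33 per cent phishing-resistant coverage and puts the two administrators still on SMS and push at the top of the list, ahead of the staff account with no MFA at all; an unrecognised authenticator label is deliberately reported rather than silently counted as covered.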

Organisations should review their cybersecurity posture in line with the Essential Eight. They can bring this information into conversations with insurance brokers, which will put them in a stronger bargaining position when they negotiate cyber insurance premiums.


6. Is the cyber policy specific about what is covered and what will be paid out?

Boilerplate policies are never good, because each firm will have specific threat vectors and, most likely, its own scenarios for how an attack would happen. Businesses taking out a cyber policy should make sure there are enough specific references to the organisation's own risks and that they are satisfied with how third-party liability is treated.

In general, the more specific the policy is about what falls under covered attacks, the better. Note: this is where a proper legal advisor, preferably one with cyber insurance experience, would help. Nothing said here should be taken as legal advice.

These six questions are only a starting point for cyber insurance research, but they are a good foundation for working out how to get the best deal on premiums and the most comprehensive protection for the years ahead.
