Chief Strategy Officer, servco security. Security industry entrepreneur, board advisor, investor and author.
With the constant onslaught of costly ransomware and other attacks, cyber insurance is more important than ever for businesses. A company may implement appropriate security controls and meet regulatory mandates, but breaches still happen, and when they do, cyber insurance can be a vital tool that helps a business recover quickly. However, obtaining it is becoming more expensive, complex and challenging.
According to Fitch Ratings, cyber insurance is the fastest growing segment of the US property/casualty insurance market. However, claims and payouts have increased with that growth, causing insurers to be more precise in what they expect from policyholders.
Between 2018 and 2021, Fitch found that the number of cyber insurance claims made by policyholders increased by 100% and the number of claims paid out by insurers increased by 200%. Although the pace of premium increases has slowed somewhat, premiums are still rising: according to insurance broker Marsh, average cyber insurance prices were up 11% in the first quarter of 2023 after a 28% jump in the last quarter of 2022.
Obtaining cyber insurance may once have been a straightforward process. However, the growth and sophistication of the cyber threat landscape has changed that, and companies wishing to qualify for cyber insurance at reasonable rates now carry a substantial burden of proof. They must demonstrate to insurers that they have strong security controls in place and are complying with cybersecurity mandates.
Although there are many ways to demonstrate strong security controls, three areas stand out: security assessment, breach and attack simulation, and asset intelligence.
Security assessments are a great mechanism for leveraging outside experts to penetrate, evaluate and measure the effectiveness of your security controls. They also measure how well your incident response team and its processes perform in the face of an incident. The results of these assessments help you uncover and prioritize issues in talent, techniques and technology that may hinder the effectiveness of the organization's security controls.
Breach And Attack Simulation
Breach and attack simulation solutions are engineered for third-party penetration testers as well as in-house Red, Blue and Purple teams to validate the effectiveness of security controls ranging from endpoint security and network firewalls to email security and SIEM. They execute real attack techniques such as data exfiltration and malware execution, in a controlled way, to determine whether the security controls in place stop the attacks from succeeding.
They also verify whether each attack is detected and whether it generates an alert, across hundreds or thousands of attack types. The resulting output maps each successful attack to the security control that failed to stop it and recommends the adjustments to make, so that the controls in place are both validated and tuned.
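The prevent/detect scoring described above, as an added illustration that is not code from the article or from any particular BAS product. It assumes ATT&CK-style technique IDs, a constructed set of simulation outcomes and a few constructed SIEM alert lines; a real harness would pull both from the BAS tool and the SIEM API. The point it makes that the prose does not: an attack that was not blocked but did raise an alert is a different finding from one that went entirely unnoticed, and both map back to a named control.

```python
"""Score breach-and-attack-simulation results against prevention and detection.

Each simulated technique records whether a preventive control blocked it.
Detection is judged separately by looking for the technique ID in SIEM alerts.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Technique:
    tid: str       # ATT&CK-style technique ID (assumed naming convention)
    name: str
    control: str   # control expected to prevent this technique
    blocked: bool  # True if the simulated action was stopped


# Constructed simulation outcomes (not real telemetry).
RESULTS = [
    Technique("T1048", "Exfiltration over alternative protocol", "egress firewall", blocked=False),
    Technique("T1204.002", "Malicious file execution", "endpoint protection", blocked=True),
    Technique("T1566.001", "Spearphishing attachment", "email security", blocked=False),
    Technique("T1003.001", "LSASS memory dump", "endpoint protection", blocked=False),
]

# Constructed SIEM alert lines; in practice these come from the SIEM's API.
ALERTS = [
    "2024-05-01T10:02:11Z sev=high rule=credential-dumping technique=T1003.001 host=ws-17",
    "2024-05-01T10:03:40Z sev=med rule=blocked-executable technique=T1204.002 host=ws-17",
]


def detected_techniques(alert_lines):
    """Return the set of technique IDs that produced at least one alert."""
    found = set()
    for line in alert_lines:
        for field in line.split():
            if field.startswith("technique="):
                found.add(field.split("=", 1)[1])
    return found


def score(results, alert_lines):
    """Classify each technique as prevented, detected-only, or missed."""
    detected = detected_techniques(alert_lines)
    report = {"prevented": [], "detected_only": [], "missed": []}
    for t in results:
        if t.blocked:
            report["prevented"].append(t.tid)
        elif t.tid in detected:
            report["detected_only"].append(t.tid)   # got through, but someone would know
        else:
            report["missed"].append(t.tid)          # got through silently
    return report


def control_gaps(results):
    """Map every unblocked technique to the control that should have stopped it."""
    gaps = {}
    for t in results:
        if not t.blocked:
            gaps.setdefault(t.control, []).append(t.tid)
    return gaps


if __name__ == "__main__":
    for bucket, tids in score(RESULTS, ALERTS).items():
        print(f"{bucket:14s} {tids}")
    for control, tids in control_gaps(RESULTS).items():
        print(f"tune {control}: failed to prevent {tids}")
```

The "detected_only" bucket is the one worth arguing about with an insurer or auditor: the control did not prevent the technique, but the SIEM rule fired, so the gap is in prevention tuning rather than in visibility.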
Asset intelligence provides abundant evidence-based, actionable data where regulatory compliance and cyber insurance meet. It is an area where auditors spend a substantial amount of time, because evaluating a system requires understanding the organization's entire estate from a risk perspective. Auditors need that understanding immediately, because they often deal with regulators and insurance companies at the same time.
From a security perspective, asset intelligence built on evidence-based security data, rather than a simple inventory of devices and software, helps organizations comply with regulatory standards. After all, those standards are designed to ensure that specific security controls are in place, and insurers look for the same data when underwriting cyber insurance policies.
For organizations, the benefits of asset intelligence include:
• Risk reduction, which is an important discipline in compliance and some of the best data you can have when applying for cyber insurance.
• Rapid identification of security gaps, an essential step in the vulnerability identification and mitigation chain and another important factor where regulatory requirements and insurance meet.
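The difference between an inventory and evidence-based asset intelligence, as an added example that is not code from the article or any vendor. It reconciles three constructed sources, a CMDB export, EDR agent check-in times and hosts seen by a vulnerability scanner, and produces the numbers an insurer's questionnaire typically asks for (endpoint agent coverage) together with the gaps an auditor would flag. The seven-day staleness threshold and the hostnames are assumptions.

```python
"""Reconcile asset evidence from several sources to find control gaps.

An inventory says what the organization thinks it owns. Evidence-based asset
intelligence cross-checks that against what security tools actually observe.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=7)  # assumed: an agent silent this long is not protecting anything

# Constructed CMDB export: the authoritative list of what we believe we own.
CMDB = {
    "ws-17": {"owner": "finance", "os": "windows"},
    "ws-22": {"owner": "eng", "os": "macos"},
    "srv-db-01": {"owner": "platform", "os": "linux"},
    "srv-web-02": {"owner": "platform", "os": "linux"},
}

# Constructed EDR console export: last agent check-in per host.
EDR_CHECKIN = {
    "ws-17": NOW - timedelta(hours=3),
    "srv-db-01": NOW - timedelta(days=30),  # agent installed but stopped reporting
    "srv-web-02": NOW - timedelta(hours=1),
}

# Constructed vulnerability-scanner sightings: hosts that answered on the network.
SCANNER_SEEN = {"ws-17", "ws-22", "srv-web-02", "srv-web-03"}


def reconcile(cmdb, edr_checkin, scanner_seen, now=NOW, stale_after=STALE_AFTER):
    """Join the three sources and report EDR coverage plus the gaps between them."""
    known = set(cmdb)

    def healthy(host):
        return host in edr_checkin and now - edr_checkin[host] <= stale_after

    gaps = {
        # In the CMDB but the EDR console has never heard of it.
        "no_edr_agent": sorted(h for h in known if h not in edr_checkin),
        # Agent exists but has gone quiet: counts as uncovered for insurance purposes.
        "stale_edr_agent": sorted(h for h in known if h in edr_checkin and not healthy(h)),
        # Live on the network but absent from the inventory: unmanaged asset.
        "unknown_to_cmdb": sorted(scanner_seen - known),
    }
    covered = [h for h in known if healthy(h)]
    coverage = len(covered) / len(known) if known else 0.0
    return {"edr_coverage": round(coverage, 2), "gaps": gaps}


if __name__ == "__main__":
    report = reconcile(CMDB, EDR_CHECKIN, SCANNER_SEEN)
    print(f"EDR coverage of known assets: {report['edr_coverage']:.0%}")
    for kind, hosts in report["gaps"].items():
        print(f"{kind}: {hosts}")
```

Counting a silent agent as uncovered is deliberate: a questionnaire answer of "100% EDR deployed" that is really "100% installed, 50% reporting" is exactly the kind of claim that does not survive an auditor or a claims investigation.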
Indisputable evidence-based data that shows an organization is taking a proactive approach to risk management can translate into more favorable cyber insurance terms, including lower premiums and other elements such as policy length. With car insurance, if you can show the insurer that you live in a remote location and your nearest neighbor is 50 miles away, you pay less. With cyber insurance, the data you can produce is likewise worth dollars and cents.
It can also benefit insurers by making them more competitive. A better understanding of a company's security posture allows insurers not only to offer lower rates but also to customize policies, tailoring them to the specific needs and risks of the business.
Cyber insurance is vital for businesses operating amid growing threats and the potential for costly, reputation-damaging breaches. A company that can assess its own security, simulate breaches and attacks, and offer a clear view of its enterprise should receive more favorable insurance terms.
The Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs, and technology executives.