Top 3 actions for technologists to help maximize the value of your business’ cybersecurity insurance
I recently had the privilege of organizing a knowledge-sharing webinar, where we brought together a panel of cybersecurity insurance (CSI) experts. Our discussion revolved around the present and future state of the industry, and I gained a wealth of valuable insights along the way that inspired this blog.
One of the prevailing themes during the discussion and my research was that the CSI landscape is evolving rapidly. Recent events and trends such as high-profile data breaches, the sophistication of cyberthreats, and regulatory compliance requirements have resulted in:
- Premiums rising dramatically or policies not being renewed at all
- Increased scrutiny on cybersecurity control requirements
In this blog, I will focus on the role of the IT and security professional (a.k.a. technologist) in helping their businesses address these challenges and more.
The role of the technologist in CSI evaluation phases
While the CSI evaluation process can vary depending on factors like business complexity, size, and industry, there is typically a common set of activities where technology professionals can contribute their expertise.
Below are some examples of the typical phases and the tasks that technologists can perform in each.
One of the key phases where technology is almost always engaged is in the completion of the CSI questionnaire. In this blog, I will focus on this particular phase.
Most CSI questionnaires tend to focus on a standard set of security controls. The diagram below covers the common cybersecurity controls you may find in a CSI questionnaire.
As this is an IAM blog, I will zoom in on access management and multi-factor authentication (MFA), but the same approach can be applied to all the other controls. Let’s start by looking at some examples of the types of questions you will commonly see in a CSI questionnaire regarding MFA.
Can you please confirm your use of Multifactor Authentication (MFA) for:
1. % of remote access connections: _________ %
2. % of email accounts: _________ %
3. % of privileged accounts (internal & remote access): _________ %
4. If there are exceptions to the above, please detail how extensive these exceptions are and why they are made:
Have you disabled remote desktop protocol (RDP)? If No, have you implemented MFA on RDP?
As a technologist who understands MFA, you may be surprised by how overly simplistic these questions appear, which actually brings to light some of the underlying challenges with CSI. Here are the key ones:
- Traditional insurers looking to expand into cybersecurity do not have the experience, experts, or data.
- Technology, in particular software, moves and evolves much faster than traditional areas that insurers have been successful in.
The result: insurers can’t do what they do best, which is attain a deep understanding of risk. Insurers must invest in developing a deep understanding of the risks associated with the industries they serve. This involves staying updated on emerging technologies, evolving cyberthreats, and regulatory changes. Only by understanding the unique risks faced by businesses can insurers accurately assess and underwrite policies that provide appropriate coverage.
Let’s continue on with the MFA example. As IAM enthusiasts, we know that not all MFA is created equal from a security risk perspective. This Factor Assurance article describes it well. We also know that MFA needs to continue to evolve to counter the evolving threats. For example, Okta recently introduced Phishing-Resistant Multi-Factor Authentication to help our customers defend against more sophisticated socially engineered phishing attacks.
In terms of an assessment of risk, it could be argued that adopting a higher assurance MFA strategy and utilizing modern MFA authenticators significantly lowers risk and, in turn, should be rewarded with a better premium. In reality, if you made this argument today, most brokers and CSI providers would probably be staring at you blankly.
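As an added example (not part of the original post), here is one way to derive the three MFA percentages and the exceptions list the sample questionnaire asks for, with the phishing-resistant share reported alongside so the assurance argument above can be backed with numbers. The inventory, field names, and factor tiering are constructed assumptions, and accounts stand in for remote access connections.

```python
from collections import namedtuple

# Assumption: factor labels and tiering chosen for this sketch, not a vendor schema.
PHISHING_RESISTANT = {"webauthn", "smartcard"}

Account = namedtuple("Account", "user scopes factors exception_reason")

# Constructed sample inventory; not real data.
INVENTORY = [
    Account("alice", {"email", "remote_access", "privileged"}, {"webauthn"}, None),
    Account("bob", {"email", "remote_access"}, {"totp", "sms"}, None),
    Account("carol", {"email"}, {"webauthn", "sms"}, None),
    Account("dave", {"email", "remote_access"}, set(), None),
    Account("svc-backup", {"privileged"}, set(), "non-interactive service account"),
    Account("erin", {"email", "privileged"}, {"push"}, None),
]


def coverage(inventory, scope):
    """Return MFA coverage figures for every account that falls in `scope`."""
    in_scope = [a for a in inventory if scope in a.scopes]
    with_mfa = [a for a in in_scope if a.factors]
    # Count an account as phishing-resistant only if every enrolled factor is:
    # a weaker enrolled factor remains usable as a fallback.
    resistant = [a for a in with_mfa if a.factors <= PHISHING_RESISTANT]
    gaps = [a for a in in_scope if not a.factors]

    def pct(n):
        return round(100 * n / len(in_scope), 1) if in_scope else 0.0

    return {
        "accounts": len(in_scope),
        "mfa_pct": pct(len(with_mfa)),
        "phishing_resistant_pct": pct(len(resistant)),
        # Accounts without MFA need a documented reason for question 4.
        "exceptions": [(a.user, a.exception_reason or "UNDOCUMENTED") for a in gaps],
    }


def questionnaire_answers(inventory):
    """One row per questionnaire line: remote access, email, privileged."""
    scopes = ("remote_access", "email", "privileged")
    return {s: coverage(inventory, s) for s in scopes}


if __name__ == "__main__":
    for scope, row in questionnaire_answers(INVENTORY).items():
        print(scope, row)
```

The gap between `mfa_pct` and `phishing_resistant_pct` is the part a simple percentage question does not capture, and any `UNDOCUMENTED` exception is one to resolve before the form is submitted.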
So, now that we understand the challenges, it’s time to get your business future-ready. Here are some calls to action.
Work with your business and help source and interview CSI brokers and providers that specialize in cybersecurity
One of the more straightforward yet impactful recommendations for your business is to consult with CSI brokers who possess a strong understanding of technology. These brokers typically collaborate with specialized cybersecurity insurers. By engaging technology-savvy brokers, you can benefit from their in-depth experience in bridging technology and insurance discussions. They are also more inclined to negotiate on security controls, providing valuable guidance tailored to your specific needs and better premiums based on your organization’s cybersecurity posture.
A CSI controls discussion is an opportunity to discuss risk, educate the business, and access funding
Utilize discussions on CSI controls to educate internal stakeholders and identify areas where investments can be made to enhance your organization’s security posture. By making strategic investments in security, you can improve your overall protection and potentially obtain better value from your insurance coverage. The savings achieved through improved insurance terms can then be reinvested in strengthening your security tools and overall security posture.
Prepare now for what is coming in the CSI industry
All the work you do in the above two actions will serve you well. Here is some of what to expect.
- Insurers are likely to implement increasingly intricate coverage terms, requiring organizations to showcase stronger security controls. Merely checking the box for MFA may no longer be sufficient to secure the best value or obtain insurance coverage.
- Insurers may adopt advanced techniques for risk assessment and quantification to gain a deeper understanding of an organization’s cyber risk profile. This evaluation will influence the provision of coverage and its associated cost.
- Insurers may establish partnerships or mandate third-party cybersecurity services to complement insurance coverage.
In summary, as technologists, we, more than most, understand that CSI does not replace the importance of implementing advanced, modern security controls. Nonetheless, your business will most likely be required to evaluate or reevaluate CSI as a tool for risk mitigation and financial protection. As the market matures, IT and security will need to play a leading role in preparing your business for the future and ensuring that it is well equipped to obtain the best value and protection. I hope this blog offers some insights and guidance and helps you along this journey.