Getting and holding a comprehensive cyber insurance policy can be an intensive process, but for most, it is essential. Cyber insurance is a critical risk management and resilience tool.
Perhaps the most important factor is that carriers are still refining how they measure and assess risk. In the ever-evolving world of cybersecurity, threats are always changing – making it difficult to keep up. Premium increases continue, though they have slowed from the hard market of 2021. As part of the maturing risk identification process, underwriters continue to ask for more sensitive information as they price and issue policies.
In this complex marketplace, how can you get (and maintain) the best cyber insurance terms?
First: Be Aware of the Biggest Risk Factors
Cybersecurity is a team effort. While you and your team understand your organization’s security posture, you’re only as strong as your weakest link. Insurers have increased their focus on strategic risk from large-scale industry impacts and have identified two big risk factors:
Organizations understand larger security concepts – like the principle of least privilege – but not how often those concepts are compromised in specific processes.
Organizations underestimate how the threat landscape, combined with a single vulnerability, can turn them into targets of opportunity.
As a cybersecurity professional, you understand this. But how do the insurance carriers? While they are admittedly still learning, Meredith Schnur, Managing Director, U.S. and Canada Cyber Brokerage Leader of Marsh USA, says they navigate and direct their clients based on 12 key controls.
Second: Know the 12 Key Security Controls
According to Marsh, the adoption of certain controls has now become a minimum requirement of insurers, with organizations’ potential insurability on the line. Schnur says organizations should think of these controls as buckets. Within each bucket there are a number of questions, and the answers to those questions drive a large part of the underwriting.
It’s important to note that no single category is considered the most important. In fact, it’s quite the opposite – these controls work together. If your organization can answer these questions and fill these buckets, you’re in good shape:
Multifactor authentication for remote access and admin/privileged controls
Endpoint Detection and Response (EDR)
Secured, encrypted and tested backups
Privileged Access Management (PAM)
Email filtering and web security
Patch management and vulnerability management
Cyber incident response
Cybersecurity awareness training and phishing testing
Hardening techniques, including Remote Desktop Protocol (RDP) mitigation
Logging and monitoring/network protections
End-of-life systems replaced or protected
Vendor/digital supply chain risk management
Underwriters are getting more comfortable with their procedures and experience in identifying and underwriting cyber risk, and Marsh has expressed cautious optimism in its latest market update. In addition to making sure your organization meets the above requirements, here are a few tips from the experts on how to prepare for the underwriting process.
Start early. Without positive responses in the top 5 control categories, the coverage offered, and even insurability, may be in question.
Evaluate your cybersecurity maturity by completing a cyber self-assessment.
Expect more rigorous underwriting and more detailed questions from underwriters.
Cyber insurance is just one topic the ACSC is covering this year as part of our objective to share integrated strategies and partnerships for cyber talent and technology with our members. Stay tuned for more information and guidance.