As a result of a significant increase in claims and heavy losses incurred by the insurers caused by ransomware attacks on their customers in 2021, insurers have significantly raised the bar on the security standards required to purchase cyber insurance, leaving little time for organisations to catch up.
Understandably, many organisations are currently struggling to meet these new cyber security requirements, even in sectors with a reputation for excellent cyber security standards. Insurers’ expertise in cyber risk has also developed significantly in recent years, to the extent that in many ways the insurers themselves are now seen as one of the key drivers of improvement in enterprise cyber security.
In addition to an already hardening insurance market, failure to comply with these new requirements can lead to marked increases in premiums, reduced coverage and, in some cases, insurers declining to quote or to provide renewal terms. This comes at a time when businesses and organisations are increasingly aware of the scale of the cyber exposures they face and are seeking to insure against them.
Understanding insurers’ current requirements is therefore essential for those seeking to obtain cyber insurance.
Some of the key risk controls that insurers are focusing on at present include:
- A very small number of domain administrator accounts, with any service accounts that hold domain administrator rights prevented from logging on interactively.
- Tight control of open, internet-facing ports (some insurers scan an applicant’s external attack surface before providing a quotation).
- Multifactor authentication for all remote users and access to cloud-based services, such as Microsoft Office 365.
- Multifactor authentication for all privileged accounts (both outside and within network).
- Critical security patches for software and firmware applied within 14 days of release (within 7 days is preferable).
- Advanced Endpoint Detection and Response (EDR) protection.
- Network segmentation.
- Offline or immutable data backups.
- Web Application Firewalls (WAFs) for higher risk websites, such as customer online sales or login areas providing access to sensitive information.
- No legacy or out-of-support systems, or strong compensating controls (such as network isolation) where these remain.
- Social engineering tests conducted, such as simulated phishing campaigns against staff.
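As an added example (not from the original article, and not a PMD tool), the PowerShell script below gives a starting point for self-assessing two of the controls in the list above before an insurer’s questionnaire arrives: the size and make-up of the Domain Admins group, and patch currency on the host it runs on. It assumes a domain-joined Windows machine with the RSAT ActiveDirectory module installed and an account that can read Active Directory; the 14-day threshold mirrors the figure quoted above. Whether a service account is actually blocked from interactive logon is set through the "Deny log on locally" user right in Group Policy and is not visible on the AD object, so the script can only flag candidates for that manual check.

```powershell
# Added self-assessment script (example only, not from the original article).
# Assumes: domain-joined host, RSAT ActiveDirectory module, read access to AD.
Import-Module ActiveDirectory

# --- Control: very small number of domain administrator accounts ----------
# -Recursive resolves nested groups so admins hidden in sub-groups are counted.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Get-ADUser -Identity $_.distinguishedName `
            -Properties ServicePrincipalName, LastLogonDate, PasswordLastSet
    }

"Domain Admins (recursive): $($domainAdmins.Count) user accounts"
$domainAdmins |
    Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet,
        @{ Name = 'HasSPN'; Expression = { [bool]$_.ServicePrincipalName } } |
    Format-Table -AutoSize

# An account with a Service Principal Name is a service account. Holding
# Domain Admin rights on such an account is a high-value target (its Kerberos
# service ticket can be requested by any domain user and cracked offline), so
# it should be rare and must not be allowed to log on interactively.
$serviceAdmins = $domainAdmins | Where-Object { $_.ServicePrincipalName }
if ($serviceAdmins) {
    Write-Warning ("Service accounts holding Domain Admin rights: " +
        ($serviceAdmins.SamAccountName -join ', '))
    Write-Warning ("Confirm each is listed under 'Deny log on locally' and " +
        "'Deny log on through Remote Desktop Services' in Group Policy; " +
        "that restriction is not readable from the AD object.")
}

# --- Control: critical patches applied within 14 days (7 preferred) ------
# Get-HotFix lists updates already installed on this host; it cannot report
# updates that are missing, so the check is "has anything been applied lately".
$threshold = (Get-Date).AddDays(-14)
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

if (-not $latest -or $latest.InstalledOn -lt $threshold) {
    Write-Warning ("No Windows update installed on $env:COMPUTERNAME in the " +
        "last 14 days (most recent: $($latest.InstalledOn))")
} else {
    "Most recent update on ${env:COMPUTERNAME}: $($latest.HotFixID) " +
    "installed $($latest.InstalledOn.ToShortDateString())"
}
```

Run it from an elevated PowerShell session; the remaining controls in the list (EDR, segmentation, immutable backups, WAF coverage) need evidence from the systems that implement them rather than a query of this kind.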
At the very least, failure to comply with the above will usually result in risk improvement requirements. For some insurers non-compliance with the above can result in them declining to provide any level of cover.
In addition to the above, and dependent upon the size and type of cyber risk exposure, the following may also be put forward as requirements by the insurer:
- Security Operations Centre (SOC).
- Security Information and Event Management (SIEM) systems.
- Data Loss Prevention (DLP).
- Network Access Control (NAC).
- In-house cyber security specialists.
- Intrusion Detection and Prevention Systems (IDS and IPS).
- Application whitelisting.
- Cyber incident response plan.
- Dark web intelligence.
- Assurances on controls for specific, widely exploited software vulnerabilities, most recently Log4j (Log4Shell, CVE-2021-44228).
Insurers generally expect the following to already be in place as standard:
- IT Security and Data Protection Policies.
- A clear view of the number of personally identifiable information (PII) and payment card (PCI) records held.
- Least privilege access management.
- Penetration testing.
- Vulnerability scanning.
- Firewalls and DMZs.
- Anti-malware protection.
- Staff training.
- Business Continuity Plans.
- Defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
Again, failure to have the above in place can result in risk improvement requirements imposed, or refusal by insurers to provide terms.
If you or your organisation is interested in obtaining further information on solutions PMD sell for data protection and backup, please email firstname.lastname@example.org