Is it Possible to Lower Cyber Insurance Costs – Without Compromising on Policy Quality?
Companies should move away from doing "just enough security" to tick the boxes to get a policy, and take a more strategic approach to improve their posture with security investments that cover critical aspects and are future-proof, says Mohammad Ismail, Regional Director - Middle East, Delinea.
Delinea’s latest State of Ransomware Report showed a startling reduction of ransomware in 2022, with just 25% of the surveyed IT decision makers saying they fell foul of ransomware attacks – down from 64% in the previous 12 months.
However, these encouraging statistics only tell part of the story, and those that are hit with ransomware attacks are only too aware of the devastating consequences. In 2022, more organisations reported financial loss (56%) and lost customers (50%) compared with the previous year. In the UAE, eight out of ten companies have experienced email-based phishing attacks, with 44% leading to financial loss.
So, it’s clear that cyber insurance is still a must-have for many companies – and lots are realising this, with a Delinea report finding that around 70% of respondents have applied for cyber insurance. And with nearly 80% of businesses with cyber insurance having had to use it (often several times) – there’s no getting around the fact that many UAE companies are considering having this in place.
But it’s not always that simple, with insurers assessing each company individually to get an understanding of their particular risks and potential consequences – as well as investigating how well a company is protected against potential attacks. This means that some businesses are still likely to find it difficult to obtain affordable insurance. Consequently, some may decide to divert funds from other areas of the business, some will accept a coverage reduction or an increase in the excess just to pay a lower price, and others will give up and remain uninsured.
Is it all doom and gloom?
Companies should move away from doing “just enough security” to tick the boxes to get a policy and take a more strategic approach to improve their posture with security investments that cover critical aspects and are future-proof. As Marsh noted in a 2022 UK analysis, “As insurer competition increases, insureds with favourable risk profiles and effective cyber controls may start to see pricing reductions.” With this in mind, here is what organisations should start considering.
1. Identify risks and educate employees
Insurers want clients to understand their risks and have established risk management processes, potentially including a cybersecurity risk assessment. Identifying vulnerabilities also helps gauge any company’s cyber risk tolerance.
Insurers also want to see regular cybersecurity training beyond simple online tests or signoffs on security policies. Make cybersecurity awareness training part of the corporate culture and include it any time company-wide or departmental training is conducted.
2. Track assets and privileged accounts
Organisations should have an inventory of all devices, software, and privileged accounts that attackers can target, including those used by remote workers. Identify all threat vectors and determine the value and scope of the assets to insure.
Discovery tools for Active Directory accounts and passwords, service accounts, and local accounts and applications make this much easier.
3. Automate passwords and use MFA
Using manual spreadsheets for password management is a red flag to insurers. Implement a privileged password management solution such as a password vault to track credentials and generate and rotate complex passwords so people don’t have to type or remember them. Use automation to apply policies consistently and avoid human error.
Multi-Factor Authentication (MFA) adds another layer of security. Show insurers the right steps have been taken to counter credential-based cyber-attacks by using MFA both at login and at privilege elevation.
4. Implement PAM and defence-in-depth
Hackers often conceal their activities under the guise of a legitimate administrative user. A comprehensive PAM solution helps control access to systems and data and comply with regulations. Look for software that can automate the identification and analysis of risk to privileged accounts, along with vaulting, continuous monitoring, and session recording.
Demonstrate that additional measures are taken to protect from malware attacks by implementing defence-in-depth. This includes implementing and enforcing least privilege access, restricting or removing local admin rights, and layering in threat intelligence and endpoint protection solutions.
5. Back up accounts and use endpoint security
When disaster strikes, it’s critical to recover quickly. Make sure all secrets (passwords and other credentials) aren’t tied to a single location and can be moved to a safe space. A successful password management or PAM solution should have infrastructure redundancy for break-glass access.
An endpoint security tool also makes identifying and responding to attacks easier. Choose a solution with comprehensive monitoring, alerting and reporting capabilities for privileged behaviour on workstations and servers. IT security teams should be able to identify unexpected behaviour and conduct forensic analysis if a breach occurs.
6. Monitor credential usage
Keep an eye on employees’ credential usage: 82% of data breaches involve the human element, including social attacks, errors and misuse, according to Verizon’s 2022 Data Breach Investigations Report.
Leverage a PAM solution that can monitor remote sessions, extend remote monitoring to cloud sessions, and use Privileged Behaviour Analytics to look at what digital identities access, so that anomalies are detected and attacks are stopped.
7. Create an incident response plan
An incident response plan can stop a cyber breach becoming a catastrophe. It helps IT operations, security, and incident response teams to form a united front against an attack, coordinate a rapid response, and maintain business continuity.
Use a customisable template to create an incident response plan. Include a checklist of roles and responsibilities and actionable steps to measure the extent of a cybersecurity incident and contain it before it damages critical systems. Conduct incident simulations to identify areas for improvement and demonstrate that response readiness is more than theoretical.
Of course, cyber insurance should never replace a robust, evolving cybersecurity program. But it is a key part of any program to help protect against the ever more severe effects of attacks such as ransomware. And the stronger your cybersecurity plans, programs and policies are, the cheaper cybersecurity insurance will be and the simpler it will be to get.