According to Fitch Ratings, a financial market analyst firm, the cost of cyber insurance premiums increased by 178% from 2017 to 2022, with a year-on-year increase of 51% in 2022 alone. Fitch said costs are expected to fall in the coming quarters as margins and competition put pressure on pricing, and as clients adapt to their own circumstances by improving their cybersecurity measures or dropping cyber insurance from their risk management strategies altogether. For some high-risk organizations, the cost has become prohibitively expensive; others never get to make that decision, because the insurer outright refuses to cover them. Still others may find that certain kinds of cover are no longer available at all. This was the case with Lloyd's of London at the end of 2022, when the company announced that it would require its insurers to exclude damages related to state-sponsored cyberattacks.
These developments in cyber insurance may be frustrating for customers, but they are to be expected as relatively new insurance products mature in a highly volatile market. As threat actors have become more sophisticated and aggressive, underwriters have learned the hard way, and this has pushed them into a more active advisory role in their clients' risk management, providing guidance aimed at improving security. As Robert Parisi, head of North American network solutions at Munich Re, a major reinsurer, told Wall Street, "The underwriting business is actively shifting to 'how can we get deeper, more insightful observations.'"
For example, the insurance broker Marsh McLennan Agency lists 12 security controls that it uses to inform its customers' cybersecurity policies, including a warning that failure to provide evidence of the first five controls could result in being disqualified from coverage. On the other hand, adopting and effectively using all 12 controls will not only improve your organization's overall risk profile, but will most likely reduce cyber insurance costs. Marsh reports that by adopting and documenting its recommended controls, 14% of customers enjoyed lower premiums in the past year, even as their peers paid higher rates.
For the curious, these twelve controls are:

1. Multi-factor authentication (MFA) for remote access and privileged (administrative) control
2. Endpoint Detection and Response (EDR)
3. Secure, encrypted, and tested backups
4. Privileged Access Management (PAM)
5. Email filtering and web security
6. Patch management and vulnerability management
7. Cyber incident response planning and testing
8. Cybersecurity awareness training and phishing testing
9. Hardening techniques, including Remote Desktop Protocol (RDP) mitigation
10. Logging and monitoring / network protection
11. Replacement or protection of end-of-life systems
12. Digital supply chain risk management

In general, the controls on this list represent excellent defense-in-depth and should be part of every security policy. It makes good business sense to invest in cybersecurity and risk management, not only to reduce cyber insurance premiums but also to minimize the risk of costly data breaches. But with increasing threats and an increasingly complex and dynamic mix of technology assets in the typical enterprise, this is easier said than done.
Take a step forward or step back
A big step towards achieving this has to be gaining complete asset visibility across the network. A common lament among CISOs these days is that they are responsible for protecting every asset that is relevant to and runs in the business, whether or not they know it is there. Visibility into those details is what makes it possible to close security gaps. For example, if a device is operating outside of IT operations' view, how do you know whether it has reached end-of-life? How do you perform patch and vulnerability management on systems you don't know are connected to the network? If a vulnerable asset operates in the shadows, how do you segment it?
The brutal truth of today's IT and security operations management is that virtual services, Internet of Things (IoT) and mobile devices, and operational technology (OT) are now commonplace in enterprise environments. Up to 20% of these assets are invisible to CISOs, and any one of them could be a step in an attack vector, or a waypoint on a threat actor's path to their intended target. If any one of them is unaccounted for, the opportunity to detect, prevent, or contain an ongoing attack is lost.
That's why a 13th control, full IT asset visibility, should be added to the Marsh list. Because you can't protect what you can't see, investing in tools that enable real-time asset visibility across your network is critical to maximizing security, minimizing risk, and protecting your business from threats like ransomware. Being able to provide proof of that visibility and control to underwriters then makes lower cyber insurance premiums the icing on the cake.