Why securing cyber insurance coverage is becoming more challenging

16 March 2022 Consultancy.com.au

Faced with the very real threat of falling victim to a cyberattack, increasing numbers of Australian businesses are evaluating the worth of insurance policies. However, this is easier said than done, writes Scott Hesford, Director of Solutions Engineering, Asia Pacific and Japan at BeyondTrust.

Cybersecurity insurance is designed to protect a business from the potentially dire implications of an attack on their IT infrastructure. These could range from significant financial losses to long-term reputational damage.

The cover offered by insurance providers has gained increased attention during the Covid-19 lockdowns. With many of their staff working from home, businesses are realising their pre-pandemic security measures are no longer providing the level of protection they require.

A reliance on firewalls and other on-premises measures is simply insufficient. Home-based workers – thanks to insecure WiFi, unpatched personal devices and generally poor cyber hygiene – are more susceptible to everything from phishing campaigns to ransomware attacks and more.

These concerns come at a time when the number of high-profile attacks is on the rise. Breaches such as Colonial Pipeline, JBS Meats, Nine Entertainment and Kaseya captured headlines and caused massive disruption for the victims.

Meanwhile, the ransomware scourge continues to grow. Last October, the Federal Government's Ransomware Action Plan noted a 15 per cent increase in the number of ransomware attacks reported to the Australian Cyber Security Centre over the prior 12 months. CrowdStrike, meanwhile, puts the average ransom paid by an Australian company at $1.25 million.

Underwriting requirements tightening

This increase in cyberattack numbers and payouts is having a direct impact on the cyber insurance market. To stay solvent and viable, many insurers are significantly increasing premiums, dropping coverage, or exiting the cyber insurance market altogether.

Indeed, a report issued by Aon last month found that the cost of cybersecurity insurance increased more than 113 per cent in the past year with renewals likely to be at least 70 per cent more expensive in the next quarter alone.

Insurers are also tightening underwriting guidelines and mandating their customers have certain security controls in place, such as privileged access management (PAM).

They are also becoming more selective about who they are willing to cover. Just as a driver who is involved in multiple accidents may be dropped by their insurer, a business with a poor security record may be dropped by its cyber insurer. From an insurer's standpoint, not every applicant is a good candidate.

Qualification for cyberattack coverage is being carefully assessed, and potentially denied, based on the answers prospective and current customers give to comprehensive security questionnaires. Insurance companies are also increasingly hiring security professionals to help them decide which customers qualify and which pose too great a risk to insure.

Another development in the market is the focusing of insurance policies on particular cyber risks. An insurer may offer a client coverage for malware and spyware but refuse to cover events in which ransomware is involved. In fact, there is an argument to be made that ransomware attackers will retarget businesses that have paid previously, precisely because cyber insurance made that payment possible.

Boosting your cyber insurability

Organisations need to consider that, if they are not taking robust precautions to protect against cyber threats, they cannot assume that cyber insurance will bail them out after an attack.

Insurers will increasingly hold firms accountable for their cybersecurity programs and levels of protection. They expect their customers to adequately uphold their end of the bargain with regard to mitigating risk, reducing attack surfaces, and having mature IT security strategies.

Also, if a business does fall victim to an attack, its insurance company may require proof that the agreed-upon security measures were in place at the time. Absence of a control, even on a single endpoint or application, may give the insurer the leeway it needs to deny a claim in court.

Implementing and managing PAM security controls ranks as one of the best ways a business can not only proactively reduce its cyber risk but also improve its ability to obtain cyber insurance coverage at the best possible rates.

Indeed, multiple security controls are now commonly required by cyber insurers. These controls include enforcing least privilege (including removing admin rights) across both human and machine accounts.

Some insurers also require businesses to apply multi-factor authentication to remote access to their core network by employees and third parties. They may also demand that the business has the ability to identify and remediate indicators of compromise (IoCs).
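The two requirements above (least privilege across human and machine accounts, and MFA on remote access) are the kind of thing an underwriting questionnaire asks a business to attest to, and a claim may later require evidence for. The following is an added example, not code from the article or from BeyondTrust, showing how a practitioner might turn an account inventory into that evidence. The inventory format, the account and group names, and the three findings it reports are all assumptions chosen for illustration; a real run would load an export from Active Directory, a cloud IAM API or a PAM tool. It goes slightly beyond the article's wording by resolving nested group membership, because an account that is an administrator only through a nested group is exactly the case a one-line "is this user in the Administrators group?" check misses.

```python
"""Least-privilege and MFA evidence check over a constructed account inventory.

Added example; not part of the original article or BeyondTrust's software.
The inventory format, group names and account names below are assumptions
made for illustration only.
"""
from collections import deque

# Constructed sample data: each group maps to the groups it is nested inside.
# "helpdesk" is a member of "Administrators", so helpdesk members are admins
# even though no account lists "Administrators" directly.
GROUP_MEMBERS_OF = {
    "helpdesk": {"Administrators"},
    "Domain Admins": {"Administrators"},
    "finance": set(),
    "Administrators": set(),
    "vpn-users": set(),
}

# Groups that confer administrative rights (assumption for this example).
ADMIN_GROUPS = {"Administrators", "Domain Admins"}

# Constructed sample accounts: "type" is "human" or "machine" (service account).
ACCOUNTS = [
    {"name": "alice", "type": "human", "groups": {"finance"}, "remote_access": True, "mfa": True},
    {"name": "bob", "type": "human", "groups": {"helpdesk"}, "remote_access": True, "mfa": False},
    {"name": "svc-backup", "type": "machine", "groups": {"Domain Admins"}, "remote_access": False, "mfa": False},
    {"name": "svc-web", "type": "machine", "groups": {"vpn-users"}, "remote_access": True, "mfa": False},
    {"name": "carol", "type": "human", "groups": {"vpn-users"}, "remote_access": True, "mfa": True},
]


def effective_groups(direct, memberships):
    """Expand direct group membership through nested groups.

    Breadth-first walk over the nesting graph; each group is visited once,
    so a nesting cycle (a in b, b in a) terminates rather than looping.
    """
    seen = set()
    queue = deque(direct)
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(memberships.get(group, ()))
    return seen


def audit(accounts, memberships, admin_groups):
    """Return (account name, finding) pairs for three common underwriting asks:
    admin rights on human accounts, admin rights on machine accounts,
    and remote access without MFA."""
    findings = []
    for acct in accounts:
        groups = effective_groups(acct["groups"], memberships)
        is_admin = bool(groups & admin_groups)
        if is_admin and acct["type"] == "human":
            findings.append((acct["name"], "human account holds admin rights"))
        if is_admin and acct["type"] == "machine":
            findings.append((acct["name"], "service account holds admin rights"))
        if acct["remote_access"] and not acct["mfa"]:
            findings.append((acct["name"], "remote access without MFA"))
    return findings


def summarize(findings, accounts):
    """Coverage figures of the sort a questionnaire asks for:
    how many accounts are clean versus flagged by at least one finding."""
    flagged = {name for name, _ in findings}
    return {"accounts": len(accounts), "flagged": len(flagged),
            "clean": len(accounts) - len(flagged)}


if __name__ == "__main__":
    results = audit(ACCOUNTS, GROUP_MEMBERS_OF, ADMIN_GROUPS)
    for name, why in results:
        print(f"{name}: {why}")
    print(summarize(results, ACCOUNTS))
```

Run against the constructed inventory, the check flags `bob` twice (an administrator via the nested `helpdesk` group, and remote access without MFA), `svc-backup` as a service account holding admin rights, and `svc-web` for remote access without MFA; `alice` and `carol` are clean. The useful part for insurability is not the counts but the fact that the same script, run on a schedule against a real export, produces a dated record of which accounts held which rights, which is the evidence a claim may later turn on.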

It’s clear that the cyber insurance market is changing rapidly. Businesses may find it increasingly difficult to secure coverage and, if they do, it may not be as comprehensive as has been the case in the past.

Indeed, company management needs to consider long-term strategies that meet not just the specific compliance requirements of their own industry but also those arising from the ever-evolving threat landscape and insurance environment.