If the phrase “Great Scott!” in this blog’s title resonated with you, you might be a fan of the 1985 movie Back to the Future. It centered on Marty McFly and his pal, Doc Brown (the guy who shrieks “Great Scott” a lot, but it’s funny). Marty travels thirty years back to the past in Doc Brown’s time machine and spends the rest of the movie trying to get—yes—back to the future. See it if only for the gull-wing DeLorean, the most stylish way imaginable to travel through time.
Segue alert. Cyber insurance is a lot like a time machine. Ideally, it provides a reset, so that even if your organization suffers a breach, collecting on your cyber insurance policy gives you the chance to fix the damage and get back to business quickly. But while we avoid giving spoilers on this blog, sometimes, in the realms of time travel and cyber insurance, you don’t end up back where you started, not exactly. That’s all we’ll say about the movie. But cyber insurance: Why wouldn’t it be the perfect slate-cleaner? For one thing, getting a cyber insurance policy, and collecting on it, involves some hurdles. As the Compliance OS masters, our team at Anecdotes will talk about cyber insurance requirements, and why a solid Compliance posture is essential whether or not you decide to purchase (or collect on) cyber insurance.
Risk, Redux: Understanding Cyber Insurance in Regard to Risk
We’ve talked about risk before, but here’s a quick refresher. There are four main ways to respond to business risk, each with its pros and cons, and businesses generally use a mix of these approaches:
- Avoidance: Hard to pull off when your risk involves a component or process that’s essential to running your business.
- Acceptance: You might accept all risks as a small startup because you have no customers and therefore no customer data. Beyond that point, a risk that exceeds your organization’s established risk appetite needs a different approach.
- Mitigation: Mitigating risk is the core of what a Compliance team does: help build controls, test that they’re actually working, and measure the ROI of your risk-mitigation measures.
- Transfer: Why is cyber insurance important in the first place? Because your risk register indicates that one or more risks are beyond your organization’s risk appetite and too big even to mitigate. Cyber insurance is the solution, in theory, for managing catastrophic risk where the costs of making your organization whole would otherwise be too great. Your organization pays premiums, and in the event of a catastrophe it gets a payout that, in theory, covers financial losses and the costs of digital forensic investigations and lawsuits. Cyber insurance does not cover all losses (which we’ll discuss further, below). Cyber insurance coverage can take the form of a first-party contract or a third-party contract. What is the difference between first-party and third-party cyber insurance? First-party coverage protects your company’s data, including employee and customer information. Third-party coverage generally protects you from liability if a third party brings claims against you.
The Importance of Cyber Insurance — and Why it’s Getting Harder to Get the Coverage you Need
As cyber insurance payouts have soared, insurers have raised premiums — which increased by 53% globally in the third quarter of 2022. Cyber insurance policies have become difficult to obtain because insurers have also increased exclusions. In addition, insurers are imposing stricter underwriting requirements, demanding more evidence that an applicant for cyber insurance has strong security measures — and if not, an insurer may charge a higher premium, exclude ransomware and other events and items from the policy, or simply turn down the applicant. And buying coverage against ransomware attacks doesn’t guarantee the insurer will pay up.
The lack of proper controls can be fatal, as seen in the case of Travelers Property Casualty Company of America v. International Control Services, Inc. (No. 22-cv-2145). There, a policyholder’s multi-factor authentication (MFA) turned out to be incomplete, contrary to its statement on its application — thereby leaving the organization exposed to a known vulnerability which was exploited by a threat actor. The result: The policyholder could not collect.
Finally, in the event of a cyber attack, what does cyber insurance cover? It covers a direct financial loss. However, if a policyholder who suffers a ransomware attack does manage to collect, they won’t necessarily be compensated for the reputational hit.
The cyber insurance coverage gap is significant enough that the US Treasury Department considered a national cyber insurance program as a backstop to cover “catastrophic” attacks that involve critical infrastructure.
But with cyberattacks becoming more frequent, severe, and expensive, the benefits of cyber insurance remain an important element of loss recovery measures in case of a cyberattack.
Preparing for Cyber Insurance Requirements
If your organization wants to get cyber insurance, it should take certain steps to prepare for the process. Without getting mired in details, here’s an overview of what to look for in cyber insurance coverage:
- Perform a detailed cyber risk assessment with the help of an expert, and identify relevant cyber threats.
- Shop around for reputable insurers.
- Discuss with your shortlist of potential insurers which cyber threats should be covered.
- Review the plan carefully, especially exclusions.
- Negotiate.
Your company should also consider the type and cost of the coverage it requires. Make sure your policy has enough coverage for your organization’s ever-changing needs. And at the risk of repetition, know exactly what your policy covers and excludes, including the triggers, limits, and conditions that affect coverage, to avoid unwelcome surprises later.
Cyber Insurance Coverage goes Hand-in-Hand with Compliance
A company seeking cyber insurance can benefit from having strong Compliance. That may not seem obvious: Isn’t cyber insurance supposed to mean that you’re (mostly) covered when bad things happen? So why is Compliance still important?
The obvious answer: Whether it has cyber insurance or not, an organization that has adopted ISO, SOC 2, etc., will still need to show that it complies with those frameworks. But for a company seeking cyber insurance, a strong Compliance posture — one that reflects the presence of effective controls — can also do the following:
- Make it more likely that the applicant will meet cyber insurance requirements and will be offered cyber insurance,
- Reduce the applicant’s cyber insurance premiums,
- Reduce the likelihood that it falls victim to a cyberattack, and
- Avoid what happened in the Travelers case, in which the policyholder’s inadequate controls allowed the insurer to rescind the policy.
In fact, insurers are more frequently asking applicants whether and how often they undergo third-party audits, including SOC reports and HITRUST certification.
Cyber Insurance and Compliance
Here are five Compliance-related cyber insurance tips that could help you get cyber insurance, as well as strengthen your defenses:
- Business continuity planning (or, backing up data isn’t enough).* The best defense against having to pay up if ransomware hits: backing up data. But data doesn’t help if it’s unusable. So make sure the data you back up is uncorrupted. Store it wisely. And regularly test your data recovery ability. Sometimes companies learn from adversity. A Minnesota trucking company that had to pay a ransom in 2018 was struck again in early 2022. This time, though, they credited “quick action, training and cloud-based backups” with allowing them to resume 90% functionality quickly and avoid paying a ransom.
- The human element: train users to recognize phishing attacks.** But try not to use “gotcha” training—phishing simulation programs that fool employees into clicking and make them feel incredibly stupid (and angry) for falling for the trick email. Gotcha training tends to embarrass people and doesn’t necessarily drive them to learn to recognize phishing emails. Instead, use effective training methods with measurable results, so you know that they are building users’ resistance to being attacked. In a Swiss study published in December 2021 of a simulated phishing program, crowd-sourced phishing detection was found effective and practical, while embedded phishing training did not increase security.
- Invest in reliable endpoint detection and response (EDR).*** If ransomware or other malware gets on a laptop, EDR will detect it and respond appropriately. What if a user forgets all their training and clicks on a phishing link? With EDR, their laptop detects that malware before it gets to your production environment.
- Use MFA.**** MFA is an additional strong defense in case a user clicks on a phishing email that would otherwise give attackers access. Almost half of all data breaches in the first half of 2022 began with stolen credentials.
- Look to your Compliance for assurance that your company is as secure as you think. Are your security controls working as you think they are? That’s where Compliance comes in — to validate that the controls you need are in place and effective. Did an engineer disable the EDR tool on their laptop? You should have a control that can tell you that and will disable the laptop until the EDR is re-enabled.
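The last four tips all come down to the same pattern: a control that continuously checks whether the safeguard you told the insurer about is actually in place, and produces a finding when it is not. The script below is an added example of that pattern, not code from this blog or from the Anecdotes product. It assumes an endpoint inventory and a backup catalogue exported as JSON lines (the field names, the 90-day restore-test policy and all sample records are constructed), checks that EDR is running on every host and that every owner has MFA enrolled, checks that each dataset has a recent and successful restore test, and verifies stored backup copies against a hash manifest taken at backup time so that a corrupted copy is caught before you need it.

```python
"""Continuous control checks for the tips above: EDR running on every endpoint,
MFA enrolled for every user, backups hash-verified and restore-tested recently.

Added example, not code from the blog or from Anecdotes. The inventory format,
field names and thresholds are assumptions; all sample data is constructed.
"""
import hashlib
import json
from datetime import date, timedelta

# Constructed endpoint inventory (JSON lines), as an EDR/MDM export might look.
ENDPOINTS_JSONL = """\
{"host": "laptop-01", "owner": "alice", "edr_agent_running": true, "mfa_enrolled": true}
{"host": "laptop-02", "owner": "bob",   "edr_agent_running": false, "mfa_enrolled": true}
{"host": "laptop-03", "owner": "carol", "edr_agent_running": true, "mfa_enrolled": false}
"""

# Constructed backup catalogue: when each dataset was last restore-tested and whether it passed.
BACKUP_JOBS_JSONL = """\
{"dataset": "prod-db",    "last_restore_test": "2023-02-20", "restore_test_passed": true}
{"dataset": "file-share", "last_restore_test": "2022-10-05", "restore_test_passed": true}
{"dataset": "hr-docs",    "last_restore_test": "2023-02-25", "restore_test_passed": false}
"""

AS_OF = date(2023, 3, 2)                   # assumed "today" for the staleness check
MAX_RESTORE_TEST_AGE = timedelta(days=90)  # assumed policy: restore-test each dataset quarterly


def parse_jsonl(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_endpoints(records):
    """Flag hosts with EDR disabled and owners without MFA (detect, then remediate)."""
    findings = []
    for r in records:
        if not r["edr_agent_running"]:
            findings.append(("EDR_DISABLED", r["host"], "isolate host until the EDR agent is re-enabled"))
        if not r["mfa_enrolled"]:
            findings.append(("MFA_MISSING", r["owner"], "block sign-in until MFA is enrolled"))
    return findings


def check_restore_tests(records, as_of=AS_OF, max_age=MAX_RESTORE_TEST_AGE):
    """Flag datasets whose last restore test is stale or failed (backing up is not enough)."""
    findings = []
    for r in records:
        last_test = date.fromisoformat(r["last_restore_test"])
        if as_of - last_test > max_age:
            findings.append(("RESTORE_TEST_STALE", r["dataset"], f"last tested {last_test}"))
        if not r["restore_test_passed"]:
            findings.append(("RESTORE_TEST_FAILED", r["dataset"], "restore produced unusable data"))
    return findings


def make_manifest(backups):
    """Record a SHA-256 per dataset at backup time; keep the manifest apart from the data."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in backups.items()}


def check_integrity(manifest, stored_copies):
    """Flag stored copies whose hash no longer matches the manifest (corruption or tampering)."""
    findings = []
    for name, expected in manifest.items():
        actual = hashlib.sha256(stored_copies.get(name, b"")).hexdigest()
        if actual != expected:
            findings.append(("BACKUP_INTEGRITY_MISMATCH", name, "hash differs from manifest"))
    return findings


def run_controls():
    """Run every control and return the combined list of (code, subject, detail) findings."""
    findings = check_endpoints(parse_jsonl(ENDPOINTS_JSONL))
    findings += check_restore_tests(parse_jsonl(BACKUP_JOBS_JSONL))

    # Constructed backup payloads: the manifest is taken at backup time, then one
    # stored copy is silently altered, as a failing disk or an intruder might do.
    originals = {"prod-db": b"prod-db dump 2023-03-01", "file-share": b"file-share archive 2023-03-01"}
    manifest = make_manifest(originals)
    stored = dict(originals)
    stored["file-share"] = stored["file-share"][:-1] + b"X"  # one byte changed
    findings += check_integrity(manifest, stored)
    return findings


if __name__ == "__main__":
    for code, subject, detail in run_controls():
        print(f"{code:28} {subject:12} {detail}")
```

Run as-is, the script reports five findings: EDR disabled on laptop-02, no MFA for carol, a restore test for file-share older than the 90-day policy, a failed restore test for hr-docs, and a hash mismatch on the altered file-share copy. Each finding is the evidence an auditor or underwriter would ask for, produced on a schedule rather than reconstructed after a claim.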
How Compliance is the Key to Achieving Cyber Insurance Requirements Plus More
OK. It’s not a time travel movie. Still, the goal of cyber insurance is to get your company back in business as soon as possible in case of a cyberattack. But why not aim higher? Robust Security Compliance is a business’s best chance of meeting cyber insurance requirements, and getting it at better rates, without an exclusion for ransomware — while reducing the likelihood of being the victim of a cyberattack in the first place. Because really, you want that cyber insurance policy in case all your precautions fail – but wouldn’t you prefer to avoid having to collect on it, and face the disruption of a ransomware attack? When your Compliance posture helps you prevent bad things from happening, you can live happily ever after.
Using a Compliance operating system can scale up your risk and Compliance posture, enabling you to fulfill those cyber insurance requirements quickly and seamlessly. Get in touch today to discover how.
---------
*Compliance requirements around business continuity planning include:
- SOC 2 - CC7.5, CC9.1
- CIS - 11
- ISO 27701 - 6.14.1.2
- NIST CSF - ID.BE-5, PR.IP-9, RC.RP-1
- HIPAA - 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.310(b)
- GDPR - Art 32.1, Art 32.2
**Compliance requirements around security awareness training for phishing include:
- SOC 2 - CC1.1, CC1.4, CC1.5
- CSA CCM - HRS-01, HRS-02, HRS-03, HRS-04
- NIST 171 - NFO - PS-1
- NIST CSF - PR.IP-11
- PCI DSS 4.0 - 12.2, 12.2.1, 12.7, 12.7.1
- GDPR - Art 32.1, Art 32.2, Art 32.4
***Compliance requirements around EDR include:
- CSA CCM - UEM-07
- ISO 27701 - 6.9.6.2
****Compliance requirements around MFA include:
- CIS - 6.3, 6.4
- CSA CCM - IAM-14
- ISO 27701 - 6.8.1.2
- NIST 171 - 3.5.3
- NIST CSF - PR.AC-7
- PCI 4.0 - 8.2.3, 8.4, 8.4.2, 8.4.3, 8.5.1
- NYDFS - 500.12