Download Trend Micro's Guide to Cyber Insurance
Just a decade ago, it seemed like the only requirement from cyber insurance carriers was the need for a policy; the application process was easy, and the questionnaire was simple. But as ransomware attacks grew in popularity and damage, carriers were forced to tighten the reigns to keep a balanced book. In 2020, we witnessed the cyber insurance market harden for the first time ever. Since then, carriers continue to adapt their application requirements in line with threat trends and emerging security capabilities.
To help CISOs and security leaders strengthen their cybersecurity strategy, I’ve put together four predictions for changes to cyber insurance requirements in 2023.
Cyber Insurance Requirements Predictions
Prediction #1: Cloud misconfigurations will lead to more cyber insurance claims
Cloud misconfigurations will continue to grow as a threat vector due to increased adoption rates and poor security policies. In early 2022, Forrester predicted that cloud-native adoption would rise to half of all enterprise organisations following previously observed trends. Furthermore, Gartner predicted that by 2025, 99% of cloud security failures would be the customers’ fault, suggesting that misconfigurations will continue to be a serious issue.
Not only are cloud misconfigurations the third most common attack vector for data breaches, but Microsoft found that over 80% of ransomware attacks can be traced to common configuration errors in cloud services. Considering that ransomware is the leading cause of cyber insurance claims – and continues to grow – it’s plausible that carriers will require more stringent security controls and policies to contain this threat vector.
Security leaders will need to strengthen their cloud security posture to show carriers that they can minimise misconfigurations. This starts with choosing a cloud-native security solution that can automate security and compliance.
Read more: Hybrid Cloud Management Security Tools
Prediction #2: Carriers will consider organisations with XDR less risky
The name of the game for organisations is to show the cyber insurance underwriter that they have effective cybersecurity policies and countermeasures in place that make them less risky. For quite some time, endpoint detection and response (EDR) has been one of the baseline cyber insurance requirements that underwriters look for when evaluating risk.
Unfortunately, EDR just isn’t enough in today’s threat landscape. Not all threats originate at the endpoint. Web applications and email are the top two vectors for breaches according to Verizon’s 2022 Data Breach Investigations Report. In fact, 94% of malware originates in email – and over 30% of breach cases involve some type of malware.
Enter: extended detection and response (XDR), the evolution of EDR. It goes beyond the single-vector approach by collecting and correlating data in real time across multiple security layers like email, server, cloud workload, network, and endpoint. This provides security teams with a full understanding of the chain of attack, enabling faster detection, response, and remediation which leads to lower cyber risk.
Requiring XDR makes sense for organisations and cyber insurance carriers. The logic is simple: XDR = lower cyber risk. Lower cyber risk = less claims. Less claims = less money spent for cyber insurance carriers and customers. A win-win if I’ve ever seen one.
Read more: Guide to Better Threat Detection and Response
Prediction #3: Vulnerability prioritisation capabilities will become crucially important
Most businesses have a patching strategy in place; at least they should after witnessing the destruction left behind by Log4j. Given that flaws can be exploited in mere minutes, vulnerability prioritisation is key to an effective strategy. Come game time, organisations can’t waste valuable time deciding what needs to be patched first. And with supply chain attacks on the rise, taking stock and prioritising open-source repositories is critical to limiting the scope of an attack.
If we take it a step further, the very act of prioritising vulnerabilities is a great indicator to insurers that you have comprehensive visibility across the attack surface. An underwriter will look kindly upon organisations that can demonstrate that they have the right security solution in place for centralised, proactive, and defragmented monitoring, tracking, analysis, identification, and detection of vulnerable areas.
Read more: Software Patch Management Policy Best Practices
Prediction #4: Businesses will be required to have a “second set of eyes” to contain policy costs
Think of managed solutions like a copyeditor for a novelist. It’s a second set of expert eyes that can address security gaps and augment teams with low resources and staff. Forrester notes that “[Managed detection and response] acquisitions can give insurers: high-value data about attacker activity to refine underwriting guidelines; 2) unparalleled visibility into policyholder environments; and 3) the ability to verify attestations.”
Going a step further, look for a vendor that converges MDR and incident response (IR) services within a single solution. IR services enable faster time to contain and limit the scope of an attack, therefore lowering any associated financial damages.
When renewing a policy, carriers need assurance that an organisations’ security posture has evolved with the threat landscape to minimise cyber risk. Managed solutions are part of this evolution, which is why I predict they will join XDR and vulnerability prioritisation and new cyber insurance requirements.
Read more: Cyber Security Managed Services 101
For more information, check out our cyber insurance resources.