I recently had the privilege of organizing a knowledge-sharing webinar, where we brought together a panel of cyber security insurance (CSI) experts. Our discussion revolved around the present and future state of the industry, and I gained a wealth of valuable insights along the way which inspired this blog.
One of the prevailing themes during both the discussion and my research was that the CSI landscape is evolving rapidly. Recent events and trends such as high-profile data breaches, sophistication of cyber threats and regulatory compliance requirements has resulted in:
- Premiums rising dramatically or not being renewed at all
- Increased scrutiny on cyber security control requirements
In this blog we will focus on the role of the IT and Security professional (a.ka. Technologist) in helping their businesses address these challenges and more.
The role of the technologist in CSI evaluation phases
While the CSI evaluation process can vary depending on factors like business complexity, size, and industry, there is typically a common set of activities where technology professionals can contribute their expertise.
Below are some common examples of the typical phases and common tasks that can be performed by technologists.
One of the key phases where technology is almost always engaged, is in the completion of the CSI questionnaire. In this blog, I will focus on this particular phase.
Most CSI questionnaires tend to focus on a standard set of security controls. The diagram below covers the common cyber security controls you may find in a CSI questionnaire:
Source: https://www.kroll.com/en/insights/publications/cyber/10-essential-cyber-security-controls
As this is an IAM blog, I will zoom in on access management and MFA, but the same approach can be applied to all the other controls. Let’s start by looking at some examples of the type of questions you will commonly see in a CSI questionnaire in regards to MFA.
| Sample questions |
| Can you please confirm your use of Multifactor Authentication (MFA) for: 1. % of remote access connections: _________ % 2. % of email accounts: _________ % 3. % of privileged accounts (internal & remote access): _________ % 4. If there are exceptions to the above, please detail how extensive these exceptions are and why they are made: |
| Have you disabled remote desktop protocol (RDP)?If No, have you implemented MFA on RDP |
As a technologist who understands MFA, you may be surprised by how overly simplistic these questions appear, which actually brings to light some of the underlying challenges with CSI. Here are the key ones:
- Traditional insurers looking to expand into cyber security do not have the experience, experts and data
- Technology, in particular software, moves and evolves much faster than traditional areas that insurers have been successful in.
The result, insurers not being able to do, what they need to do best, attain a deep understanding of risk. Insurers must invest in developing a deep understanding of the risks associated with the industries they serve. This involves staying updated on emerging technologies, evolving cyber threats, and regulatory changes. Only by understanding the unique risks faced by businesses, can insurers accurately assess and underwrite policies that provide appropriate coverage.
Let’s continue on with the MFA example. As IAM enthusiasts, we know that not all MFA is created equal from a security risk perspective. This Factor Assurance article describes it well. We also know that MFA needs to continue to evolve to counter the evolving threats. For example, Okta recently introduced Phishing-Resistant Multi-Factor Authentication to help our customers defend against more sophisticated socially engineered phishing attacks.
In terms of an assessment of risk, it could be argued that adopting a higher assurance MFA strategy and utilizing modern MFA authenticators, significantly lowers risk and in-turn should be rewarded with a better premium? In reality, if you made this argument today, most brokers and CSI providers would probably be staring at you blankly.
So now that we understand the challenges, it’s time to get your business future ready. Here are some calls to action.
Top 3 actions – You can start doing today to make a difference.
Work with your business and help source and interview CSI brokers and providers that specialise in cyber security
One of the more straightforward yet impactful recommendations for your business is to consult with CSI brokers that possess a strong understanding of technology. These brokers typically collaborate with specialised cyber security insurers. By engaging technology-savvy brokers you can benefit from their in-depth experience in bridging technology and insurance discussions. They are also more inclined to negotiate on security controls, providing valuable guidance tailored to your specific needs and better premiums based on your organisation’s cyber security posture.
A CSI controls discussion is an opportunity to discuss risk and educate the business and access funding!
Utilise discussions on CSI controls to educate internal stakeholders and identify areas where investments can be made to enhance your organisation’s security posture. By making strategic investments in security, you can not only improve your overall protection but also potentially obtain better value from your insurance coverage. The savings achieved through improved insurance terms can then be reinvested in strengthening your security tools and overall security posture.
Prepare NOW for what is coming in the CSI Industry
All the work you do in the above 2 actions will serve you well, here is some of what to expect:
- Insurers are likely to implement increasingly intricate coverage terms, requiring organisations to showcase stronger security controls. Merely checking the box for multi-factor authentication (MFA) may no longer be sufficient to secure the best value or obtain insurance coverage.
- Insurers may adopt advanced techniques for risk assessment and quantification to gain a deeper understanding of an organization’s cyber risk profile. This evaluation will influence both the provision of coverage and its associated cost.
- Insurers may establish partnerships or mandate 3rd party cyber security services to complement insurance coverage.
In summary, as technologists, we more than most understand that CSI does not replace the importance of implementing advanced, modern security controls. None the less your businesses will most likely be required to evaluate or reevaluate CSI, as a tool for risk mitigation and financial protection. As the market matures, IT and Security will need to play a leading role in preparing your business for the future and ensuring that it is well-equipped to obtain the best value and protection. Hope this blog offers some insights and guidance and helps you along this journey.
