By Dr. Mehran Basiratmand, Former Chief Technology Officer & Executive Director, Florida Atlantic University | CIO Strategic Advisor, Enabling Technologies Corp
The cyber security insurance market is in flux, and this has created a new set of challenges for IT leaders. Many organizations have experienced substantial increases in their premiums, while others have been asked to harden their security postures significantly to qualify for coverage.
All of this is a direct result of the level of sophistication bad actors are now deploying to access corporate data. One area that has become more vulnerable is backup repositories. The traditional ransomware attack consists of encrypting “live data” and requesting some form of untraceable cryptocurrency payment to provide a decryption key to reverse the data file encryption process. Today’s attacks now include deploying tools to access backup files and attempt to encrypt them.
IT leaders have mixed views on ransomware payments, generally aligned with a cost-benefit analysis of an extended downtime to recover vs. payment to restore systems to a good state. A primary reason for purchasing cyber security insurance is to have the insurance company handle these payments on a timely basis and assume the risk as part of the policy. Cyber insurance providers have also reached a level of maturity in this market. They have built safeguards into their policies to deny payments. These safeguards include, but are not limited to, the organizational security posture, patch management strategies, a data governance model, end-user security awareness programs, and data encryption in transit and at rest.
The cost of cyber security insurance premiums has increased each quarter since 2019. Based on a report from the Arthur J. Gallagher & Co. insurance brokerage, the cost of premiums in the first quarter of 2022 increased by 37%. While the cost is increasing, insurance companies have also opted to reduce coverage, increasing their deductibles and setting a lower payment cap per incident to minimize their liability. In some cases, the reduction is close to 80% of the coverage traditionally offered.
In this article, we outline two key areas for IT leaders and other executives to evaluate as they consider renewing an existing cyber insurance policy or purchasing a new one.
The first area requires engaging a vendor with expertise and experience in the cyber insurance marketplace. Such brokers generally shop for a solution that fulfills your regulatory requirements and fits your budget. A good everyday analogy is the traditional travel agency that investigates and evaluates options and negotiates discounted fares for cruises, hotels, airlines, and travel packages on behalf of its clients. Finding a policy that suits you is time-consuming and requires an in-depth understanding of the various offers. It is highly recommended that you negotiate the cyber insurance broker fee in advance and pay the broker directly as your agent. Many of these brokerage firms are paid by the insurance companies in the form of a finder’s fee. This is problematic because the broker should be representing your interests, not the insurance company’s bottom line. During the selection process, it would be prudent to have a third-party technology company participate in the discussion to offer candid feedback on the feasibility of the technical recommendations of both the insurance company and the brokerage firm. This facilitates a more holistic approach that reduces your risk and will likely lead to a higher discount. This additional resource offers an objective assessment of your organization’s cyber security position and provides you with best practices and tangible actions to reduce your exposure during the cyber insurance selection process.
The second area is to embark on hardening activities related to the cyber security state of your enterprise. In many cases, your additional technical resource could also undertake this engagement. This is a five-phase approach that consists of the following:
- Understanding current policies and practices
- Addressing and prioritizing technical deficiencies
- Modifying existing policies and procedures
- Providing comprehensive user training
- Anchoring organizational change management for continuous improvement
Phase I of this process is best accomplished by conducting a security gap analysis. This entails reviewing the cyber insurance requirements and comparing them to the existing state of cyber security artifacts around patch management activities, end-node device security policies, encryption, data loss prevention, backup, provisioning of cloud usage, and a process for decommissioning unsupported application versions.
Phase II builds a plan to bring devices, servers, and applications, including cloud-based resources, to the latest patch levels, and enforces your technology life-cycle policy. This can be automated by utilizing one of the mature products in the marketplace that supports multiple end-node devices and operating systems. For example, Microsoft 365 Defender, combined with Purview, offers a series of tools to assess and automate patching, provides enterprise defense protection, and delivers an analysis of security configuration and compliance.
Once the systems and software packages are brought up to the latest security or patch level, the need to modify existing policies, which constitutes Phase III, is paramount. Many enterprises struggle with modifying existing policies or developing new ones due to a lack of an adequate inventory of the services and software packages in use. In some cases, application adoption has occurred organically without the prior knowledge of the IT team. As a rule, a new policy should be drafted and subsequently adopted that defines the procedure for adding a new service (such as MS Teams, SharePoint, OneDrive, MFA, etc.). This eliminates the need to allocate significant resources annually to review policies and propose fixes for their gaps. To ensure the organization does not revert to the old habit of falling behind on patches, it would be prudent to establish a regular review process that confirms patches are up to date. This also reduces the potential for a successful intrusion and improves the likelihood of achieving more favorable rates.
Phase IV involves user training, which is as vital as any of the technical safeguards. It is imperative to educate users on phishing, impersonation, password selection best practices, and other social engineering techniques used by cyber threat actors (CTAs), as well as to help users understand regulatory compliance where applicable. A formal training program from a reputable vendor that provides an employee scoring system should be implemented. Insurance companies generally have vendors of choice that provide added value for security awareness programs. This also serves as another pillar in reducing cyber insurance costs.
It is crucial in Phase V to adopt organizational change management methodologies to continually review the state of security, risk management, regulatory compliance, and awareness, and to effectively communicate policies and procedures to users. These steps require a top-down commitment by the entire organization. It is beneficial to seek technical expertise and advice from an outside entity with no preconceived notions that can objectively assess the various offers.
An ongoing candid conversation between all parties, consisting of your team, the proposed cyber insurance company, your insurance broker, and external technical resources, will yield a positive result. This ensures that subject matter experts will protect your investment while endorsing the best cyber security policy premium for your organization. The investment in both an insurance broker and an outside technical firm is well worth the cost, and it will facilitate a smoother ride through the maze of the cyber insurance journey.
Dr. Mehran Basiratmand is a member of the Enabling Technologies Corp CIO Strategic Advisory team. He has well over 30 years of broad experience leading innovation in complex technology enterprises in higher education institutions as well as other public entities such as healthcare, state government, and more. Prior to joining Enabling Technologies Corp, he served as Chief Technology Officer at FAU, supporting technology infrastructure, data center, voice and data services, business intelligence and analytics, cloud services, SaaS, high performance computing, Enterprise Resource Planning, and user services. In addition, he served as the Chairperson of the Policy Board at NWRDC, the largest public data center in the State of Florida, for well over 10 years. Mehran has authored several publications addressing technology modernization and adoption. Enabling Technologies Corp has 30 years of extensive technology experience and expertise in delivering solutions to its customers as a premier Microsoft partner.