Demystifying Cyber Insurance: 7 Key Security Controls Every Organization Should Have

7 Key Security Controls Every Organization Should Have

In 2017, a global food manufacturing company was hit by NotPetya malware. While the virus was originally believed to have originated as a Russian nation-state attack against Ukraine, it quickly hit companies around the world.

At Mondelez International, parent company to well-known brands such as Ritz and Oreo, the attack quickly spread throughout its infrastructure rendering nearly 2,000 systems inoperable, affecting some 24,000 laptops, and ended up costing the company more than $100 million in damages. 

What does this real-world cyber-attack incident have to do with cyber insurance? Some argue this event has played a significant role in reshaping cyber insurance as we know it today.

Why? After it became clear how extensive the damages were, the company filed a claim against its traditional property and casualty insurance policy. But that claim was denied.

Cyberattacks are common in today’s connected economy. Security Magazine reports “more than two-thirds (67%) of companies with fewer than 1,000 employees have experienced a cyber-attack, and 58% experienced a breach.” 

The company’s insurer, Zurich American Insurance, said that because the incident was caused by a nation-state actor, it was an act of war and therefore as part of its exclusion clause was not covered by that policy.

Mondelez ultimately sued Zurich. The two entities reached a settlement in late 2022, but details have not been made public. 

Why Cyber Insurance Matters

The NotPetya incident highlights why it’s important that organizations of all sizes understand their insurance policies and coverages, and more specifically, why organizations need to take out cyber insurance policies that cover incidents traditional policies won’t touch.

First, what is cyber insurance?

Cyber liability insurance protects organizations from a range of risks including security, privacy, service, and operations. 

Exactly what these risks are and what they look like vary depending on your organization’s unique characteristics; however, when thinking about investing in cyber liability coverage, it’s important to seek a policy that complements your overall security program and elevates your security posture.

Unfortunately, many organizations struggle with these types of risk assessments, often overlooking critical risks that lead to inadequate planning and a lack of protection when a disruption like a cyber breach occurs.

So, if you’re considering getting your first cyber liability policy or you’re interested in shoring up your existing coverage, how do you effectively assess your risks, so you know which cyber liability coverage is right for your organization?

To begin, consider these key areas when assessing risk for policy coverage: 

Security

• Errors and omissions
• Contractual liabilities
• Aggregation of cyber risk

Privacy

• Network vulnerabilities (malware, ransomware)
• Data breach (PII, PHI, PCI, etc.)
• Confidential data (e.g., CUI, third-party data)

Service

• Consumer-related issues (collection, storage, and usage)
• Regulatory (GDPR, CCPA, NY Shield. etc.)

Operational

• Technology reliance (automation)
• Cloud adoption
• Enterprise systems (ERP, CRM, billing, scheduling, etc.)

From a risk perspective, your organization should seek coverage that supports your unique and specific operational needs. 

Key Trends and Challenges

As we’ve seen an uptick in cyber insurance claims in the past two years, it’s not surprising to see the industry evolving into a hard market. Insurers are not putting out as many policies as they once did, which has been the case for at least the past two years.

On top of that, cyber insurance application forms are increasingly more in-depth, asking for a growing list of requirements for coverage consideration. This is a far cry from where we were just a few years ago when these same applications may, at best, had five to seven questions organizations had to answer.

Why is this happening? As we’ve seen an increase in breaches and breach attempts, cyber events are evolving risk concerns for organizations. To further complicate matters, each organization must think about risk posture and appetite uniquely while insurers are trying to align their policies to meet needs and demands as they’re analyzing what’s actually affecting organizations in the wild.

Insurers are certainly becoming more aware of pain points. While we’re starting to see some harmony in the industry about how to manage those risks, it’s likely this will continue to evolve as the threat landscape continues to expand.

According to a Forbes report, 43% of cyberattacks are aimed at small businesses and only 14% say they are prepared to protect their business if faced with an issue. On a larger scale, according to Munich Re Global Cyber Risk Insurance Survey 2022, 83% of all C-level respondents globally say their organizations are not adequately protected against cyber threats.

So, it’s not surprising to see the Council of Insurance Agents & Brokers (CIAB) report that cyber insurance premiums increased by an average of 28% in the first quarter of 2022 compared to the last quarter of the previous year. 

Changing Cyber Insurance Requirements

Rising premium increases are due in part to heightened awareness of cybersecurity risks and the volume and complexity of events occurring. As such, insurers are imposing increased scrutiny and stricter underwriting requirements. Active defenses such as multifactor authentication (MFA), spam filtering, privileged access management (PAM), and other security controls are now mainstream and expected.

Yet, that doesn’t mean meeting cyber insurance requirements—or even understanding them—is getting any easier. In terms of cyber insurance standards to manage these risks, essentially right now there aren’t any.  

These issues are generally handled by the organization, and not guided by a specific framework or control set. There are some benefits here. For example, your organization has some flexibility on which frameworks to implement and you can do so based on your organization’s industry and unique attributes.

However, there are some basics you can do in terms of mitigating risks for your organization, and cyber insurers are calling on their clients to adopt industry-recognized best practices. 

Yet, it’s not just about saying you’ve got these controls in place. Insurers are giving increased scrutiny and many now require clients to demonstrate they’re effectively doing what they say they are, even for security controls not listed on the cyber insurance application.

If you’re managing your controls and frameworks via spreadsheets and word-processing documents, it can be incredibly difficult to demonstrate your program maturity, especially in real-time. This is where a SaaS-based cybersecurity framework management platform can help.

With a platform like Apptega, you can see exactly where you are in framework implementation and can even get insight into more than one framework at a time—and you can crosswalk multiple frameworks with the Harmony tool.  

If you manage multiple frameworks that meet different areas of your insurance requirements, with Apptega, all that data is in one place. You can even get insight all the way down to individual controls and sub-controls. You can also use the platform to export data about your controls and frameworks to submit with your cyber insurance application.

The benefit here? If you can demonstrate to your insurer that you’re doing what they require and more, you may get more brokerage coverage, more exposure to carriers, and potentially additional discounts or services because you can prove you’re effectively doing what you say you are.

The point here is that when it comes to cyber insurance, you should always approach it with an open mindset, one that takes into consideration ways to establish and mature your cybersecurity program instead of doing just the minimum to pass an audit or secure coverage.

The Threat Landscape

Cyber insurance overlooks an evolving threat landscape. Now, post-pandemic, we must take into consideration increased risks, such as those created by remote workforces. This landscape is evolving and increasing exponentially.

Now that we have more workers out of the office and out from underneath the watchful eye of company policies and procedures, we’re seeing a growing number of organizations victimized by social engineering such as phishing and malicious link engagements.

This changing threat landscape requires additional training and employee education, something that’s often overlooked, especially for small- and mid-sized businesses (SMBs) that may have limited resources and capabilities. Yet, this is an important area that needs attention, especially for cyber insurance coverage.

Some important stats to reflect upon:

•     47% of individuals fall for phishing scams while working from home. 
•     500,000 people globally are impacted by breaches through video conferencing software.
•     Cyberattacks using new malware are up from 20% pre-pandemic to 35% post-pandemic.

Education and good cyber hygiene are becoming mandatory parts of getting cyber coverage and beyond that, it’s just good business practice to have both. 

Continuous Risk Monitoring

While you may be risk-focused while pursuing cyber insurance coverage, you can’t stop there. Mature cyber programs require continuous risk monitoring. 

In fact, if you want the opportunity for better coverage and potentially better rates, don’t wait until you get an insurance application to think about what you need to implement or improve.

The better way to do this is to have your answers long before an insurer mandates security requirements. Again, if you use a cybersecurity management platform like Apptega, you can easily and quickly cull all the data you need to demonstrate what you’re already doing and be more effective in answering additional security questions along the way. 

Written cyber insurance premiums have increased since 2017 and average loss ratios doing the same. Some of the largest insurers are seeing loss ratios at 130% percent. With loss ratios this great, it’s easy to wonder what new requirements are coming so these companies can ensure they’re insuring the right customers with the right security posture. 

Organizations that implement best practices, combined with continuous checks and evaluations, are likely to be more mature compared to those doing these things on a limited basis, or worse yet, haven’t done it at all. Organizations should consider conducting internal security audits at a minimum of annually, but ideally whenever your environment or organization changes. This may make you more appealing to carriers. 

Remember, you should always take into consideration the capabilities your insurer requires, but never rely on that exclusively for adequate and appropriate coverage. 

Understanding Cyber Insurance Policy Coverage 

When seeking out cyber insurance, consider both first- and third-party coverage. Here is a quick overview of each and how they may benefit your organization:

First-party Coverage

First-party coverage can provide reprieve on certain types of services provided or covered by the insurer; however, it can be challenging to find a specific insurer that can provide all of the services you need to align to all of the risk types your organization is focused on. Unfortunately, as of now, there is no standard cyber liability policy out there from an insurance perspective. 

Seek out first-party cyber coverage that will protect your organization’s data, including employee and customer information. Specific areas of first-party coverage to look for: 

•     Legal counsel to determine notification and regulatory obligations
•     Customer notification and call center services
•     Crisis management and public relations
•     Forensic services to investigate a breach
•     Recovery and replacement of lost or stolen data
•     Lost income due to business interruption
•     Cyber extortion and fraud
•     Fees, fines, and penalties related to a cyber incident

Third-party Coverage

Third-party cyber coverage generally protects your organization from liability of third-party

claims against the organization. Think of it as a separate level of protection. If you get third-party coverage, you may have the ability to offset some of the limitations you have to deal with related to a breach.

Look for third-party coverage that includes:

•     Payments to consumers affected by the breach
•     Claims and settlement expenses related to disputes or lawsuits
•     Losses related to defamation and copyright or trademark infringement
•     Costs for litigation and responding to regulatory inquiries
•     Other settlements, damages, and judgments
•     Accounting costs

Key Areas of Preparedness

While your organization may consider implementing specific controls or frameworks to obtain cyber insurance coverage, the reality is these requirements are often core elements of a mature cybersecurity program. 

Your organization can develop stronger compliance practices and better understand cybersecurity preparedness by focusing on these six key areas:

Incident response

1. Has your organization established proper incident response protocols?

Training

1. Has your organization established proper education and training protocols?

Vendor management

1. How does your organization conduct various degrees of due diligence on all your vendors?

Governance and risk assessments

1. Have you evaluated cybersecurity risks? What is your organization’s level of awareness and communication?

Access rights and controls

1. How does your organization manage controls onsite and offsite related to access to systems and data?

Data loss prevention

1. How does your organization monitor outbound communication and data at rest, in transit, and in use?

Critical Prevention Controls

Likewise, critical prevention controls will likely be required for your coverage and your organization should develop processes to review and evaluate all of these areas on a continuous basis: response, detection, and prevention.

The frequency of reviews may vary depending on the specific area, but always approach it from a risk-based mindset. Some of these items you should evaluate at least annually; some will be more frequent and others less. Not all of these critical prevention categories carry the same weight. Consider:

Prevention

•     Training and awareness
•     Web/spam/email filtering
•     Access control
•     Endpoint security
•     Data loss prevention
•     Patch management
• Mobile Device Management (MDM)

Detection

•     Managed detect and respond (MDR)
•     Vulnerability management
•     Security information and event management (SIEM)
•     Configuration management
• Threat hunting

Response

•     Preparation: Process definition, data classification, tabletop exercises
•     Monitoring and detection: Receive notifications from business unit, IT
•     Breach investigation: Determine if a data breach has occurred
•     Data flow containment: Ensure that data leakage is stopped
•     Notification and remediation: External notifications and remediation
•     Lessons learned: Varies with the incident  

7 Key Security Controls Every Organization Should Have

Cyber insurance is not a one-size-fits-all solution. Your organization will need to consider many factors including size, risk tolerance/posture, industry, and other specifics. 

While different insurers require different security controls to obtain and maintain coverage, there are some general best practices to consider. Here are seven key recommendations to start with: 

1.     Multifactor authentication (MFA)
2.     Network segmentation/segregation
3.     Backup and recovery strategy
4.     Endpoint detection and response (EDR)/malware prevention
5.     Sender policy framework (SPF)
6.     Remove or secure remote desk protocol (RDP)
7.     End-user security training

Managing Cybersecurity and Cyber Insurance with Technology

When it comes to cyber incidents, cyber insurance is the last safety net you need to protect your business. These controls and processes are things your organization should already have in place to secure and protect your data.

Even if you’re not seeking cyber insurance right now, it’s a best practice to go ahead and get these controls and/or frameworks in place. It will help when you’re ready to seek cyber insurance coverage, but more importantly, it may help prevent a cyber event from happening. And as a bonus, you might just end up getting better cyber insurance at a better rate.

Using technology to manage your cybersecurity program and cyber insurance requirements is a no-brainer. With the right platform, supported by the right industry experts and advice, you can do this successfully—with fewer resources, even if you don’t have your own CISO or CTO.

Apptega provides a total package you can lean on, whether you need to outsource your cyber program fully or need support to supplement your existing security and compliance teams.

For perspective, think about this: When it comes to frameworks, controls, and requirements, all of these can be viewed as separate projects, and many have hundreds of elements to implement and track. Whether it’s something you need to tackle one time, or it needs continuous monitoring, you can use Apptega to do this more efficiently. And you can do so with real-time insight into your maturity, as well as a look back over time, so you can more effectively communicate with your C-suite and key stakeholders and meet all of your cyber insurance demands.

Need help breaking down the complexities of cybersecurity by simplifying some of your existing practices? Schedule a custom tour. Learn more on how Apptega can simplify day-to-day cybersecurity and compliance management for your clients.

Watch our latest webinars on cyber insurance to hear from industry experts.