Latest News

Cash and controls: Qualifying for cyber insurance in 2022

Written on Apr 14, 2022

By Eric Wright, CPA, shareholder at Schneider Downs 

Republished with permission from Schneider Downs 

As cyber insurance premiums continue to climb, insurance providers are getting increasingly selective about who and what they’ll cover. 

Cyber criminals are only getting better—a fact reflected in their increasingly sophisticated attacks. And with the heightened frequency, scale and impact of these attacks comes higher cybersecurity insurance premiums for businesses. Many organizations are finding that the cost of cyber insurance has increased dramatically in the past few years. 

But premiums aren’t the only costs that are rising. The price of admission to even be considered for coverage is going up as well. If a business wants to qualify for cyber insurance, there are several security controls they need to have in place before an insurance company will consider underwriting the policy: 

Multi-factor authentication: When it comes to any remote access or accounts with administrative privileges, it is critical that businesses require users to identify themselves with something more than just a username and password. The second form of identification needs to be something you are or something you possess. 

Endpoint Detection and Response (EDR): Businesses need to make sure that their employees’ devices are protected by second generation anti-virus and anti-malware software. The solutions that only look for a virus’ “fingerprint” are no longer acceptable. 

Secured, encrypted and tested backups: To protect their data, businesses need to ensure that their backups are both encrypted and stored in a secure location. Many of the underwriters are defining “secure” as: the backups are either offline or immutable. 

Privileged access management: Businesses should make sure that access to highly privileged accounts (including system accounts) are protected and managed using an encrypted password vault. 

Email filtering and web security: The easiest way for a cybercriminal to access an organization's system is to take advantage of human curiosity. Automatically interrogating emails for suspicious content (attachments and links) before the designated recipient has a chance to open them can help reduce the risk of falling for a phishing attack.  

These are the five controls that are most important to insurance companies right now. In the coming years however, organizations can expect these additional controls to come into play: 

Patch management and vulnerability management: Businesses should make sure they are continuously patching their applications, databases and operating systems . 

Incident response plan: It is critical that organizations have a formalized plan for how to respond if something goes wrong. It is equally important that this plan is periodically tested and modified as needed.  

Required cybersecurity awareness training: While technology can help reduce the risk of cyber-attacks, your employees are still the easiest path to compromise. Mandatory security awareness training, with a focus on phishing, for all employees is a critical component of improving your overall cyber security profile. 

Network device hardening standards: Organizations should have configuration standards defined to improve the security of network devices by eliminating non-essential services and minimizing vulnerabilities. 

Login and active monitoring of network devices: This is not as simple as monitoring the network traffic that enters and leaves the system. Organizations must also be cognizant of the traffic that flows between their internal network devices. Logs should be aggregated, and analytics should be used to identify and alert management of suspicious activities. 

Management of end-of-life systems: When an organization’s technology is no longer receiving updates or support services from vendors, the end-of-life systems must be replaced or isolated from the rest of the network through segmentation. 

Robust third-party risk program: Companies must have protocols in place to assess the controls of vendors that have access to their systems or data. 

Going forward, businesses can expect the cyber insurance landscape to remain pricey and more difficult to obtain the desired coverage. Given the cost and frequency of today’s cyber-attacks, more companies are looking to outsource some of the risks as part of their mitigation strategy. Continuously monitoring and investing in their cybersecurity can help organizations improve their chances of obtaining the cyber coverage they desire.