Cyber threats, like ransomware and data breaches, are growing at a rapid rate, and the need for cyber insurance to protect against these evolving threats has never been greater.
Recent research found that the percentage of first-time cyber insurance buyers has almost doubled over the last five years. This rise in demand has also led to an increase in insurance premiums.
Vendors and cyber insurance providers must work together
According to The Council of Insurance Agents & Brokers, cyber insurance premiums increased by more than 25% for five consecutive quarters.
But today’s cyber insurance policies are not necessarily based on the right factors for assessing a company’s security posture.
Vendors and cyber insurance providers must work together to reevaluate how cyber insurance understands a company’s security posture in order to better underwrite cyber insurance policies (see How to Reduce the Impact of Cybercrime?).
Consider another form of insurance: life insurance. When setting up a life insurance policy, insurers often request a medical exam with bloodwork to determine an individual’s risk for disease or illness.
This is the path cyber insurance should follow to underwrite policies for organizations battling today’s cyber threats to determine how at risk they are and what measures they have in place to protect themselves (see about Ransomware Insurance and Cyber Risk Landscape).
The way cyber insurance policies are underwritten
Currently, the way cyber insurance policies are underwritten reveals a gap in technical evaluation. Insurers look at revenue, number of employees and global footprint, but none of these is an accurate measure of an organization’s security posture.
An organization with a small headcount, such as a hedge fund, can still have a great deal to protect, while an organization with a very large headcount may simply be a bloated startup that took on far too much funding.
Luckily, there are a lot of brilliant people working on both sides of the aisle, both vendors and cyber insurance providers, who could converge on which factors need to be evaluated to properly underwrite a cyber insurance policy.
To establish what an organization’s DNA should look like, cyber insurers should consider creating policies based on meaningful metrics that demonstrate the maturity and resilience of an organization’s cybersecurity posture. Three areas in particular should be examined.
Email Security Posture
An organization’s email security posture can say a lot about the state of the company’s security posture, especially as more than 90% of an organization’s threats come in via email. Companies that properly invest in email security improve their overall cybersecurity posture by establishing processes, tools and training that defend against malicious threats like phishing, spam and malware.
Quantifying an organization’s email security posture is nontrivial as there are multiple facets to this issue.
The primary factors that should be worked into this math include employee resilience, measured not only by overall susceptibility to phishing emails but more so by the ratio of employees who successfully identify and report suspicious emails to those who fall for them.
Additionally, the number of email attacks identified on a weekly or monthly basis and the time to resolve them are key. The latter is probably the most important factor in the risk calculus, as many organizations rely solely on their secure email gateways for protection while attacks continue to circumvent those gateways on a frequent basis.
Having effective email threat detection and removal technologies and processes is paramount.
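To make the email-posture metrics above concrete, here is an added example (not code from the article or from Cofense) that computes susceptibility, the report-to-click resilience ratio, attack count and time to resolve from constructed phishing-simulation and incident records; the record layout and the function names are assumptions.

```python
from datetime import datetime
from statistics import median

# Constructed phishing-simulation results (hypothetical data): one record per
# employee per campaign as (campaign, employee, clicked_lure, reported_email).
SIM_RESULTS = [
    ("Q1", "e1", False, True),  ("Q1", "e2", True, False),  ("Q1", "e3", True, False),
    ("Q1", "e4", False, False), ("Q1", "e5", True, True),   ("Q1", "e6", False, True),
    ("Q1", "e7", True, False),  ("Q1", "e8", False, False), ("Q1", "e9", False, True),
    ("Q1", "e10", False, False),
    ("Q2", "e1", False, True),  ("Q2", "e2", False, True),  ("Q2", "e3", True, False),
    ("Q2", "e4", False, True),  ("Q2", "e5", False, True),  ("Q2", "e6", False, True),
    ("Q2", "e7", False, False), ("Q2", "e8", False, True),  ("Q2", "e9", True, False),
    ("Q2", "e10", False, False),
]

# Constructed incidents (hypothetical): emails that got past the secure email
# gateway, as (incident, first_reported_at, removed_from_all_mailboxes_at).
INCIDENTS = [
    ("inc-1", "2024-03-04T09:12:00", "2024-03-04T10:02:00"),
    ("inc-2", "2024-03-11T14:30:00", "2024-03-11T14:50:00"),
    ("inc-3", "2024-03-18T16:00:00", "2024-03-19T16:05:00"),
]

def _rows(results, campaign):
    return [r for r in results if campaign is None or r[0] == campaign]

def susceptibility_rate(results, campaign=None):
    """Share of employees who clicked the simulated lure (lower is better)."""
    rows = _rows(results, campaign)
    return sum(1 for _, _, clicked, _ in rows if clicked) / len(rows)

def resilience_ratio(results, campaign=None):
    """Reporters divided by clickers; above 1.0 means more people reported than fell for it."""
    rows = _rows(results, campaign)
    clicked = sum(1 for _, _, c, _ in rows if c)
    reported = sum(1 for _, _, _, rep in rows if rep)
    return reported / clicked if clicked else float("inf")  # inf: nobody clicked

def time_to_resolve_minutes(incidents):
    """Minutes from the first user report to removal from every mailbox, per incident."""
    return [(datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60
            for _, start, end in incidents]

def posture_summary(results, incidents):
    # One record combining the four factors the article names, for an underwriter to score.
    return {
        "susceptibility": susceptibility_rate(results),
        "resilience_ratio": resilience_ratio(results),
        "attacks_past_gateway": len(incidents),
        "median_minutes_to_resolve": median(time_to_resolve_minutes(incidents)),
    }
```

Per-campaign calls such as resilience_ratio(SIM_RESULTS, "Q2") show whether reporting improves between exercises, which is the trend an insurer would care about more than a single snapshot.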
Endpoint Security Controls
With the continued trend toward remote work and ongoing digital transformation, endpoint security is essential for protecting every device that makes up an organization, and thus for protecting the entire organization from a slew of malicious threats.
Reports from cyber attack and breach simulation exercises that demonstrate the efficacy of endpoint solutions against known and emerging threats can be a strong indicator of the strength of an organization’s last line of defense (see about Ransomware Attacks in the United States).
Maturity Of Security Operation Centers
A mature Security Operations Center (SOC) is built with the proper team, processes and tools, all aligned with the business’s overarching goals. With a SOC that isn’t fully developed, organizations are more vulnerable to cyber threats, putting their critical data and assets at risk.
There are multiple SOC maturity models available that focus on various aspects of security operations and speed of detection/response.
While not originally intended for cybersecurity, one of the long-standing models that has been adapted and widely used to measure the overall maturity of an organization’s SOC is the “Capability Maturity Model Integration,” otherwise known as CMMI.
This model categorizes an organization into one of five levels based on the maturity, standardization, iterative management of processes, automation, quantitative controls and continuous optimization and development of staff, resources, processes and service management.
In the grand scheme of things, cyber insurance is still a young industry and has a way to go.
As demand continues to shift while the cybersecurity landscape evolves, both cyber insurers and cybersecurity vendors must put their heads together to build underwriting strategies that reflect an organization’s true security posture.
AUTHOR: Rohyt Belani – cofounder and CEO of Cofense, Forbes Councils Member
Fact checked by Oleg Parashchak