Meet Your New Cybersecurity Auditor: Your Insurer

As businesses deal with the fallout of massive ransomware waves, from Lapsus$ to Cl0p/MOVEit, an unlikely new entity is joining the regulatory bodies to raise the bar for cybersecurity: the cyber insurer. These experts do more than just process claims in the aftermath of an attack. Their coverage requirements and metrics-driven approach to risk put organizations not meeting cyber-hygiene basics on notice. How can chief information security officers (CISOs) prepare to work with this important power player?

Understand Your Cyber Insurer

Cybersecurity risk has increased exponentially due to the changing and complex cyber-threat landscape, particularly ransomware attacks. As a result, cyber-insurance premiums have surged by 50% just in the last year, which could have a significant impact on risk management budgets. Facing pressure from all sides, CISOs have the unenviable challenge of proving to their cyber insurer that their organization is properly set up to withstand cyber-risk. To make their case, CISOs must thoroughly understand cyber-insurance companies' role and key priorities.

Insurance companies live and die by their ability to accurately quantify risk, and cybersecurity is no exception. Actuarial science powers a global market of insurance premiums worth $7 trillion annually. Due to the profound disruption caused by a surge in simple but scalable cybercrime, organizations have endured financial blow after financial blow. Most organizations recognize their cybersecurity strategy must change, and cyber insurers that make decisions about coverage using advanced statistical methods play a pivotal role in determining what that change entails.

The year 2022 was rough for the cyber-insurance market; premiums skyrocketed due to ransomware attack frequency. This means it is more important than ever to get right with your cyber insurer. With the market rebounding, insurance companies are refining their actuarial models and gaining a better understanding of cyber-risk.

Right-Sizing Security Priorities

Self-assessment questionnaires are getting more detailed as underwriters seek to understand the applicant's security posture, from the finer details of multifactor authentication (MFA) to exact group policy rules for Active Directory (AD) administrators. Most organizations can say they have some of these strategies in place, but rarely can they tick every box. Therefore, they must make investments in tools or headcount to make up the difference. Failing to invest might mean denial of cyber-insurance coverage or significantly more expensive premiums.

On the other hand, investing in those requirements means qualifying for cyber insurance will be easier and potentially less expensive at renewal. By working with brokers and underwriters, CISOs can build multiple scenarios corresponding to different cybersecurity investments. Then, to get CFO and board buy-in, CISOs can use the cyber-insurance requirements as metrics to track security goals and correlate their risk register with their insurance premiums. It is a unique opportunity to attach dollar values to cyber investments and push for maximum ROI in clear and persuasive ways.

Audit Before You're Audited

The current state of cyber insurance offers some actionable opportunities for security decision-makers.

First, don't underestimate the power of an accurate cyber-insurance self-assessment, which is how cyber insurers judge organizations during the auditing and claims processes. Current self-assessment surveys ask surprisingly challenging questions and cover a wide set of fields from backups to AD security to MFA. It is important not to treat this as a formality and to ensure that information is entirely accurate; insurers are more than willing to decline coverage and even sue if an enterprise falsely claims, for example, that it has MFA protection across all its digital assets. Failure to document preventive measures is nearly as bad as not having those preventive measures in the first place.

Therefore, the second step is for CISOs to prove they have the capability they have on those forms. Luckily, this is a landscape familiar to seasoned CISOs. Creating and maintaining detailed records, building reporting systems, documenting all relevant business and security processes, and creating tamper-proof data for cyber forensics are all possible with sophisticated cybersecurity tools. The only change here is that CISOs now need to be able to make this cybersecurity posture visible to insurers (and be able to back up their statements).

Finally, an ugly truth: Organizations are in competition with each other for coverage, and a CISO must be able to prove their organization's cyber maturity is better than the rest. This is especially critical in verticals considered highly vulnerable (like healthcare, financial services, or federal contracting), so it is important to protect that competitive edge. Whether it is full compliance with NIST regulations, control over the software supply chain, or a board with a regimented, proactive plan for cyber events, CISOs should play to their organizations' strengths while being transparent about its vulnerabilities.

With the cyber-insurance market stabilizing and becoming increasingly competitive, the rules are becoming more standardized and transparent. It's vital to get clarity around which cyber-risk factors influence pricing the most and what areas of cyber defense need to improve. Of course, the primary goal is for enterprises to be better protected against cybercrime, ransomware, and breaches by strictly adhering to cyber-defense best practices. By transparently partnering with insurers and auditors, CISOs will be able to make accurate security investments while furthering their organizations' cyber resilience.