Shifts in the threat landscape have caused cyber insurance providers to rethink how they offer and price their coverage. The result has been stricter underwriting requirements, more exclusions within coverage, and a dramatic increase in premiums. Tougher underwriting requirements have also put pressure on security and risk leaders to more thoroughly validate their security controls as enterprises are applying for, or renewing, their coverage.
In this post we’ll look at the current realities of cyber insurance and how breach and attack simulation (BAS) can help enterprises better position their organization to be approved for coverage and potentially reduce their premiums.
Changing Threat Landscape Created Turmoil for Insurers and Enterprises
Though some form of cyber insurance has existed since the late 1990s, the market did not really begin to gain traction until after 2015. In the days before cyber attacks became pervasive, policies focused on protecting against losses due to business interruption, data recovery, and damage to infrastructure. As frequency and severity of cyber security incidents accelerated, enterprises increasingly looked to insurance carriers to share the risk. Today, businesses expect their policy to cover cyber ransom, risks to brand/reputation, fines, and third-party liability risks from their digital supply-chain.
When demand for cyber insurance began to grow, more insurers recognized the revenue potential and offered overly broad policies and competitive pricing to quickly gain market share. However, they didn’t fully recognize, or price in, how large and expensive cyber losses could be — especially considering the exponential increase in ransomware attacks beginning in 2017.
As a result of claims well beyond forecast in both volume and settlement amounts, cyber insurance became unprofitable for many providers during 2019 and 2020 and carriers responded with significant price increases (in some cases doubling and tripling premiums), reduced policy limits (especially in losses involving ransomware), more restrictive coverage, and more stringent underwriting processes. This reaction has obviously put security and risk leaders in a difficult position as they are suddenly paying significantly more for less coverage, if they are approved at all.
Our recent whitepaper “A Skeptic’s Guide to Buying Security Tools” references a comment from The Risk Management Society which captures the current state of cyber insurance very well: “In 2022, cyber insurance became a C-level issue for commercial and government organizations. Risk managers felt fortunate if they could renew their cyber policy, maintain current coverage, and keep premium increases to below 50%.”
Many Cyber Insurers Not Doing Enough Due Diligence
Most cyber policy applications are surprisingly superficial, given the risks involved. To simplify application review, most applications ask a series of “yes/no” questions about the presence of various security controls. Some applications allow the applicant to provide additional context about their environment, but for the most part, applications do not account for variations in risk or controls. And what about the questions the application doesn’t ask? Most applications don’t ask whether you align to specific security frameworks (NIST, etc.) or if/how you incorporate 3rd-party threat intelligence to proactively protect against emerging threats.
Sure, there is a follow up conversation between the applicant and provider to review the application, and some kind of standard assessment or potentially even a penetration test. But each of these evaluation tools have significant limitations, and even in the best case, their results represent a single point-in-time rather than a continuous state of readiness. In the absence of proof that your security controls are working, configured properly, and constantly validated, the insurance carrier will likely base their coverage decision, and pricing, on your binary yes/no responses and apply a one-size-fits-all formula based on broad industry averages.
Breach and Attack Simulation Can Help Secure Coverage and Reduce Premiums
Ultimately, it is the applicant’s responsibility to ensure their insurance provider is basing coverage decisions on the real capabilities of their security controls, and this is where BAS can help tremendously. BAS platforms run real-world attack scenarios against production environments to validate that controls are in place, properly configured, and working as advertised. BAS plays a vital role in continuous security validation (CSV), an automated approach that uses security tools and techniques leveraging attacker TTPs.
The reporting provided by a BAS solution can provide insurance underwriters with detail on:
- Your security controls- This includes the controls that are in place, how effective they are, and whether or not they are securely configured. While a list of vendors and tools used in your security program may show potential for security, there’s a very real possibility that existing tools are being underutilized, or that misconfigurations are making it even easier for adversaries to leverage these tools themselves as attack vectors.
- Your resilience against 1,000s of real-world attacks, including ransomware- Like other kinds of insurance, your premiums will increase based on the likelihood of an incident. Showing that your IT environment can successfully stop real-world attacks provides you with hard evidence to negotiate your costs.
- Your EDR and firewall efficacy- Endpoints are a critical part of the attack surface, so of course there are a growing number of advanced threats designed to access them. Being able to concretely show that your EDR and firewall technologies are effective against these threats may put your insurers at ease.
- What you are doing to proactively defend against emerging threats- The integration of 3rd-party threat intelligence keeps you ahead of the latest vulnerabilities and TTPs. Responding to and mitigating these threats in real-time not only decreases the likelihood that your organization will fall victim, but this level of proactivity provides additional assurance to your provider.
Providing hard evidence of your cyber resilience can not only help you gain approval for coverage, it may help you stretch your budget a bit further. One SafeBreach customer recently reported they were able to reduce their premiums by 15-20% because our attack simulations helped them prove their cyber resilience. Obviously, every environment is different, and some insurers may reward BAS use more than others, but it pays to try. To learn more about breach and attack simulation and how SafeBreach can help provide better visibility and validate your security controls, we invite you to schedule a demo.