Cyber insurance has become a very popular risk mitigation control against all sorts of cyber incidents that may affect businesses. In risk management it is a risk transfer technique: you don’t remove the actual risk, you move its ownership to another party (you may still be liable if a breach occurs, but you will be compensated).
According to Statista, the global cyber insurance market was worth $7.8b in 2020, with a forecast of $20.4b in 2025. That is steady growth, but insurers are risk management wizards and they adapt to the trend, to the number of incidents and to the claims they have to pay out.
Most of us have experienced this personally when insuring our properties, homes or automobiles. If you live in an area with a high car crime rate, your premium goes up; if you keep your car in a garage overnight, your premium goes down.
Action – reaction, risk landscape – insurance cost
According to Reuters, cyber reinsurance rates rocketed at the July renewals. Not only did prices go up, the requirements to actually qualify for renewal are getting more and more demanding. The insurers have figured out whose risk is highest, so let’s have a look at what’s required.
Underwriting process
Underwriters want to know more about your business and its risk landscape. They no longer just look at processes and governance (policies, standards, procedures and guidelines) but also at the controls you have in place to mitigate specific risks such as ransomware or data disclosure.
‘THE’ thing you really need to have – Multi-Factor Authentication
Multi-factor authentication (MFA) is no longer a nice-to-have that improves your security posture, it’s a must. The threat of credential leaks is real and accounts for an absolutely mind-blowing number of breaches. By deploying MFA you reduce the leaked-credentials attack surface to near zero. From the insurer’s perspective it’s gold dust, and so it should be for any organisation that cares about its business continuity. The National Cyber Security Centre (NCSC) has also published MFA guidance. Check my blog post here, where I take a closer look at MFA.
What should you consider to stay ahead of the game?
A mind shift, for a start. Move away from the dated concept of perimeter security and adopt the ‘Zero Trust’ model. Long story short, everything should be authenticated: every endpoint, every flow, every data source. Encryption is now a standard, and in a zero-trust model you should encrypt all (appropriately classified) data both at rest and in transit. Instead of listing potential threats around encryption standards during threat modelling, include them in the requirements at the project initiation phase, not during deployment. The list is longer, but let’s focus on the Identity and Access Management (IAM) domain.
A holistic approach to identity management
Access and authentication
You are only as strong as your weakest point. You can have all the bells and whistles of security in place, but if your front door is not strong, the rest doesn’t really matter. Don’t reinvent the wheel: put all bespoke identity solutions to rest and use industry-standard protocols and solutions. Federate your applications using protocols like SAML 2.0, OAuth 2.0 and OpenID Connect. If your environment is diverse, use an off-the-shelf product to minimise the work required on the application side. You can protect your web applications and APIs with state-of-the-art access management solutions (e.g. ForgeRock Identity Gateway or PingAccess). You can apply all the business magic you need and fulfil regulatory and contractual requirements, and you really, really don’t have to code it into your application. Config over code. Complexity is your enemy.
Identity Governance and Administration (IGA)
In other words: starters, movers and leavers, and managing the lifecycle of identities. Automate every possible process; don’t leave manual steps that you might miss and that introduce vulnerability. While we are fairly familiar with the (usually painful and time-consuming) processes of on-boarding and off-boarding, the movers logic is somewhat forgotten. The rule of proportion in access management loses its traction and we end up with accounts that have accumulated access privileges throughout their life, which in turn introduces vulnerability and is exactly what the insurers are looking at. If you’re interested to learn more about IGA you can take a look at ideiio here, a platform I have the privilege of working with.
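As an added example (not from the original post, and not ideiio’s code), the following Python script reconciles accounts against a per-role entitlement baseline and surfaces mover access creep: grants a previous role explains, which should have been removed on the move, versus grants no known role explains, which need recertification. The role matrix, the account export and all role and entitlement names are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed baseline: the entitlements each role is supposed to hold.
ROLE_ENTITLEMENTS: dict[str, set[str]] = {
    "finance-analyst": {"erp-read", "expense-approve"},
    "developer": {"git-push", "ci-run", "dev-db-read"},
    "dba": {"prod-db-admin", "dev-db-read"},
}

@dataclass
class Account:
    user: str
    role: str                 # role after the most recent move
    entitlements: set[str]    # what the account actually holds today
    previous_roles: list[str] = field(default_factory=list)

def excess_entitlements(account: Account) -> set[str]:
    """Entitlements held beyond the current role's baseline (access creep)."""
    return account.entitlements - ROLE_ENTITLEMENTS.get(account.role, set())

def creep_report(accounts: list[Account]) -> dict[str, dict[str, list[str]]]:
    """Per account with excess access: 'inherited' grants come from a previous
    role (remove on the move); 'unexplained' grants match no known role."""
    report: dict[str, dict[str, list[str]]] = {}
    for acct in accounts:
        excess = excess_entitlements(acct)
        if not excess:
            continue  # account matches its role: nothing to certify
        inherited = {
            e for e in excess
            if any(e in ROLE_ENTITLEMENTS.get(r, set()) for r in acct.previous_roles)
        }
        report[acct.user] = {
            "inherited": sorted(inherited),
            "unexplained": sorted(excess - inherited),
        }
    return report

# Constructed sample export, e.g. an HR feed joined with an IdP entitlement dump.
SAMPLE_ACCOUNTS = [
    Account("alice", "finance-analyst", {"erp-read", "expense-approve"}),
    Account("bob", "dba", {"prod-db-admin", "dev-db-read", "git-push", "ci-run"},
            previous_roles=["developer"]),
    Account("carol", "developer", {"git-push", "ci-run", "dev-db-read", "erp-read"}),
]

if __name__ == "__main__":
    for user, finding in creep_report(SAMPLE_ACCOUNTS).items():
        print(user, finding)
```

Run against a real export, the "inherited" list is the automatable part of the mover process and the "unexplained" list is the queue for manual review.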
Privileged Access Management (PAM)
You need to protect all credentials, but taking extra care with privileged accounts will soon become a must rather than a good idea. At the very least you need MFA everywhere, but if we look at businesses with a good track record of Business Continuity Planning (BCP), you will find they have invested in a PAM solution. Automated credential rotation, accountability for admin actions, logging and vaulting, to name a few benefits, not only improve your security and reduce risk, but also significantly reduce the cost of the lengthy forensic investigations that are required should a cyber threat materialise.
An investment in a modern IAM solution not only lowers the risk of cyber attacks but also reduces the premium of your cyber insurance.