The landscape of cyber risks continues to create a sea change affecting many areas of the industry. From regulatory compliance mandates to customer- and partner-led requirements, this isn’t anything new. However, one area that’s starting to feel newer for many organizations is the realm of cyber insurance. In a recent blog post by Karen Worstell, she underscored the criticality of endpoint security as a requirement for cyber insurance. Looking at that further, insurers are now examining the depth and breadth of how that requirement is actually fulfilled.
It used to be that organizations would meet annually with their cyber insurer and attest to having a series of controls in their environment. On its own, that is increasingly a thing of the past. Insurers are looking to move to much more frequent assessments, and they’ve already moved to much more granular scrutiny of their clients’ infrastructure. In speaking with a handful of cyber insurers, all of them maintain that assessments are heading toward more validation, conducted more frequently.
To put this in perspective, let’s look at EDR and its intersection with defending against ransomware as a popular use case. The following types of questions from insurers are becoming commonplace:
- Have you implemented endpoint security tools (such as EDR) with behavioral detection and exploit mitigation capabilities?
- Is there a team of analysts dedicated to monitoring the output of the EDR tool in place? Is that team internal or external?
- On what percentage of endpoints is EDR fully operationalized?
- Has the EDR solution been configured to actively “block” threats?
- Has the EDR solution been adequately tuned in your environment to detect and prevent ransomware?
It’s clear that purchasing and procuring an EDR solution is not enough. Insurers want proof that it’s sufficiently operationalized and optimized within their clients’ environments. While this sounds straightforward, the reality is that there may be gaps in the network where the EDR solution wasn’t deployed, and such a gap may be the opening that leads to a successful attack. Additionally, if an EDR solution is procured and deployed but sub-optimally tuned, this could lead to further scrutiny by insurers. One CISO mentioned being in a difficult situation where he was told by his cyber insurer that he would be dropped from coverage if he didn’t have an EDR implemented and operationalized within a 60-90 day window. This isn’t a scare tactic by the insurers, but rather a due diligence practice that organizations are finding to be the necessary new normal in protecting against rapidly evolving threats like ransomware.
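The questions above boil down to evidence a defender can produce by reconciling the asset inventory against the EDR console. The following added example (not code from the original post) does that over constructed sample data: it normalizes hostnames so the two sources compare, and counts an endpoint as operationalized only when an agent exists, has checked in recently, and is in blocking mode. The seven-day staleness threshold and the `mode` field are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the original post): an asset inventory and an
# EDR console export, as a defender might pull them ahead of an insurer review.
ASSET_INVENTORY = ["WS-001", "ws-002.corp.example", "SRV-DB01", "SRV-WEB01", "LAPTOP-7"]
EDR_AGENTS = [
    {"host": "ws-001.corp.example", "mode": "block", "last_seen": "2024-05-01T09:00:00Z"},
    {"host": "WS-002", "mode": "detect", "last_seen": "2024-05-01T08:30:00Z"},
    {"host": "srv-db01", "mode": "block", "last_seen": "2024-03-15T12:00:00Z"},
]
REVIEW_TIME = datetime(2024, 5, 1, 12, tzinfo=timezone.utc)  # constructed "now"


def normalize(hostname):
    """Lower-case and drop the domain suffix so both sources compare equal."""
    return hostname.strip().lower().split(".")[0]


def edr_coverage(assets, agents, now, max_age=timedelta(days=7)):
    """Classify every inventoried endpoint the way an insurer questionnaire does.

    An endpoint counts as operationalized only if an agent exists, it has
    checked in within max_age, and the agent runs in blocking mode.
    """
    inventory = {normalize(h) for h in assets}
    by_host = {normalize(a["host"]): a for a in agents}
    report = {"missing": [], "stale": [], "detect_only": [], "operationalized": []}
    for host in sorted(inventory):
        agent = by_host.get(host)
        if agent is None:
            report["missing"].append(host)  # gap: no agent deployed at all
            continue
        last_seen = datetime.fromisoformat(agent["last_seen"].replace("Z", "+00:00"))
        if now - last_seen > max_age:
            report["stale"].append(host)  # agent installed but no longer reporting
            continue
        if agent["mode"] != "block":
            report["detect_only"].append(host)  # deployed but not tuned to prevent
            continue
        report["operationalized"].append(host)
    covered = len(report["operationalized"])
    report["percent_operationalized"] = round(100 * covered / len(inventory), 1) if inventory else 0.0
    return report


def sample_report():
    return edr_coverage(ASSET_INVENTORY, EDR_AGENTS, REVIEW_TIME)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

Each non-operationalized bucket maps to one of the insurer questions: `missing` to coverage, `stale` to monitoring, and `detect_only` to whether the tool is configured to block.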
But wait, there’s more. We touched on annual cyber insurance assessments being the norm. However, that’s potentially going to change as well. An annual cybersecurity assessment of any kind loses accuracy quickly as time passes; so much so that an organization’s cybersecurity posture after a few weeks to months may no longer resemble the state that was assessed.
The expectation is not only that more frequent validation of cyber controls is coming down the pike, but that it will be grounded in real-world evidence as well. In other words, insurers are looking to move to technical data that substantiates attestation-based validation. Dashboards, technical readouts, and reports of findings from threat assessments are all among the expected outputs in tomorrow’s world of cyber insurability criteria.
Cyber insurers are carrying more and more transferred cyber risk so that their clients are indemnified against it. This is what’s driving the sea change in insurability requirements. And quite frankly, that’s not seen as a bad thing across the board. The net effect is a rising tide that lifts all ships. Many CISOs have expressed appreciation for evolving cyber mandates from insurers, regulatory bodies, etc. because of how impactful these drivers are in getting more support, funding, and culture change to better secure the organization.