Cyber Security collides with Insurance Industry

Cyber Insurance Providers Step Up Their Game


Did you recently receive a renewal application from your Cyber Insurance provider?  Did it look a lot different from last year’s application?  If so, you are not alone.  Most companies looking to renew their Cyber Insurance policy are facing new and stiffer requirements than in previous years.  Insurers are far more concerned with the security hygiene of their clients than ever before.


And for good reason.  2021 saw the highest average cost of a data breach in 17 years, with the average rising from US$3.86 million to US$4.24 million year over year, and the average cost of a health care data breach reached US$9.23 million in 2021, nearly 30% more than the prior year.[1] Some of these costs are inevitably passed on to consumers; insurers, however, are now more interested than ever in what their clients are doing to prevent these costly events.

Here are some minimum requirements that you, as a buyer of Cyber Insurance, can expect to have to meet.[2]

·        Zero-Trust Models

o   According to the National Institute of Standards and Technology (NIST), “Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established.”

·        Endpoint Detection & Response implemented on all endpoints

o   Endpoint detection and response (EDR) is a form of endpoint protection that continuously collects telemetry (process, file, network and user activity) from endpoint devices, uses it to detect and investigate how cyberthreats behave, and gives the organization a way to respond, for example by isolating a host or terminating a malicious process.[3] Insurers expect it on every endpoint, not only on servers, because an unmonitored laptop is the most common foothold.

·        Multi-Factor Authentication is implemented and required for all remote access

o   Multi-Factor Authentication (MFA) requires an end user to present a second factor from a different category than the password. The three categories are something they know (a password or PIN), something they have (a hardware token, security key, or authenticator app), and something they are (biometrics). A second password or a security question is not MFA, since both are still “something they know.” Insurers typically ask that MFA be enforced on all remote access (VPN, remote desktop, webmail and cloud consoles), not merely offered.

·        Backup Procedures, Offline Backup, or Alternative Backup Solutions

o   With the rise of ransomware, which encrypts a victim’s data and renders it unusable, the requirement for data backups has garnered much more attention.  What used to be a business continuity concern is now a cyber security must-have.  A backup that an attacker with domain admin rights can also encrypt or delete is not a backup, which is why insurers ask specifically for offline (or otherwise isolated) copies and for evidence that restores have actually been tested.

·        Identity and Access Management for ad-hoc privileges and restricted network access

o   With hybrid work being more common than ever, employees need secure access to company resources whether they’re working on-site or remotely. This is where identity and access management (IAM) comes in. The organization’s IT department needs a way to control what users can and can’t access so that sensitive data and functions are restricted to only the people and things that need to work with them.[4]

·        Privileged Access Management to monitor accounts with privileged access

o   Privileged access management (PAM) is an identity security solution that helps protect organizations against cyberthreats by monitoring, detecting, and preventing unauthorized privileged access to critical resources. PAM works through a combination of people, processes, and technology and gives you visibility into who is using privileged accounts and what they are doing while they are logged in. Limiting the number of users who have access to administrative functions increases system security while additional layers of protection mitigate data breaches by threat actors.[5]

·        Good Patch Management

o   Patch Management, applying security updates to operating systems and applications, cannot be an afterthought in today’s threat environment.  Bad actors can exploit a publicly known vulnerability within days of its disclosure, often before many organizations have scheduled the update.  Patch management needs to be regular, automated and measured (what percentage of systems are patched within how many days).  The process must be nimble as well, with a fast track for Zero-day threats that are already being exploited.
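The seven items above read like a checklist, and that is exactly how an insurer’s application scores them: is the control in place for every asset, not just most of them?  As an added example (not code from the original post or from Jack Pine Consulting), the Python script below runs that checklist over a constructed asset inventory and lists each gap.  The thresholds (patch age, restore-test age) and the sample endpoints, accounts and backup sets are assumptions for illustration; an insurer’s application will state its own limits.

```python
"""Self-assessment against the cyber-insurance controls listed above.

Added example, not the consultancy's tooling.  The thresholds below and the
SAMPLE inventory are constructed assumptions, not any insurer's wording.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed thresholds (hypothetical; check the wording of your own policy).
MAX_PATCH_AGE_DAYS = 30          # routine security updates
MAX_ZERO_DAY_PATCH_AGE_DAYS = 3  # vulnerabilities known to be exploited
MAX_RESTORE_TEST_AGE_DAYS = 90   # how recently an offline backup was restore-tested


@dataclass
class Endpoint:
    name: str
    edr_installed: bool
    oldest_missing_patch_age_days: Optional[int]  # None = fully patched
    missing_patch_is_zero_day: bool = False


@dataclass
class Account:
    name: str
    remote_access: bool
    mfa_enforced: bool
    privileged: bool
    session_monitored: bool = False  # PAM session recording / monitoring


@dataclass
class BackupSet:
    name: str
    offline: bool
    last_restore_test: Optional[date]


@dataclass
class Inventory:
    endpoints: list[Endpoint]
    accounts: list[Account]
    backups: list[BackupSet]


def assess(inv: Inventory, today: date) -> dict[str, list[str]]:
    """Return control name -> list of findings; an empty list means the control passes."""
    f: dict[str, list[str]] = {
        "EDR on all endpoints": [],
        "MFA for all remote access": [],
        "Offline backups": [],
        "PAM for privileged accounts": [],
        "Patch management": [],
    }
    for ep in inv.endpoints:
        if not ep.edr_installed:
            f["EDR on all endpoints"].append(f"{ep.name}: no EDR agent")
        age = ep.oldest_missing_patch_age_days
        if age is not None:
            # Zero-day (actively exploited) patches get a much shorter deadline.
            limit = MAX_ZERO_DAY_PATCH_AGE_DAYS if ep.missing_patch_is_zero_day else MAX_PATCH_AGE_DAYS
            if age > limit:
                kind = "zero-day" if ep.missing_patch_is_zero_day else "routine"
                f["Patch management"].append(f"{ep.name}: {kind} patch missing for {age} days (limit {limit})")
    for a in inv.accounts:
        if a.remote_access and not a.mfa_enforced:
            f["MFA for all remote access"].append(f"{a.name}: remote access without MFA")
        if a.privileged and not a.session_monitored:
            f["PAM for privileged accounts"].append(f"{a.name}: privileged sessions not monitored")
    offline = [b for b in inv.backups if b.offline]
    if not offline:
        f["Offline backups"].append("no offline backup set exists")
    for b in offline:
        if b.last_restore_test is None:
            f["Offline backups"].append(f"{b.name}: never restore-tested")
        elif (today - b.last_restore_test).days > MAX_RESTORE_TEST_AGE_DAYS:
            f["Offline backups"].append(f"{b.name}: last restore test {(today - b.last_restore_test).days} days ago")
    return f


def passed(findings: dict[str, list[str]]) -> list[str]:
    """Names of the controls with no findings."""
    return [c for c, items in findings.items() if not items]


# Constructed sample inventory (made up for this example).
SAMPLE_TODAY = date(2022, 3, 1)
SAMPLE = Inventory(
    endpoints=[
        Endpoint("laptop-01", True, None),
        Endpoint("server-db", True, 45),                                    # routine patch 45 days late
        Endpoint("kiosk-02", False, 2, missing_patch_is_zero_day=True),    # no EDR; zero-day still within limit
    ],
    accounts=[
        Account("alice", remote_access=True, mfa_enforced=True, privileged=False),
        Account("vpn-contractor", remote_access=True, mfa_enforced=False, privileged=False),
        Account("domain-admin", remote_access=False, mfa_enforced=True, privileged=True, session_monitored=True),
    ],
    backups=[
        BackupSet("nightly-nas", offline=False, last_restore_test=date(2022, 2, 20)),  # online, so ransomware-reachable
        BackupSet("weekly-tape", offline=True, last_restore_test=date(2021, 10, 1)),   # offline but stale restore test
    ],
)

if __name__ == "__main__":
    for control, items in assess(SAMPLE, SAMPLE_TODAY).items():
        print(f"{control}: {'PASS' if not items else 'FAIL'}")
        for item in items:
            print("   -", item)
```

Every check is an all-assets test rather than a count: one laptop without EDR or one VPN account without MFA fails the control, which matches how renewal questionnaires are typically worded (“implemented on all endpoints”, “required for all remote access”).  Feeding it real data means exporting the inventory from the EDR console, identity provider, patch system and backup software rather than hand-writing it as done here.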


Jack Pine Consulting has assisted its customers with simplifying compliance with all of these Cyber Insurance requirements. We start with a Risk Assessment Program to diagnose the current security landscape, make recommendations, and then proceed with implementation of the new security measures.


[1] IBM, Cost of a Data Breach Report 2021

[2] Cyber Insurance Academy

[3] Malwarebytes

[4] https://www.microsoft.com/en-us/security/business/security-101/what-is-identity-access-management-iam

[5] https://www.microsoft.com/en-us/security/business/security-101/what-is-privileged-access-management-pam
