Cybersecurity liability insurance has progressed dramatically since the first bona fide policies emerged in the late 1990s. Some of the greatest changes that have occurred in recent years include insurance companies no longer insuring against state-sponsored attacks or ransomware events. The insurers do not want to become part of a cyber-war. In some cases of ransomware, the attackers have figured out how much cyber liability coverage a company has, and that is the payment that they request for the decryption key. This has all led to insurance companies increasing their due diligence prior to underwriting any cyber liability policies.
Pre-insurance questionnaires have become more detailed, expecting not only affirmative assurances, but seeking the confidence that a company is performing more than the minimum in order to qualify for coverage. Along with that, companies that qualify for coverage have to maintain and improve their security practice in order to renew the policy over the course of the contract.
Each insurer has its own criteria for insurability; however, in preparation for coverage, an organization needs to address five main topics:
- Visibility
- Risk Management
- Prevention Controls
- Detection
- Response
Visibility
Visibility is commonly known as asset inventory. Since you cannot protect what you cannot see, it is vital that you have a complete list of all assets. Visibility pertains to more than just physical assets. It is also important to know what sensitive data resides in your enterprise, as well as how you discover those assets and determine who should have access to them. To go beyond the asset inventory, results from various testing methods, such as penetration testing and application security testing, can show how your organization aims for continuous improvement.
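The gap between "what we believe we have" and "what actually answers on the network" is what an underwriter's visibility questions probe. The following is an added example, not code from the original post or from Tripwire/Fortra: it reconciles a constructed inventory against a constructed discovery result and reports unknown hosts, hosts that have gone missing, and records that have gone stale. The record fields, addresses and dates are all assumptions made up for the illustration.

```python
"""Asset inventory reconciliation (added example; all data below is constructed).

Compares the organization's recorded inventory with the set of hosts observed
by a discovery scan and flags the three findings an inventory review cares about:
  - unknown: observed on the network but absent from the inventory
  - missing: in the inventory but not observed (decommissioned? or just off?)
  - stale:   inventory records not refreshed within the review window
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class InventoryRecord:
    ip: str
    hostname: str
    owner: str          # team accountable for the asset
    data_class: str     # e.g. "public", "internal", "regulated"
    last_seen: date     # when the record was last confirmed


# Constructed inventory: what the organization believes it has.
INVENTORY = [
    InventoryRecord("10.0.1.10", "web-01", "platform", "internal", date(2024, 5, 1)),
    InventoryRecord("10.0.1.11", "db-01", "data", "regulated", date(2024, 5, 1)),
    InventoryRecord("10.0.2.50", "legacy-fs", "unknown", "internal", date(2023, 11, 3)),
]

# Constructed discovery result: hosts that answered during a scan on SCAN_DATE.
DISCOVERED = {"10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.3.7"}
SCAN_DATE = date(2024, 5, 15)


def reconcile(inventory, discovered, scan_date, stale_after_days=90):
    """Return the reconciliation findings as sorted lists plus a coverage ratio."""
    known = {r.ip: r for r in inventory}
    unknown = sorted(ip for ip in discovered if ip not in known)
    missing = sorted(ip for ip in known if ip not in discovered)
    stale = sorted(r.ip for r in inventory
                   if (scan_date - r.last_seen).days > stale_after_days)
    unowned = sorted(r.ip for r in inventory if r.owner == "unknown")
    # Coverage: share of observed hosts that the inventory can account for.
    coverage = (len(discovered) - len(unknown)) / len(discovered) if discovered else 1.0
    return {
        "unknown": unknown,
        "missing": missing,
        "stale": stale,
        "unowned": unowned,
        "coverage": coverage,
    }


def run_reconciliation():
    """Run the reconciliation over the constructed data set."""
    return reconcile(INVENTORY, DISCOVERED, SCAN_DATE)


if __name__ == "__main__":
    for finding, value in run_reconciliation().items():
        print(f"{finding:>9}: {value}")
```

The two unknown hosts are the finding to chase first: until they are identified and assigned an owner, nothing in the prevention or detection sections below can be claimed for them.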
Risk Management
As part of reducing your attack surface, risk management can help to prioritize remediation for critical exposures. You may not want to insure every asset in the organization, and if that is the case, you must be able to prove that the covered assets are carefully segmented from the rest of the environment.
Identity and Access Management (IAM) is also a key component of a strong risk management program. In some cases, multi-factor authentication using an authenticator app is the minimum expectation for network access. Hardware-based IAM is viewed by many as superior to app-based authentication. Evidence of a configuration management system is also an advantage when proving insurability.
Prevention Controls
Once the assets are accounted for, and the risks are assessed, it is necessary to show how you protect these sensitive resources. You want to be able to show that the enterprise is shrouded in security, not only at every ingress and egress, but within the environment as well. Part of this would include Endpoint Detection and Response (EDR), email security, and also Data Loss Prevention (DLP) capabilities. These will provide area-wide protection. These capabilities can be augmented with ongoing monitoring and tuning, which shows that there is heightened security attention in the organization.
Detection
Since a 100% prevention mechanism is not possible, a good detection mechanism is required. Security always relies on a layered defense. The minimum expectations for this include web security, an Intrusion Detection System (IDS), and a log management solution. To further elevate your layered defense, add a Web Application Firewall (WAF), threat hunting, and a Security Operations Center (SOC).
Response
All of these topics are undermined in the absence of a response plan. In the event of a compromise, the primary goal of a business is to return to normal operations as quickly as possible. All of the previous preparatory steps are performed to minimize any damage.
Part of a response plan is a solid data backup and recovery program. Backups must be verified and tested. Not only is a written response plan necessary, it must be shared with everyone involved, and it must be rehearsed on a consistent basis. Rehearsal factors into success for any team-based event, and corporate incident response involves almost every department within an organization.
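"Verified and tested" means more than confirming that the backup job reported success. The following is an added example, not code from the original post or from Tripwire/Fortra: it records a SHA-256 manifest of the source tree when the backup is taken, then checks a restored copy against that manifest so that truncated, lost and stray files are all reported. The directory layout, file contents and the simulated restore faults are constructed for the illustration; the copy steps stand in for whatever backup and restore tooling an organization actually uses.

```python
"""Backup restore drill with manifest verification (added example; constructed data).

build_manifest() hashes every file under a tree; verify_restore() compares a
restored tree against a saved manifest and reports what changed. restore_test()
runs the whole drill in a temporary directory with three deliberate faults.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root (POSIX form) to its SHA-256 hash."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest taken at backup time."""
    actual = build_manifest(restored)
    report = {
        "intact": sorted(k for k in manifest if actual.get(k) == manifest[k]),
        "modified": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in actual),
        "unexpected": sorted(k for k in actual if k not in manifest),
    }
    report["ok"] = not (report["modified"] or report["missing"] or report["unexpected"])
    return report


def restore_test() -> dict:
    """End-to-end drill on a constructed tree: back up, restore, inject faults, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source = base / "source"
        (source / "config").mkdir(parents=True)
        (source / "config" / "app.yaml").write_text("db_host: db-01\n")
        (source / "customers.csv").write_text("id,name\n1,Example Customer\n")
        (source / "notes.txt").write_text("runbook pointer\n")

        manifest = build_manifest(source)          # recorded when the backup is taken
        backup = base / "backup"
        shutil.copytree(source, backup)            # stand-in for the backup job
        restored = base / "restored"
        shutil.copytree(backup, restored)          # stand-in for the restore procedure

        # Three faults a drill should surface, injected on purpose:
        (restored / "customers.csv").write_text("id,name\n")   # truncated content
        (restored / "config" / "app.yaml").unlink()            # file lost in restore
        (restored / "stray.tmp").write_text("leftover")        # file that should not exist

        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for key, value in restore_test().items():
        print(f"{key:>10}: {value}")
```

The manifest should be stored separately from the backup it describes, so that a backup altered after the fact cannot also rewrite the evidence used to check it; a clean restore is one whose report has `ok` set and nothing in the other three lists.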
Insurance provides an organization with the cushion of risk transference. However, no insurer will assume the burden of accepting a risk in the absence of good security. Depending on the policy that an organization is seeking, an insurance provider can ask very tough questions before it underwrites the risk. It is important for an organization seeking cybersecurity insurance to carefully review its security posture prior to seeking coverage.
To learn about cyber insurance and other related topics, you can check out the on-demand sessions from Fortra’s most recent cybersecurity week.