The US is under huge threat from ransomware gangs. In fact, it was the most targeted region in 2021, accounting for 53% of all ransomware attacks globally. IT and security leaders are still hugely concerned about this form of cyber-attack, with 59% believing the ransomware crisis worsened over the second quarter of this year.
As the threat increases, organizations are increasingly looking to cyber insurance as part of their risk management strategies. However, insurers are struggling to assess cyber risk, leading to soaring premiums and limited coverage. Earlier this year it was reported that the cost of cyber insurance cover more than doubled in the fourth quarter of 2021 alone. Worryingly, this increase is only set to continue.
Despite the high prices, many businesses still see value in cyber insurance. Being covered means less disruption to day-to-day operations in the event of an attack as well as crucial legal and financial support.
Alongside a whole host of proactive cybersecurity solutions – like vulnerability monitoring, endpoint detection and response (EDR) and Continuous Controls Monitoring (CCM) – cyber insurance ultimately forms a crucial part of an enterprise’s security strategy. Yet, to make it an achievable and affordable component, there is a growing need for organizations to find a more accurate way of assessing their security posture and evidencing their cyber-hygiene. The subjective questionnaires used by insurers today simply won’t cut it anymore.
The story so far
Cybercrime and cyber insurance must be looked at through a business lens; both the ransomware gang and the insurer have the end goal of making a profit. While criminals will look for the lowest hanging fruit and the easiest target – with the greatest reward – insurers need to guarantee they are not losing money when they pay out on multiple costly breaches.
As a result of both of these factors, premiums are rising and show little sign of slowing down. Panaseer’s recent research, a survey of global insurers across the UK and US, found that 82% are expecting the rise in premiums to continue. The survey also identified that the largest ransom pay-outs by these insurers across the last two years average $3.5 million.
It is likely that the complexity of IT environments, as a result of pandemic-driven digital investment, has a significant role to play here. As cyber-crime increased, many turned to more point solutions to protect their hybrid IT environments. In fact, one report found that the number of security tools in use among enterprise security teams has increased over the last two years by around 19%.
The average enterprise security team now uses 76 different tools. These tools are typically siloed, do not communicate with each other and, ultimately, do not know what they don’t know. As tool sprawl increases, so does the IT complexity that makes it easier for ransomware gangs to exploit gaps and unpatched vulnerabilities.
Pair this complex environment with a lack of talent and it’s no wonder ransomware is an ever-increasing threat. The critical skills gaps and the regular waste of resources have combined to plague the cybersecurity industry. There is reportedly still a cybersecurity workforce gap of more than 2.72 million positions, while security teams spend more than half their time (54%) manually producing reports.
The result is unsurprisingly more exploitable security gaps, less control for organizations and almost no reliable visibility for insurers into their clients’ security posture. Panaseer’s research shows that around two-thirds of security leaders lack confidence in their ability to prove controls are working as intended, and three-quarters of insurers admit their lack of visibility into customers’ security posture is driving price increases.
Yet it is also the case that threat actors themselves are innovating and evolving. In fact, 73% of insurers surveyed claimed the increasing sophistication of threat actors is another leading cause of rising premiums. One example we’ve seen is the emergence of Ransomware-as-a-Service which, along with advanced tactics, techniques and procedures being shared across dark web forums, has democratized this form of cyber-crime.
Metrics and measures to reduce premiums
It’s not all doom and gloom. While ransomware will continue to pose a significant threat to businesses in the US, there are ways these enterprises can reduce their premiums and increase their coverage. Panaseer’s research found that insurers would like to see evidence of multiple layers of protection to get the best understanding of customers’ security postures and effectively assess the risk. These include cloud security, vulnerability management, application security, privileged access management, security awareness and patch management.
This layered approach is required because insurers expect organizations to have good cyber-hygiene across the whole spectrum of cybersecurity controls. For example, excellent workforce security awareness is pointless if vulnerabilities are never patched.
Most crucially, more evidence and transparency are needed. 89% of insurers state they would value direct access to a customer’s security metrics and measures providing the status of their security controls. In other words, insurers want access to the data that highlights where controls are working and where there are gaps or vulnerabilities that must be patched.
It is these metrics and measures that will certainly have a bigger role in cyber insurance moving forward. There is a new market developing in which insurers offer a reduction on pricing if an organization can provide evidence of their security posture through a specific security platform, as long as they know it is a good product that can improve cyber-hygiene. It is likely we will see more of this and growing collaboration across cyber insurance and security platforms. The old way of doing cyber insurance is coming under pressure and may not be feasible for much longer, especially as there are smaller and more agile organizations capable of going further and offering better support.
The role of Continuous Controls Monitoring (CCM)
The insurance industry would hugely benefit from more oversight and access to customer data, which is where CCM is so valuable. By using security automation to allow immediate access to trusted metrics and measures, organizations can prove the efficacy of their security controls and evidence this to their stakeholders, insurers and regulators. The data within a CCM solution is continuously updated, meaning the evidence of controls maturity is near real time. What’s more, automation frees up security teams to focus on strengthening their enterprises’ security posture and patching critical systems.
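The paragraph above describes CCM in outline only. The following is an added illustration, not Panaseer’s product or code, of the reconciliation at the heart of the idea: siloed tools (CMDB, EDR, vulnerability scanner, PAM) each hold a partial inventory, and the coverage metrics an insurer wants come from joining those inventories against the authoritative asset list and reporting the gaps. All inventories below are constructed sample data, and the hostname is assumed to be a usable join key across tools (in practice it rarely is, which is much of the work).

```python
from datetime import date

# Constructed sample inventories (assumption: the hostname is the join key
# across tools; real tools rarely agree on one, which is half the CCM problem).
CMDB = {"web-01", "web-02", "db-01", "app-01", "jump-01"}  # authoritative asset list
EDR_AGENTS = {"web-01", "web-02", "app-01", "jump-01"}     # hosts checking in to EDR
VULN_SCANS = {                                             # last scan and open criticals
    "web-01": {"scanned": date(2022, 10, 1), "open_critical": 0},
    "web-02": {"scanned": date(2022, 10, 1), "open_critical": 2},
    "db-01": {"scanned": date(2022, 7, 15), "open_critical": 1},
    "app-01": {"scanned": date(2022, 10, 2), "open_critical": 0},
    # jump-01 has never been scanned: the scanner does not know what it does not know
    "lab-09": {"scanned": date(2022, 9, 30), "open_critical": 3},  # unknown to the CMDB
}
PAM_REQUIRED = {"db-01", "jump-01", "app-01"}  # policy: admin accounts must be vaulted
PAM_ENROLLED = {"db-01", "jump-01"}            # hosts the PAM tool actually vaults
TODAY = date(2022, 10, 5)
SCAN_MAX_AGE_DAYS = 30


def coverage(required, covered):
    """Return (percent of required assets the control covers, gap set)."""
    gap = required - covered
    pct = 100.0 * (len(required) - len(gap)) / len(required) if required else 100.0
    return round(pct, 1), gap


def currently_scanned(cmdb, scans, today, max_age_days):
    """CMDB assets with a vulnerability scan no older than max_age_days."""
    return {h for h in cmdb
            if h in scans and (today - scans[h]["scanned"]).days <= max_age_days}


def shadow_assets(cmdb, *tool_inventories):
    """Assets a tool reports but the CMDB has never heard of (inventory drift)."""
    return set().union(*tool_inventories) - cmdb


def ccm_report(cmdb=CMDB, edr=EDR_AGENTS, scans=VULN_SCANS,
               pam_required=PAM_REQUIRED, pam_enrolled=PAM_ENROLLED,
               today=TODAY, max_age_days=SCAN_MAX_AGE_DAYS):
    """Per-control metrics plus the cross-control view a questionnaire cannot give."""
    edr_pct, edr_gap = coverage(cmdb, edr)
    scanned = currently_scanned(cmdb, scans, today, max_age_days)
    scan_pct, scan_gap = coverage(cmdb, scanned)
    patched = {h for h in scanned if scans[h]["open_critical"] == 0}
    patch_pct, patch_gap = coverage(cmdb, patched)
    pam_pct, pam_gap = coverage(pam_required, pam_enrolled)
    # An asset only counts as controlled when every applicable layer holds; one
    # failing layer fails that host, however good the other layers look.
    fully_controlled = {
        h for h in cmdb
        if h in edr and h in patched and (h not in pam_required or h in pam_enrolled)
    }
    return {
        "edr_coverage_pct": edr_pct, "edr_gap": edr_gap,
        "scan_coverage_pct": scan_pct, "scan_gap": scan_gap,
        "no_open_critical_pct": patch_pct, "patch_gap": patch_gap,
        "pam_coverage_pct": pam_pct, "pam_gap": pam_gap,
        "fully_controlled": fully_controlled,
        "shadow_assets": shadow_assets(cmdb, edr, set(scans), pam_enrolled),
    }


if __name__ == "__main__":
    for key, value in ccm_report().items():
        print(f"{key:>22}: {sorted(value) if isinstance(value, set) else value}")
```

Two points the per-tool dashboards would miss are visible here: jump-01 has an EDR agent but has never been scanned, so the scanner alone would never flag it, and lab-09 is scanned but absent from the CMDB, so coverage percentages computed from the scanner’s own inventory would be silently wrong. Running the report on a schedule, rather than once a year for a questionnaire, is what turns these numbers into the near-real-time evidence the section describes.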
This option is far more agile and relevant than outdated insurer questionnaires. It means risk assessments are more reliable, businesses with strong security controls become more attractive customers to insurers, and organizations can reduce their premium costs.
In an era where ransomware attacks show no sign of abating, the cyber insurance industry will continue to grow as long as it can identify new ways to assess and evidence cyber-risk. CCM will play a huge role moving forward, as a way to improve visibility, measurement and remediation while allowing organizations and insurers more control.
Ultimately, it all comes down to security data. With more reliable information, organizations are better placed to incorporate cyber insurance into their all-important cybersecurity strategies. For CISOs, it’s time to act. They can’t wait until they’re priced out of the market, but must instead turn to solutions like CCM to evidence their security posture and ensure they can get the coverage they need.
For more information, visit: panaseer.com
This article was originally published in the October edition of Security Journal Americas.