10 Key Controls to Show Your Organization Is Worthy of Cyber Insurance

More-effective cyber-risk management controls can help bolster a company's policy worthiness. Start with these 10 tips to manage risk as underwriter requirements get more sophisticated.

Paul Trulove, CEO, SecureAuth

August 8, 2023


Increasing concerns about ransomware and other breaches, especially at the credentials level, are likely why organizations are investing in cyber insurance at greater rates than ever before: 48% have already invested in cyber insurance (registration required) for identity-related incidents, and another 32% plan to invest.

But while many organizations see cyber insurance as a vital tool for managing cyber-risk, insurers are putting stricter coverage policies in place and increasingly denying claims. As organizations face heightened scrutiny and undergo tighter underwriting processes, it's important to be able to show that your organization is worthy of cyber-insurance coverage.

Changing Dynamics of Cyber Insurance

For the last couple of years, insurance companies have become increasingly careful about underwriting cyber-insurance policies, making it harder for organizations to purchase policies at an affordable price point with the coverage level needed. It's not difficult to figure out why insurers are hesitant — cyberattacks continue to increase while losses may exceed what the insurance market is able to absorb. Higher loss ratios for cyber insurance in 2020 and 2021 resulted in higher premiums in 2022 to manage that risk.

According to Check Point Research, there was a 38% increase in global attacks in 2022 compared with 2021, accompanied by rising costs for insurers defending and settling cyber claims. IBM's "Cost of a Data Breach Report 2023" (registration required) showed 83% of organizations experienced more than one data breach, while the average cost of a data breach reached $9.44 million in the United States and $4.25 million globally. Verizon's "2023 Data Breach Investigations Report" rates stolen credentials as the primary way attackers access an organization, followed closely by phishing.

Small wonder that premiums are rising, claim payouts are often limited, and some claims are denied altogether. A 2013-2019 analysis by Willis Towers Watson showed 27% of data breach claims had an exclusion in the policy that prevented payout or full payout. More recently, Travelers Property Casualty Company of America denied coverage and sought to rescind a cyber policy due to alleged material misrepresentations in the International Control Services Inc. (ICS) application signed by the CEO regarding the enterprisewide use of multifactor authentication (MFA). Both parties agreed to void the policy. Misrepresenting the identity controls in place certainly didn't protect ICS from attackers — but it did result in lost cyber insurance.

It's not surprising that insurers themselves are now proponents of more effective cyber-risk management for policy holders. Expect to see underwriters do the following:

  • Deny coverage if you don't have bare-minimum controls in place. This may include raising the bar for minimum controls. For example, traditional MFA may not be accepted as a strong enough control due to man-in-the-middle (MitM) attacks.

  • Tie premiums to the maturity of your security controls.

  • Include additional conditions and limitations on policies based on the security posture of policyholders and the controls in place when an incident occurs.

Controls Show Policy Worthiness

Many organizations are trying to figure out exactly what they need to implement in order to satisfy the changing requirements of cyber-insurance underwriters. A good place to start is with these 10 controls to manage cyber-risk:

  1. Use invisible/phishing-resistant MFA and move to a passwordless solution.

  2. Segment and segregate networks.

  3. Adopt a robust data backup strategy.

  4. Disable administrative privileges on endpoints.

  5. Conduct regular employee security awareness training.

  6. Deploy endpoint detection and response (EDR) and anti-malware solutions.

  7. Implement Sender Policy Framework (SPF) to prevent email spoofing and phishing attempts.

  8. Create a security operation center (SOC) that operates 24/7.

  9. Deploy a security information and event management (SIEM) platform to enable threat detection, incident response, and compliance management.

  10. Implement robust security measures for service accounts within Active Directory (AD) environments.

These 10 controls are a great starting point, but there are many more factors underwriters evaluate as they review new policy applications. It's a safe bet that underwriters will get more sophisticated about their requirements for identity protection, authentication mechanisms, access controls, and identity management processes to minimize the likelihood and potential impact of a data breach. And as the insurance market and cyberattack landscape continue to change, make sure your cyber-risk management approaches keep pace.

Improve Risk Management for Better Coverage

Many cyber-insurance policies require organizations to comply with specific regulations related to data protection and privacy. Demonstrating compliance with these regulations increases your likelihood of qualifying for coverage, possibly leading to more favorable policy terms as well. Compliance can also demonstrate your commitment to securing identities and personal information, which can positively influence insurance underwriting decisions, coverage terms, and premiums.

As cyberattacks continue to rise, a good cyber-insurance policy helps organizations prepare for and manage the seemingly inevitable ransomware attacks and data breaches. Putting identity access management and next-gen authentication at the center of your security program can help you manage cyber-risk, comply with regulations, and meet cyber-insurance underwriting requirements.

About the Author(s)

Paul Trulove

CEO, SecureAuth

Paul Trulove holds 15+ years of IAM experience in senior leadership roles, and as CEO of SecureAuth, he sets the vision and strategy. More recently, Paul was CPO at SailPoint Technologies, where he joined in 2007 as Head of Product, driving the product strategy, road map, and messaging for its market-leading identity management portfolio. He played a key role in taking SailPoint from an identity pioneer to its successful IPO.

Prior to SailPoint, Paul gained extensive experience in formulating innovative product strategies, launching products in early-stage ventures, and growing products into category leaders at tech companies including Newgistics, Sabre, and Pervasive Software.
