The demand for cyber insurance – a type of cover designed to protect businesses against threats such as ransomware attacks and data breaches – has never been greater.
This is a positive indication of improved awareness around the need to strengthen security defences. However, as demand rises it’s becoming more difficult to obtain cover.
Many insurers are driving up the cost of premiums to protect themselves as claims increase. Across the board, the list of requirements, restrictions and exclusions is becoming progressively stricter. Some providers are refusing to take on customers they deem too risky, making the availability of policies a concern.
Given the volatility in the current cyber threat landscape, businesses simply can’t afford to find themselves edged out of the cyber insurance market. According to Statista, the global cost of cybercrime is expected to surge to $23.84 trillion by 2027 – a threefold increase on the $8.44 trillion recorded in 2022.
Aligning with key criteria
Insurers have become increasingly pragmatic, demanding that businesses have a baseline of protective technology tools and processes in place before they’ll underwrite a policy.
Among the most stringent stipulations, the proper management of access to the organisation’s privileged accounts, data backup systems, and user endpoints really stands out. By addressing these areas, businesses will make good progress towards improving their robustness, and their insurability.
Managing privileged access
Privileged access is being highlighted by cyber insurance specialists as a particular point of weakness. Privileged accounts allow individuals to perform processes such as installing new software or changing configuration settings. If criminals get hold of the logins, they can steal or delete data, or wreak havoc by making changes to systems, servers, applications and devices.
Providers are scrutinising how businesses control access to their privileged credentials. Traditional identity access management (IAM) tools don’t provide sufficient protection; they work by proving the user is who they say they are before letting them log in. Specialist privileged access management (PAM) tools take security up a level, by controlling what users can access, and exactly what they can do.
Protecting backed up data
Insurers will look for additional protection around critical systems, such as backups, which are essential to the ability to recover and restore data in the event of, for example, a ransomware attack. Businesses should ensure their data is backed up to multiple onsite and offsite locations, and that effective access controls are applied to backup systems.
Guarding the endpoint
Employees’ laptops, devices and workstations are attractive entry points for cyber attackers aiming to get a foothold in the corporate network. If staff have privileged admin rights activated, this heightens the damage attackers can do once inside. Insurers will want to see that systems are in place to handle the situations where humans make mistakes – for instance forgetting to log out, or jumping onto an unsecured Wi-Fi network.
Rather than an obstacle, the burgeoning list of eligibility criteria for cyber insurance should be viewed as an opportunity to strengthen security posture in line with best practice. Ultimately, it’s in insurers’ interest to keep policyholders safe. If customers have a strong set of protections, the chances that insurers will have to make a payout will be reduced.
Reviewing these requirements should therefore be the first port of call for businesses wanting to apply for or renew a policy. Having appropriate access controls in place has become a vital piece of the puzzle, and the requirements will shift as the threat landscape evolves. Businesses must invest time now in identifying how they can better protect themselves against increasingly sophisticated and frequent cyber attacks, to avoid being left out in the cold.