The Cyber Risk Insurance Series
Our CTO, Cameron Fairbairn, discusses how to use cyber resilience to reduce your cyber risk insurance premiums.
For most organisations, applying for and embedding the necessary protocols to meet eligibility guidelines for cybersecurity insurance is a complex and obscure field.
As the severity and frequency of cyber-attacks grow, businesses with significant cybersecurity vulnerabilities and high risk industries are finding it increasingly challenging to secure cyber risk insurance coverage.
Equally, insurers are tightening underwriting guidelines and becoming more selective about who they cover, requiring organisations to have implemented specific security controls and clear risk mitigations before granting coverage. Leading insurance company Gallagher noted that businesses lacking appropriate cyber security controls can expect to see substantial rate hikes (100% to 200%), reduced coverage terms, and even possible non-renewals of their insurance policies [1].
At Proaxiom, our Audit to Assurance + Cyber Insurance Readiness program tackles this head on, providing the processes and tools, and embedding the controls, you need to access comprehensive cyber risk insurance protection and achieve ASD Essential Eight Level 3 compliance in 8 weeks.
What security controls do insurers look for?
We’ve undertaken detailed research into cyber risk insurance requirements and reviewed many insurer questionnaires on behalf of our clients. While many of the questions relate to controls that align with the ASD Essential Eight, many others go beyond it, including:
Network segmentation
Insurers know that if your network isn’t sufficiently partitioned with a central firewall, attackers will have a much easier time moving laterally and finding high value targets. Where most SMEs have a single, large network, introducing network segmentation and firewall rules will control traffic and ensure network activity is logged centrally for review.
Data encryption
Data encryption is highly regarded by insurers when evaluating an organisation’s risk management practices. It serves as a critical defence mechanism against data breaches: encrypting sensitive data limits the damage in the event of unauthorised access, and a demonstrated commitment to it is a strong indicator of an organisation’s commitment to data security.
Security awareness training
The best kind of protection starts with the front line. So, it’s not a surprise that evidence of undertaking security awareness training is a critical requirement for insurers. If a threat actor can trick a team member into giving up their credentials, they can use this account as an initial point of entry. If your team hasn’t been trained to identify and report these threats, the risk of a successful cyber-attack increases significantly.
Endpoint security
If your computers don’t have adequate protections against malware and malicious activity, a threat actor can leverage those weaknesses to undertake an attack. Insurers want to see proof of an Endpoint Protection Platform (EPP), an Endpoint Detection and Response (EDR) system, and centralised telemetry. They will also be looking for evidence of how you’ve reduced and managed access privileges across your organisation.
Email security
A high percentage of threats originate from email messages, using phishing and whaling techniques to harvest credentials and deliver malicious payloads. Insurers will be looking for you to demonstrate that you have taken appropriate steps to secure your environment through the implementation of a mail security gateway that logs data centrally for review by security team members.
Web security
Credential phishing and malware distribution bring significant risks. Insurers want to ensure you have a secure web gateway, acting as a barrier that filters malicious web traffic and ensures compliance with company policies. Central logging that records and analyses web traffic data is critical in identifying potential threats, aiding forensic analysis, and maintaining compliance records.
Security Information and Event Management (SIEM)
A SIEM is crucial in the cybersecurity landscape for its ability to provide real-time analysis of security alerts generated by applications and network hardware. By aggregating and analysing log data, organisations can proactively identify patterns and anomalies and facilitate prompt and effective responses to potential incidents. This proactive stance reduces the likelihood and impact of security breaches, leading to fewer claims and lower risk for the insurer. So they’ll want to see that you have implemented a SIEM platform and evidence that your security telemetry is aggregated there.
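To make the "aggregating and analysing log data" point concrete, here is an added example that is not part of the original post or of Proaxiom's program. It takes constructed log lines from two hypothetical sources with different formats (a VPN concentrator and a mail server), normalises them into one timeline, and runs a single correlation rule: a source IP that racks up repeated authentication failures and then succeeds within a short window. The hostnames, users and IP addresses are all made up; the point is that the pattern only becomes visible once both sources sit in the same place.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data) from two hypothetical sources.
# The formats differ on purpose: a SIEM's first job is normalising them.
VPN_LOGS = [
    "2024-03-01T09:00:05 vpn01 user=alice src=203.0.113.7 result=FAIL",
    "2024-03-01T09:00:09 vpn01 user=alice src=203.0.113.7 result=FAIL",
    "2024-03-01T09:00:14 vpn01 user=alice src=203.0.113.7 result=FAIL",
    "2024-03-01T09:00:21 vpn01 user=alice src=203.0.113.7 result=OK",
    "2024-03-01T09:05:00 vpn01 user=bob src=198.51.100.4 result=OK",
]
MAIL_LOGS = [
    "Mar  1 09:01:02 mail01 imap-login: Login failed user=<carol> rip=203.0.113.7",
    "Mar  1 09:01:10 mail01 imap-login: Login failed user=<dave> rip=203.0.113.7",
    "Mar  1 09:30:00 mail01 imap-login: Login ok user=<erin> rip=192.0.2.9",
]

VPN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<res>\S+)$"
)
MAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) imap-login: "
    r"Login (?P<res>failed|ok) user=<(?P<user>[^>]+)> rip=(?P<ip>\S+)$"
)


def parse_vpn(line):
    """Normalise one VPN line into the common event schema, or None if unparseable."""
    m = VPN_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "source": m["host"],
        "user": m["user"],
        "ip": m["ip"],
        "outcome": "success" if m["res"] == "OK" else "fail",
    }


def parse_mail(line, year=2024):
    """Normalise one syslog-style mail line; syslog omits the year, so it is supplied."""
    m = MAIL_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "source": m["host"],
        "user": m["user"],
        "ip": m["ip"],
        "outcome": "success" if m["res"] == "ok" else "fail",
    }


def aggregate(vpn_lines, mail_lines):
    """Merge both sources into one time-ordered list, dropping lines that fail to parse."""
    events = [parse_vpn(line) for line in vpn_lines]
    events += [parse_mail(line) for line in mail_lines]
    return sorted((e for e in events if e), key=lambda e: e["ts"])


def correlate(events, threshold=3, window=timedelta(minutes=10)):
    """Correlation rule: a source IP that accumulates `threshold` or more failed
    logins inside `window` (any user, any source) and then succeeds is flagged.
    Looking at a single source would miss the case where failures and the
    eventual success are split across systems, which is why we aggregate first."""
    recent_fails = defaultdict(list)  # ip -> [(ts, user), ...] still inside the window
    alerts = []
    for e in events:
        ip = e["ip"]
        recent = [(t, u) for t, u in recent_fails[ip] if e["ts"] - t <= window]
        if e["outcome"] == "fail":
            recent.append((e["ts"], e["user"]))
        elif len(recent) >= threshold:
            alerts.append({
                "rule": "auth_failures_then_success",
                "ip": ip,
                "user": e["user"],
                "source": e["source"],
                "failures": len(recent),
                "users_targeted": sorted({u for _, u in recent}),
                "at": e["ts"].isoformat(),
            })
            recent = []  # reset so the same burst is not reported twice
        recent_fails[ip] = recent
    return alerts


def run_example():
    """Run the rule over the constructed telemetry and return the alerts."""
    return correlate(aggregate(VPN_LOGS, MAIL_LOGS))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

On the constructed data the rule fires once, for 203.0.113.7 succeeding as `alice` after three failures; the later failures from the same IP against the mail server are retained in the window but never followed by a success, so they raise nothing on their own. A real SIEM rule would also tune `threshold` and `window` per source and enrich the alert with asset and identity context, but the shape of the logic is the same.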
Security Operations Centre (SOC)
Increasingly, insurers look for evidence of a proactive and comprehensive approach to cybersecurity through an in-house or outsourced SOC. A team of cybersecurity specialists engaged in real-time threat detection, incident response, and ongoing cybersecurity management, a SOC ensures an organisation is equipped to identify and respond to threats and is proactively mitigating risks. This continuous vigilance and capability to respond to incidents reduce the likelihood of significant breaches and the associated costs. Be ready to show evidence that you have built or outsourced a SOC to a managed security services provider like Proaxiom.
Intrusion Detection and Prevention System
Intrusion Detection and Prevention Systems (IDPS) are pivotal components in detecting potential security breaches (intrusion detection) and taking action to stop those breaches from causing harm (intrusion prevention). These systems continuously monitor network and system activity for suspicious behaviour and provide real-time alerts on potential security threats; for insurers, they signify a proactive and dynamic approach to cybersecurity.
The real burden of cybersecurity on SME Executives
If this all seems like a lot, it’s because it is. Executives in SME-sized businesses are already oversubscribed and overworked, and cybersecurity concepts wrapped in jargon that is unintelligible to all but highly trained specialists make it almost impossible to keep up.
Our clients regularly share how intimidated they are by the cyber risk insurance review process, knowing that their company is failing to meet the requirements laid out by the insurer, and that many of them represent concepts that are a challenge to understand.
Relieving the cybersecurity risk burden by doing good and making better
As a business, we’re committed to doing good and making better by making it easy to protect and navigate the world of cybersecurity.
Looking for lower cyber risk insurance premiums and accessible, affordable onshore cybersecurity protection 24x7x365?
We’re here to help. Our Audit to Assurance + Cyber Insurance Readiness program is based on the trusted foundation of the Microsoft security platform, to drastically simplify your journey to meeting ASD Essential Eight Level 3 standards, and meet the mark for cyber risk insurance.
Together we’ll move forward from panic paralysis so that you can get on with running your business. We’re looking forward to helping you.
Want to know more? Get in touch.