Cyber Insurance in 2022 – Do you meet insurers’ new requirements?
As a result of a significant increase in claims and heavy losses incurred by the insurers caused by ransomware attacks on their customers in 2021, insurers have significantly raised the bar on the security standards required to purchase cyber insurance, leaving little time for organisations to catch up.
Understandably, many organisations are currently struggling to meet these new cyber security requirements, even in sectors which have a reputation for excellent cyber security standards. Insurers’ expertise on cyber risk has also developed significantly in recent times, to the extent that in many ways the Insurers themselves are now seen as one of the key drivers for improvement in enterprise cyber security.
In addition to an already hardening insurance market, failure to comply with these new requirements can lead to marked increases in premiums, reduced coverage and in some cases, insurers declining to quote or provide renewal terms. This at a time when businesses and organisations are increasingly becoming aware of the scale of the cyber exposures they face and are seeking to insure against them.
Understanding insurers’ current requirements is therefore essential for those seeking to obtain cyber insurance.
Some of the key risk controls that insurers are focusing on at present include:
Very low number of domain administrator user and service accounts (with disabled interactive login).
Tight control on open ports (some insurers analyse these prior to providing a quotation).
Multifactor authentication for all remote users and access to cloud-based services, such as Microsoft Office 365.
Multifactor authentication for all privileged accounts (both outside and within network).
Critical software and firmware security patching less than 14 days (less than 7 days is preferable).
Advanced Endpoint Detection and Response (EDR) protection.
Offline or immutable data backups.
Web Application Firewalls (WAFs) for higher risk websites, such as customer online sales or login areas providing access to sensitive information.
No legacy and/or out of support systems, or strong mitigations where these are present.
Social engineering tests conducted.
At the very least, failure to comply with the above will usually result in risk improvement requirements. For some insurers non-compliance with the above can result in them declining to provide any level of cover.
In addition to the above, and dependent upon the size and type of cyber risk exposure, the following may also be put forward as requirements by the insurer:
Intrusion Detection and Prevention Systems (IDS and IPS).
Cyber incident response plan.
Dark web intelligence.
Assurances on controls relative to specific software weaknesses, such as most recently Log4j.
Insurers generally expect the following to already be in place as standard:
IT Security and Data Protection Policies.
Clear sight of number of PII and PCI records.
Least privilege access management.
Firewalls and DMZs.
Business Continuity Plans.
Defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
Again, failure to have the above in place can result in risk improvement requirements imposed, or refusal by insurers to provide terms.
To assist clients and organisations to navigate these new requirements, minimise cyber risk and quantify cyber exposures, Griffiths & Armour are already working with our clients to undertake cyber insurance assessments.
If you or your organisation is interested in obtaining further information on Griffiths & Armour’s cyber insurance assessments, you can contact Greg Street (below) or your usual point of contact at Griffiths & Armour who will be happy to assist you.
In addition, useful guidance and template documentation on cyber risk management is also available by logging into RMworks, Griffiths & Armour’s online risk management portal available to all clients. To find out more information on RMworks or to request client login credentials please click here.