With increasing demand and growing third-party risk, cyber insurers are taking a harder look at business security, to the point where they are reducing or denying coverage based on the presence of certain technologies in a customer's environment.
Cyber insurance premiums and requirements have skyrocketed over the past three years as attack surfaces and adversary tactics have expanded. Insurance carriers struggling to keep up with the rapid evolution of cyberthreats have required customers to comply with a growing list of requirements, such as implementing multifactor authentication (MFA). But the cost of cyber claims has risen so much that cyber insurance companies are now going further.
While the work to improve security continues on both sides, there are specific technologies and practices that can affect a business's premiums. Payal Chakravarty, head of marketing at cyber insurance provider Coalition, said rates are based on factors that worry insurers. Examples include exposed Remote Desktop Protocol (RDP), which continues to be a problem for SMBs, as well as network vulnerabilities and third-party risk.
Although prices have risen, she said businesses can control costs by being more strategic about the risks associated with the products and technologies in their environment. Premium increases are tied to specific technologies, which means they are not necessarily high at every renewal, according to Chakravarty. Renewal rates are determined based on technical assessment and customer behavior, including how customers responded to Coalition's notifications and whether they fixed the problem.
For example, Chakravarty said the presence of SonicWall products on a customer's network could result in significantly higher premiums because of the increased number of threats and zero-day vulnerabilities in those products that threat actors have exploited recently. The cost can be especially high if the organization fails to remediate the flaws in time.
“You had SonicWall, [and] we know SonicWall is a problem. We told you to step up, and if you don’t, we have to pay you,” said Chakravarty.
Products with a history
Nathan Smolenski, head of cyber intelligence strategy at Netskope and former CISO at Corvus Insurance, said that if claims suddenly spike among users of a particular software vendor's product, premiums for organizations using that product will rise. This was demonstrated during the pandemic, when the rapid shift to remote work expanded the opportunities for adversaries. Attackers took advantage of the exposure and vulnerabilities of technologies such as VPNs that facilitated the move to home working.
How companies adapted to having their employees work remotely has become a big factor for the cyber insurance industry, Smolenski said. Because many companies couldn't afford to buy more VPN licenses, they exposed RDP instead.
“The bad guys go, ‘I can just go into Shodan and see all the RDP sessions available and try to hack,’ and that’s free,” he said. “This goes back to the configuration, but the weaknesses were big. We saw during the epidemic, it was like every month – Pulse Secure VPN, SonicWall, different every month. You have that problem, you have to fix it now.”
“[NPM] they didn’t have MFA, so they had a big problem, and that affected everyone – small, medium and large businesses,” he said.
When it comes to products with multiple vulnerabilities that pose a high risk, Ismael Valenzuela, vice president of threat research and intelligence at BlackBerry, cited Microsoft. Looking at the impact of vendor products on cyber insurance, he said it is important to look at the biggest risks of 2021.
“If we look at the report from the US CERT, we will see different vendors on the list, but Microsoft’s vulnerabilities continue to increase and be used more for data breaches,” Valenzuela said.
On the other hand, Andreas Wuchner, field CISO at cybersecurity vendor Panaseer, said that it is network design and configuration that raise red flags, rather than the products themselves, especially when it comes to the cloud. Insurers are asking constructive questions, such as what the company is using and whether it has implemented microsegmentation, he said, rather than product-focused questions alone.
In its “2022 Cyber Insurance Market Trends Report,” Panaseer surveyed 400 insurers worldwide; respondents cited cloud security as the most important factor in assessing a customer's security, because of the increasing number of hybrid workers.
The report also cited patch management as an important aspect of the assessment. Wuchner said many organizations are struggling to find enough time to address the growing number of common vulnerabilities and exposures (CVEs), and that patching alone does not eliminate other attack methods.
“It would be easy to blame problems on use or legacy,” Wuchner said. “There will always be a time when something is not mentioned. There is always an opportunity to use a zero day or the possibility of social engineering ransomware, where people click on something.”
Risks happen to everyone
Sometimes it seems that businesses are relying too much on cyber insurance rather than improving their security posture or controls. For example, infosec experts say it contributes to ransom payments, because a company knows the insurer will cover the payment.
Now, the cyber insurance market is shifting more of the risk back to policyholders.
Jennifer Rothstein, cyber insurance and legal expert at BlueVoyant, discussed the new concept of co-insurance, where, in the case of extortion coverage, the insured organization must contribute money out of pocket toward any ransom payment or investigation.
Rothstein also said that insurance carriers are still struggling with how to build coverage for a customer's third-party businesses or vendors. Third-party risk poses one of the biggest challenges in underwriting, and questions remain about how to deal with it.
“The coverage may or may not include their vendors, so that’s something we’re trying to figure out,” she said.
Another area that is difficult to assess is operational technology (OT) and industrial control systems (ICS). Ian Bramson, global head of industrial cybersecurity at ABS Group, has seen increased rigor in the core areas of cyber insurance audits. At first, there was a questionnaire to fill out. Now, insurers expect senior management to be on hand to answer those questions in detail.
However, he also said that many OT and ICS customers cannot answer the first question: What do you need to protect? Another problem is that ICS and OT environments have legacy issues, because the systems are designed to operate for many years. One example Bramson cited was wind turbines that have been in service for 50 years but were never designed with security or computer software in mind.
“The question is, do I pay more for my internet insurance to be less, except for more?” he said.
Moreover, OT and ICS environments support critical infrastructure, so Bramson said insurance carriers need to consider more than just the threat of data theft.
“OT attacks can lead to cyber-physical events that have far-reaching consequences,” he said. “The problem is, they don’t have a good way of writing.”