Cybersecurity leaders everywhere understand the constant threat of cyberattacks, which carry a wide range of consequences, from reputational damage and lost revenue to data loss and internal fatigue. Indeed, 45% of information security professionals have decided to leave the business altogether because of the stress caused by the constant threat of ransomware and the expectation of being "always on call".
Understandably, many organizations are adopting advanced tools and techniques to protect themselves against bad actors, and many are also acquiring cyber insurance to mitigate the effects of a successful attack. But there is a problem. This type of insurance, once a policy add-on that many organizations would buy without a second thought, has become increasingly difficult and expensive to obtain and maintain.
Businesses looking to obtain cyber insurance would be wise to adopt the principles of Zero Trust Architecture (ZTA). The ZTA philosophy is simple: "never trust, always verify." Underwriters are now reviewing applicants' security controls to confirm that adequate security solutions are in place. For example, multifactor authentication (MFA), a major component of ZTA, is now a requirement for cyber insurance coverage.
What has changed in cyber insurance?
Demand for cyber insurance keeps growing, rising 46% in 2020 alone according to an investigation by the Government Accountability Office. To add fuel to the fire, premiums have gone through the roof while the coverage insurers are willing to offer has shrunk. In 2020, premium prices rose 29% over the previous year.
Underwriters now require applicants to submit their businesses to a thorough review. This includes assessing the security measures organizations have in place to prevent, detect, and recover from attacks. In addition, many insurers require assurance that organizations have robust operational procedures in place. In short, zero-trust architecture (ZTA) is what they are looking for.
The Importance of Zero Trust
The concept of Zero Trust is deceptively simple: "never trust, always verify." It replaces the traditional perimeter-based model of network access and requires users to verify their identity at multiple points as they move through the network. This prevents attackers who infiltrate the perimeter from moving freely around the network until they reach their target.
Why do insurance companies care? Organizations without a ZTA in place are more vulnerable to cyber threats, and they spent an average of 42% more recovering from a data breach last year than those with mature deployments. This is not lost on underwriters, who understand the nature of the threats, security best practices, and the available solutions. For example, multifactor authentication (MFA) is a strong authentication method for good reason, and it is a major part of ZTA. It prevents attackers from using compromised credentials to gain access to a system by requiring a second factor, such as biometrics or a one-time password (OTP), before access is granted.
MFA has become even more important since the pandemic, as it is now common for employees to access information remotely, from many different devices and locations. MFA, along with several other tools, is now essential to obtaining cyber insurance coverage.
In addition, privileged access management (PAM) and role-based access control strengthen an organization's ZTA by ensuring that users are given access only to the systems and files they actually need.
How can organizations insure – and prevent – a successful data breach?
Insurers are in the risk business, so they carefully consider each applicant's ability to prevent an attack. They know that 61% of all breaches involve brute-force or credential-based attacks, so organizations that adhere to zero-trust policies will find it easier to obtain or renew their cyber insurance.
At a minimum, underwriters expect organizations to have the core identity-based tools and protocols that support ZTA, including identity management, MFA, privileged access management (PAM), and single sign-on (SSO). While these requirements may be hard to meet in the short term, they help organizations improve their overall security, reducing the risk of a successful breach in the long run.
Route to ZTA
Ensuring that your organization meets the requirements of cyber insurers can be a major undertaking, and unfortunately there are no shortcuts.
Start by talking to your finance, IT, security, and compliance teams. You need evidence-based answers to the questions below, and a clear plan for any of them where the honest answer is "no."
- Is identity and access management (IAM) the foundation of your Zero Trust architecture, protecting people and resources from unauthorized access?
- Have you assessed your digital maturity and adjusted your security strategy based on the findings?
- Do you have an MFA solution in place to strengthen security?
- Are you using a PAM solution that protects privileged accounts from unauthorized access?
Ultimately, success comes down to good planning, transparency, and a willingness to collaborate with underwriters to ensure that your security and IT infrastructure meet their requirements. In the end, neither you nor your insurance company wants to see a claim filed.