The Cost of Cyber Insurance is Rising. Here's How to Reduce Yours

It wasn’t long ago that CISOs were commenting on how cheap cyber insurance premiums were. Pre-pandemic, $1 million in coverage for under $1,000 was not unheard of. But since then, the cost of cyber insurance has been rocketing: the average rate increase in the first quarter of 2022 was almost 70%.

At the same time, the demand for coverage has also grown. Most IT security professionals, and their boards, recognize that a cyberattack on their organizations is highly likely and that cyber insurance is vital with today’s current threat level. We’re also seeing cyber insurance becoming increasingly a requirement to do business with other parties. Organizations are looking for ways to better manage risk, and transfer some of that risk to their partners.

If demand is high, why the price rise?

The reasons for this price hike won’t be a surprise to you. Cyberattacks, such as ransomware and supply chain attacks, have increased dramatically in recent years. As a result, insurance carriers' payouts have risen and the industry’s loss ratio has increased significantly.

That said, the loss ratio improved in 2021, falling from 65.4% in 2021 from 72.5% in 2020. This could be because the cyber insurance industry has become more cautious about underwriting policies in recent years.

It’s getting harder to get cyber insurance

While the rise in ransomware attacks is often a driver for purchasing cyber insurance, it’s also one of the reasons it’s getting harder to get coverage.

Average ransom payments reached $812,000 in 2021, with the biggest ransom demands ever. JBS paid out $11 million; Colonial Pipeline $4.4 million; and ransomware-as-a-service operation, REvil, demanded Acer pay $50 million to decrypt the company's network and not leak its data on the Dark Web.

As a result, cyber insurers are changing their limits and coverage, with some insurers suspending reimbursements entirely and others asking policyholders to pay half of the ransom.

Insurers are also mitigating risk by making it harder to get coverage at all. If you’ve recently completed a proposal form and the supplemental questionnaire to apply for cyber insurance, you’ll understand why.

There are four main prerequisites insurers require to consider insuring you. They are:

1. Regularly back up critical data to an “offline” location
2. Use multi-factor authentication (MFA) for all your services and applications
3. Don’t allow remote access to a corporate network without a virtual private network (VPN)
4. Provide regular cybersecurity awareness training, including anti-phishing, to all individuals who have access to your organization’s network or confidential/personal data

Prerequisites like enforcing multifactor authentication (MFA) are good for everyone. Not only do they help the insurer manage its risk exposure, they help you reduce your risk of attack and, over the next few years, they will also help stabilize premiums.

However, to get coverage for ransomware, the criteria for acceptance becomes even more stringent. A ransomware insurance proposal form will want to know about the following, with detail about the security solutions you’ve deployed to:

• Mitigate phishing
• Block harmful websites
• Monitor the output of security tools
• Microsoft Active Directory usage

The form will also need information on your security posture in respect to:

• Authentication for employees who are remotely accessing the corporate network and any cloud-based services where sensitive data may reside
• Authentication for independent contractors and vendors as above
• Limiting lateral movement
• Access controls for each user’s workstation
• Protecting privileged credentials
• The security of external facing systems

You will also need to provide details of:

• Your endpoint security policies, tools and controls in place for all workstations (desktops and laptops)
• Your average time to triage and contain security incidents of workstations
• Whether your multifactor authentication implementation meets the criteria that the compromise of any single device will only compromise a single authenticator
• The number of users that have persistent privileged accounts for endpoints
• Your target time to deploy critical patches, and your compliance with that target
• The tools you use for network monitoring, and what you monitor
• Whether you have a documented plan to respond to ransomware of a 3rd party provider/vendor or customer
• How you verify the efficacy of security controls
• Your disaster recovery capabilities and Recovery Time Objective (RTO) for critical systems
• Your backup strategy and capabilities
• Whether you have a policy that all portable devices use full disk encryption

While not exhaustive, this list is representative of the kinds of questions insurers have for applicants, and the criteria they use to determine premiums.

Security solutions impact cyber insurance premiums

It’s not just the number of policies, controls and systems you have that insurers are basing their decisions on – it’s also the solutions you have in place. Cybersecurity tools are now being assessed as part of the application process to help underwriters determine whether an organization is insurable.

Unfortunately, each insurer has a different baseline you need to hit, and the details of these can be hard to obtain.

How convergence can reduce cyber insurance costs

To close the cybersecurity exposure gap, a critical area to explore is identity security. Increasingly, the attack vector for data breaches and ransomware are user identities. Whether it’s stolen credentials, compromised passwords or social engineering targeted at privileged users, you can drive down the cost of cyber insurance by deploying the right identity security solutions.

But there is a challenge. When we surveyed over 1000 IT security professionals for our report Identities and Security in 2021: A Global Survey of Identity and Security Stakeholders, we found the following:

Organizations are experiencing identity sprawl: 25% say the number of identities they manage has increased by a factor of 10 or more. 84% report that the number of identities they manage has more than doubled.

IT security teams are struggling to manage fragmented security environments: 51% report they use more than 25 different systems for identity management including 21% that cite using more than 100 different systems.

IT security professionals find managing risk challenging:

• 95% face challenges managing identities
• 51% say separate applications provide a lack of visibility into access
• 55% report the wide range of applications and identity technologies complicate provisioning and deprovisioning
• 85% say they have employees who have more privileged access than is necessary for their work.
• Only 12% are fully confident they can prevent a credential-based attack

There is a new trend in identity security that addresses these challenges.

Convergence takes an identity-centric approach by aligning people, applications and data as one so you can verify everything. This unified identity security strategy, with a converged solution for identity and access management, can save you money on cyber insurance.

By closing cybersecurity gaps, insurers are more likely to offer you coverage, and as premiums stabilize, we anticipate seeing discounted premiums when you deploy specific tools. Converged or unified solutions increase your identity security and lower your risk – a good thing for you, your organization and your insurer.

To explore how unified identity security can close cybersecurity gaps, help you manage identities more effectively and save money, watch our video here.