March 8, 2023
Top 10 Cyber Security Controls for Cyber Insurance
Cyber Insurance Companies are Scrambling to Reform Cyber Insurance
Cyber insurance companies are losing money due to increased claims. As a result, they are implementing cost (risk) containment measures and raising rates that have already skyrocketed since 2021. Cyber insurance claims by customers increased by 100% from 2016 to 2021, with ransomware one of the leading causes of those claims. Demand for cyber security insurance has surged as companies try to reduce corporate risk, but the requirements to qualify for cyber insurance will continue to be scrutinized more closely as security regulations keep changing.
Cyber Insurance Companies are Squeezing Customers
Insurers are increasingly tightening underwriting requirements and stipulating that organizations adopt security controls that can make a measurable positive impact on their exposure to cyber risk.
What are Cyber Insurance Companies Doing?
- Increasing insurance premiums to cover the cost of increased claims
- Increasing requirements to qualify for insurance to minimize the number and severity of cyber security insurance claims
- Reducing the coverage they provide
Top Cybersecurity Controls Identified by Insurance Companies
Cyberattacks continue to dominate news headlines, driven by a surge in ransomware events, which increased by 148% in 2021. Insurance companies are working together to reduce these risks and the cost of insuring companies against them. The adoption of certain controls has now become a minimum requirement of insurers, with organizations’ insurability on the line.
The following list of security controls is defined by insurance leader Marsh as the top cyber security controls that companies should adopt. Smart companies will adopt these, and any others recommended for their situation, both to qualify for insurance and to minimize their cyber security risks. This list is confirmed by other sources in the insurance industry, including the cyber insurance applications of major insurance companies, which ask about these same controls.
Top 5 Cyber Security Controls for Cyber Insurance
- Multifactor Authentication (MFA): Requiring at least two different kinds of evidence (for example a password plus a hardware token or authenticator app) to validate a user’s identity helps prevent unauthorized entry into an organization when a password alone has been stolen or guessed. This control is a top weapon in an organization’s arsenal to thwart ransomware attacks, especially for remote access (VPN, remote desktop, cloud email) and for administrative accounts.
- Endpoint Detection and Response (EDR): The continuous monitoring and analysis of endpoints can help deflect attacks. In the event of an attack, it can also enable a more efficient response.
- Secured, Encrypted, and Tested Backups: The proliferation of ransomware attacks has placed additional emphasis on a sound organizational backup strategy and implementation. Restoring from backups is one of the ways organizations attempt to recover data, recover from an attack, and avoid dealing with the difficult decision of paying the ransom demand.
- Privileged Access Management (PAM) or Access Control: Access control is designed to ensure that employees have only the level of access needed to perform their jobs and nothing more. PAM applies this principle to administrative and service accounts specifically, vaulting their credentials, limiting where and when they can be used, and recording their sessions. Both help security teams identify abuse of privilege, and both limit how far an attacker can get with a single compromised account.
- Email Filtering and Web Security: Email filtering identifies and blocks malicious emails and attachments, including phishing, whereas web filtering blocks access to known malicious sites and newly registered or uncategorized domains often used to host malware. These tools are primarily used to block the initial delivery of malware and the phishing that precedes most ransomware incidents.
The Next 5 Important Security Controls to Qualify for Cyber Insurance
- Patch & Vulnerability Management
- Vulnerability management is a capability that identifies weaknesses in software and hardware devices that attackers are likely to exploit to compromise a device and use it as a platform from which to further compromise the network. It includes scanning, prioritizing by exploitability and exposure, and tracking remediation.
- Patch management is the systematic process of identifying available software revisions for operating systems and applications, being notified of them, deploying and installing them, and verifying that they applied. These revisions are known as patches, hot fixes, and service packs. Insurers typically ask how quickly critical patches are applied, particularly on internet-facing systems.
- Incident Response Plans: Incident response plans document a “predetermined set of instructions or procedures to detect, respond to, and limit consequences of a malicious cyberattack against an organization’s information systems.” A plan that has never been exercised is of limited value; insurers increasingly ask whether the plan is tested, for example through tabletop exercises.
- Cybersecurity Awareness Training: Cybersecurity awareness training is a control used to educate employees and IT users on cyber risks and threats. It equips them with the necessary information on how to identify and recognize the various types of attacks, protect themselves and their organizations by preventing events, and respond appropriately after an attack or an attempted breach.
- Remote Desktop Security & Hardening: Hardening is the process of applying security configurations to system components, including servers, applications, operating systems, databases, and network devices, in line with security best practices. These configurations reduce an organization’s attack surface by limiting the exposure of each platform, whether on the internal network or facing the internet. Remote desktop services are singled out because internet-exposed RDP is a common entry point for ransomware; insurers expect it to be reachable only through a VPN or gateway protected by MFA, not directly from the internet.
- Logging and Security Monitoring: In order to react to a cyberattack in a timely manner, organizations should establish strong logging and monitoring capabilities that enable them to identify suspicious activity on the network, such as repeated failed logons, new administrative accounts, or disabled security tools. These capabilities require specific knowledge, tools, and processes normally executed by a security operations center (SOC). For most companies, using an external managed security service provider (MSSP) makes the most sense.
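As an added illustration of the kind of detection logic a SOC or MSSP would run over the logs described above (this is example code written for this article, not part of the original text or an eSecurity Solutions product), the Python below flags password guessing against a remote desktop service: repeated failed RDP logons from one source address within a short window, and whether a successful logon from that source followed. Windows records a failed logon as Security Event ID 4625 and a successful one as 4624, and Logon Type 10 (RemoteInteractive) identifies RDP sessions; those values are documented Windows facts. The log lines, the field layout, the five-failure threshold and the five-minute window are all constructed assumptions for the example.

```python
"""Added example: flag remote-desktop password guessing in Windows Security
log records. The records below are constructed for illustration and are not
from any real system. Event ID 4625 = failed logon, 4624 = successful logon,
Logon Type 10 = RemoteInteractive (RDP). The threshold and window are
assumptions chosen for the example, not values from the article."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export, one record per line:
# "timestamp,event_id,logon_type,account,source_ip"
SAMPLE_LOG = """\
2023-03-08T02:14:01,4625,10,administrator,203.0.113.7
2023-03-08T02:14:03,4625,10,admin,203.0.113.7
2023-03-08T02:14:04,4625,10,backup,203.0.113.7
2023-03-08T02:14:06,4625,10,svc_sql,203.0.113.7
2023-03-08T02:14:09,4625,10,jsmith,203.0.113.7
2023-03-08T02:14:12,4624,10,jsmith,203.0.113.7
2023-03-08T08:30:00,4625,2,mwalker,10.0.0.15
2023-03-08T08:31:10,4625,10,mwalker,10.0.0.15
2023-03-08T08:45:00,4624,10,mwalker,10.0.0.15
2023-03-08T09:00:00,4625,10,pnguyen,198.51.100.21
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPE = "10"
THRESHOLD = 5                  # assumption: 5 failures in the window alerts
WINDOW = timedelta(minutes=5)  # assumption: sliding window length


def parse_events(text):
    """Parse the constructed CSV-style export into dicts with real datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": event_id,
            "logon_type": logon_type,
            "account": account,
            "src": src,
        })
    return events


def detect_rdp_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per source IP that produced >= threshold failed RDP
    logons inside `window`, noting whether a successful RDP logon from the
    same source followed within the window (a likely guessed credential)."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue  # console/network logons are out of scope for this rule
        if e["event_id"] == FAILED_LOGON:
            failures[e["src"]].append(e)
        elif e["event_id"] == SUCCESS_LOGON:
            successes[e["src"]].append(e)

    alerts = []
    for src, fails in failures.items():
        fails.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits in `window`.
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                last_fail = fails[end]["time"]
                followed = any(
                    last_fail < s["time"] <= last_fail + window
                    for s in successes.get(src, [])
                )
                alerts.append({
                    "src": src,
                    "failures": end - start + 1,
                    "accounts": sorted({e["account"] for e in fails[start:end + 1]}),
                    "success_after": followed,
                })
                break  # one alert per source is enough for the example
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

The rule is deliberately simple: it ignores non-RDP logon types so a user mistyping a password at the console does not trigger it, and it correlates a later success from the same source because a spray that ends in a successful logon is the case that needs an immediate response rather than a ticket. In a real environment this would be implemented as a SIEM correlation rule over the live event stream instead of a script over an export.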
Cyber Insurance Requirements Continue to Rise
Cyber security requirements for companies continue to rise. With the goal of preventing companies from being compromised by cyber-attacks, security regulations and cyber insurance requirements continue to escalate. Companies need to get out in front of these increased requirements and implement stronger security. Failure to do so can result in rejected cyber insurance applications, higher premiums or reduced coverage, or, worse yet, an increased risk of being compromised.
Helping Companies Qualify for Cyber Insurance
eSecurity Solutions assists customers in navigating the emerging changes in cyber insurance requirements. The same forces that drive those changes, namely rising attack volumes and tightening regulations, also raise the bar for every company’s security program.
eSecurity Solutions can help customers define and prioritize security solutions that meet current and future cyber insurance requirements and regulations while mitigating cyber-attacks. Contact us for a free cyber assessment today.