
Cisco Advisory CISO Helen Patton and Consulting CISO John Bruggeman sit down together in this episode of Inside the CISO’s Office to discuss the financial side of information security. They discuss the benefits and challenges of cybercrime insurance, how insurance requirements are shaping corporate approaches to information security, and the “security poverty line.”
The rising cost of cybercrime insurance
As cybersecurity incidents grow increasingly common around the globe, cybercrime insurance providers are getting stricter about what they will—and will not—cover. At the same time, even these scaled-down policies cost companies more than ever. Helen Patton, advisory CISO for Cisco, has noted the change in her conversations with clients.
“Anecdotally, I did some closed-door round tables with a bunch of CISOs across the industry,” said Helen, “and in those sessions, they were reporting… premium increases of about 30% year over year, from last year, for the same or less insurance than they had previously.”
The shift isn’t only the result of rising cybercrime. A historic over-reliance on insurance to offset risk, rather than prioritizing a cybersecurity program, has left some companies vulnerable. Now, when insurance agencies are assessing a company’s risk up front, their standards have gotten more stringent.
“The insurance companies are looking at standards like the NIST [SP 800-207] standard, and others, as the blueprint that they’re asking companies to follow,” said Helen. “So, it’s worth keeping an eye on NIST and what’s happening with zero trust there because it seems to be instructive to insurance agencies as well.”
Common cybercrime insurance requirements
- Multi-factor authentication
- Extended detection and response
- Strong e-mail security
- Effective patch management
- Employee cybersecurity training
- Privileged access management
- Network firewalls and remote access control
- Business continuity/disaster recovery plan
When the White House formalized zero-trust architecture as its security standard, the effect rippled outward to other government entities and their supply chains. The private sector has not been subject to the same kind of top-down pressure, but the cybercrime insurance industry is beginning to move the needle.
In today’s high-risk landscape, a zero-trust philosophy paired with common-sense cybersecurity measures can both increase your odds of securing insurance and lower your premiums.
Insurance agencies can offer cybersecurity advice
While risk tolerance may be shrinking, cyber insurance agencies have also developed expertise in preparing for and responding to cybersecurity incidents. In the case of a ransomware attack, many agencies can provide an incident-response team to guide you through the event. That includes expertise on the threat actors who have targeted you—which will help you decide whether to pursue negotiation or focus on data recovery.
“Those folks will know whether the people who are ransoming your computer systems are likely to give you your encryption key back even if you pay. They’re rating the ransomware gangs in terms of how sophisticated they are operationally,” said Helen. “That is part of the benefit of that kind of work.”
While ransomware is often the first thing people think of in cybercrime insurance, it is not the only risk. Insurers can also offer employee training to protect against phishing and social engineering, and provide legal guidance regarding your rights and obligations. Cyber insurance agencies turn their experience with cybercrime into training and incident-response resources that can help you mitigate even more risk.
Cybersecurity is a collective effort
A strong cybersecurity strategy is not without cost. Implementations require time and resources, both financial and human—which smaller businesses with older technology stacks may struggle to find.
“There are sizes of organizations and organizations of certain ages that just don’t have the resources to be able to do security very well,” said Helen. “And in those situations, it becomes difficult to get cyber insurance. So, it could be just the kind of industry somebody is in; they don’t have the margins to be able to afford a really great security program, or they just might not be old enough—like startups who aren’t going to invest in having…a security program until they get big enough and more financially secure.”
Helen credited Wendy Nather, head of advisory CISOs at Cisco, for coining the term “security poverty line” to describe the challenge these organizations face.
“Particularly as we’re dealing with supply chain risk, there is definitely this question of—even the biggest companies are leveraging vendors and partners who are below the security poverty line, and that puts those big companies at risk as well.”
“If we don’t start helping out those organizations that are important to us and are good partners…we are damaging ourselves.”
Helen Patton
Even large enterprises are only as secure as the most vulnerable vendor in their supply chain, but cybersecurity resources are scarce. Collaboration will be essential to close the gap.
Build your cybersecurity plan with CBTS
From strategy to resourcing—wherever your cybersecurity hurdle is, CBTS can help you clear it. Consult with experts on your next implementation or take advantage of fully managed security services to relieve the load on your in-house team. Our security team can help you meet the increasingly demanding cybercrime insurance specifications, both to get coverage and keep your premium in check.
To learn more about improving your cybersecurity posture and meeting cyber insurance requirements, contact CBTS today.