Meet your new cybersecurity auditor: Your insurer
As businesses deal with the fallout of massive ransomware waves, from Lapsus$ to Cl0p/MOVEit, an unlikely new entity is joining the regulatory bodies to raise the bar for cybersecurity: the cyber insurer. These experts do more than just process claims in the aftermath of an attack. Their coverage requirements and metrics-driven approach to risk put organizations not meeting cyber-hygiene basics on notice. How can chief information security officers (CISOs) prepare to work with this important power player?
Understand Your Cyber Insurer
Cybersecurity risk has grown sharply as the threat landscape has become more volatile and complex, with ransomware attacks the main driver. As a result, cyber-insurance premiums have surged by 50% in the last year alone, which can weigh heavily on risk management budgets. Facing pressure from all sides, CISOs have the unenviable task of proving to their cyber insurer that their organization is properly set up to withstand cyber-risk. To make that case, CISOs must thoroughly understand the cyber-insurance company's role and key priorities.
Insurance companies live and die by their ability to accurately quantify risk, and cybersecurity is no exception. Actuarial science powers a global market of insurance premiums worth $7 trillion annually. Due to the profound disruption caused by a surge in simple but scalable cybercrime, organizations have endured financial blow after financial blow. Most organizations recognize their cybersecurity strategy must change, and cyber insurers that make decisions about coverage using advanced statistical methods play a pivotal role in determining what that change entails.
The year 2022 was rough for the cyber-insurance market; premiums skyrocketed because of the frequency of ransomware attacks. This makes it more important than ever to be in good standing with your cyber insurer. With the market rebounding, insurance companies are refining their actuarial models and gaining a better understanding of cyber-risk.
Right-Sizing Security Priorities
Self-assessment questionnaires are getting more detailed as underwriters seek to understand the applicant's security posture, from the finer details of multifactor authentication (MFA) to the exact group policy rules applied to Active Directory (AD) administrators. Most organizations can say they have some of these controls in place, but rarely can they tick every box. They must therefore invest in tools or headcount to close the gap. Failing to invest can mean denial of cyber-insurance coverage or significantly more expensive premiums.
To read the complete article, visit Dark Reading.