Cyber Insurance: A few security technologies, a big difference in premiums
When the BlackCat ransomware gang compromised healthcare-billing services firm Change Healthcare in February 2024, several security controls failed: The company did not adequately protect its Citrix remote-access portal, did not require employees to use multifactor authentication (MFA), and failed to implement a robust backup strategy.
The subsidiary of UnitedHealth also had no cyber insurance, meaning its parent company had to foot the bill, at least $872 million, and — in hindsight, perhaps just as important — missed the benefit of a cyber insurer’s focus on what strategies can minimize claims. Both insurers and “insursec” firms, which combine insurance and security services, are awash in data on the current threat landscape and the technologies that appear to make the most difference — among them, backups, MFA, and protecting remote-access systems.
Finding the right security technologies for the business is increasingly important, because ransomware incidents have accelerated over the past few years, says Jason Rebholz, CISO at Corvus Insurance, a cyber insurer. Attackers posted the names of at least 1,248 victims to leak sites in the second quarter of 2024, the highest quarterly volume to date, according to the firm.
“Without a doubt, attacks are increasing in terms of frequency and severity — the data is pointing to that,” he says. “We also see that when you focus on specific security controls, you can have a meaningful impact on both preventing those incidents, but also in just recovering from the incident [with fewer costs].”
Cyber insurance has become a security best practice, with the vast majority of security-mature companies (84%) retaining a cyber-insurance policy while another 9% are in the process of obtaining a policy, according to a recent survey of 400 security decision makers by insursec firm At-Bay and analyst firm Omdia, a sister company to Dark Reading. Overall, 72% of all firms consider cyber insurance to be critical or important to their organization, the survey found.
Three (or Five) Defenses Every Company Needs
More than 60% of insurance claims involve a ransomware incident, while email-based fraud accounts for another 20% of claims, according to At-Bay. Because most successful attacks use vulnerable or misconfigured remote-access points or compromise an individual system through email, improving security on those two vectors is paramount, says Roman Itskovich, chief risk officer and co-founder at At-Bay.
The insurer charges less to customers who use email systems with better security, such as Google Workspace, and more for on-premises email systems, because Google users have filed fewer claims. The insursec firm also found that companies that use self-managed virtual private networks have a 3.7 times greater likelihood of filing a ransomware claim.
“We take VPNs very seriously in how we price [our policies] and what recommendations we give to our companies … and this is mostly related to ransomware,” Itskovich says.
For those reasons, businesses should take a look at their VPN security and email security if they want to better secure their environments and, by extension, reduce their policy costs. Because an attacker will eventually find a way to compromise most companies, having a way to detect and respond to threats is vitally important, making managed detection and response (MDR) another technology that will eventually pay for itself, he says.
To read the complete article, visit Dark Reading.