Balancing The Scales of Cybersecurity and Insurance
Small and medium businesses (SMBs) are facing a reckoning now. Insurance companies are forcing many to get proper security measures in place, or they risk not being insured. But how did it come to this? Over the years, cybersecurity insurance has paid out billions in claims from malware and other attacks bringing businesses to their knees. As these attacks became more frequent and more targeted, it became costlier and more likely that insurance companies would have to pay out claims because companies were, and always will be, vulnerable to attack. Insurance companies have introduced a few new tools to lower their risk of paying out on losses due to cybersecurity incidents. And some of these tools have affected how the industry couples cybersecurity and insurance.
How Does Insurance Normally Reduce Risk?
One way insurance companies reduce risk is by writing policies at scale. If you have a small percentage of claims filed among millions of policies, any losses are shared across the whole business unit.
For a long time, it seemed like insurers would payout for almost every incident. In the past, many businesses wanting to use a backup solution said that their recovery process was just to get paid out from their insurance, and that was "good enough" for them after a ransomware event. That is a pretty extreme case, but those companies used and misused insurance as a crutch, and so insurance companies had to reduce their risk further.
Enter risk reducer number two: enforce cybersecurity standards
At a high level, the thought makes sense. And it's a thought that we at Pendello Solutions have been shouting from the rooftops for ages. The more layers of security you add, the less likely you are to have an incident. But then that brings us to our next looming question…
How Do Insurance Companies Know What Security Policies SMBs Should Have?
The truth is that most don't. This is because there isn't a lot of data for insurance companies to comb through. Companies, unfortunately, hide their breaches and ransomware amounts. In addition, the cybersecurity protocols, including policies and procedures, are constantly adapting to the new cybersecurity risks.
Brokers get dictated to by their carriers. Then the carriers need to run through a form and check off what a company does to protect itself. Based on those answers, the carriers will say if they want to insure the company or not and by how much.
But herein lies the problem, there is a lack of universal cybersecurity standards and practices—it mostly comes down to the thought that the more security controls in place and money spent for those controls, the more secure the company and the less the cost of the policy. This is true of the cybersecurity industry as a whole.
How Insurance Decides Who to Cover and by How Much
Insurance carriers usually have something called an attestation document. Attestation is the document that insurance use to verify that proper processes and policies were followed after an incident. If all is true and in place, the company gets paid out from the policy. Suppose the insurance company reviews the attestation after the incident and finds that something was not entirely in compliance with what was said on the attestation. In that case, the company that had the incident won't be reimbursed for all the out-of-pocket expenses they might have incurred during the incident.
For cybersecurity, the attestation document usually includes a series of questions like:
- Do you enforce multi-factor authentication (MFA) across all users?
- Do you have endpoint protection implemented on all endpoints?
- How often do you regularly update operating systems to the most recent versions?
As you can tell, some of these questions are very general. Sometimes they get a bit more direct, but often they're just plain old confusing, like:
- Do you use a Remote Maintenance Monitoring System (RMMS)? - Insurance companies want to know if they are used and which ones because insurance companies ban some RMMs in the market (sometimes with reason, sometimes without).
- Do you use an EDR? - This one is especially tricky as there are so many lingering questions involved:
- EDR is endpoint detection and response, but how exactly does the insurance company define it?
- Is an EDR product required if I monitor endpoints via RMM, maintain security updates, have an AV in place, monitor AV detections, and ensure MFA is enforced across the board? Most companies have different controls in place that work on the endpoint.
- If I say no, does that mean insurance will be dropped?
- Are there EDRs in the market that are unsupported?
- Would I still be covered if the EDR agent is not installed on every host?
These questions are pretty nebulous and usually require more clarification because it's a risk for the businesses if these aren't correctly adhered to.
The ultimate goal is to ensure that insurance companies run through their due diligence to insure companies that reduce their exposure to tolerable levels. If you can prove that based on the controls in place, then the insurance company should insure you.
Will There Be More Definitions in the Future?
Absolutely there will be. The US government has even released its recommendations with Cybersecurity Maturity Model Certification (CMMC) levels on what vendors working with the government should be adhering to with their security controls. It's covered in five levels, with a five being the highest amount of security controls.
If it hasn't started already, more insurance providers will likely begin using these levels as a barometer for companies they are looking to insure.
So How Do We Start Bringing Back Balance to This Scale?
Until there is more definition as to what specifics are needed by insurance, it's essential to look at what security boxes need to be checked and how and why you should check those boxes. A great place to start is reviewing CIS controls and the NIST Cybersecurity Framework—both of which were the basis for the CMMC recommendations.
From there, you can figure out the holes that need to be plugged. Spoiler alert: usually, preventive technology isn't the real issue. Detection and response are often the most critical layers that businesses are missing. And in the eyes of insurance, having EDR, MDR, or some detection and response capabilities listed on the attestation doc will help you answer "yes" when they ask their list of questions. To learn more about being "Cyber Aware," contact your Pendello Solutions team today.