In the previous article, we saw how taking a Proactive Approach to Cyber Security is key and how it relates to Cyber Insurance. In this article we will see how cyber insurance can incentivize better cyber security practices amongst policy holders.
RUSI (Royal United Services Institute) for Defense and Security Studies published a paper titled “Cyber Insurance and the Cyber Security Challenge” in June 2021. This paper was supported by NCSC (National Cyber Security Center). The paper provides thirteen recommendations and below we have described recommendations relevant to cyber insurance providers:
Recommendation #1 – Establish a minimum expected security baseline – Insurers should collectively agree on a set of minimum security requirements as part of risk assessments for small and medium sized enterprises. For UK, it recommends using controls used for Cyber Essentials as a minimum requirement. Cyber Essentials specifies the requirements under five technical control themes as below:
- Secure Configuration
- User Access Control
- Malware Protection
- Security Update Management
Recommendation #2 – Partnerships with Managed Security Service Provider (MSSP) – Cyber insurance carriers should explore partnerships with managed security service providers, cloud service providers and threat intelligence providers to gain access to additional sources of data (for example not be limited to external perimeter scans). In exchange, insurers can offer reduced premiums and other financial incentives to their customers.
Recommendation #3 – Data sharing – Insurance industry needs to take a more collegial approach to data sharing.
Recommendation #12 – Obligatory disclosure of ransomware incident – Insurers should specify that any ransomware coverage must contain a requirement for policy holders to notify the NCA and the NCSC in the event of an attack and before a ransom is paid.
Recommendation #13 – Establish a set of minimum ransomware controls – Insurance industry should work with the NCSC and cyber security partners to create a set of minimum ransomware controls based on Threat Intelligence and insurers’ claim data. Insurance carriers should require these controls to be implemented as part of any ransomware coverage. These controls should include:
- Timely patching of critical vulnerabilities in external facing IT infrastructure.
- Enabling multi-factor authentication (MFA) on remote-access services.
- Limiting lateral movements by adopting network segmentation measures.
- Implementing procedures to ensure regular backups are created.
Cyber insurance providers need to persuade their policy holders to take a proactive approach to cyber security (rather than a reactive one).
ThreatWatch can help your organization proactively on the following fronts:
- Identification of critical vulnerabilities (AI aided automatic prioritization) to ensure timely patching. All of this without any scans on your network.
- Secure configuration – Identify any potential misconfigurations or configuration issues in your environment.
- Malware / Ransomware Protection – Stop malware / ransomware right in their tracks by ensuring related vulnerabilities are patched.
- Correlate Threat Intelligence to organization assets for mitigation.
- Secure multiple attack surfaces (Cloud, Container, Corporate Infra, Remote workforce, Code, etc.)
- “Security by design” via a shift left in DevOps. This includes: identifying vulnerabilities in 3rd party dependencies (jars, modules, packages, libraries, etc.), detecting secrets in source code, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Infra as Code issues, etc.
For more information on how ThreatWatch can help you proactively secure your organization write to us at email@example.com