Can IAM help save on cyber insurance?

Sponsored Feature Underwriters are continuing to feel the pinch as cyber insurance claims mount. That means customers are hurting too, with policies becoming more costly and insurers demanding more proof of cybersecurity. So how do organizations make better use of identity and access management to demonstrate their competency in protecting people’s sensitive personal and financial data?

Darren Thomson is vice president of product marketing for identity security company One Identity, having previously held the role of EMEA CTO at Symantec before working at its cyber insurance analytics spin-off CyberCube. He explains that cyber insurance developed in the early 2000s as a way to hand off risk as cybersecurity concerns mounted.

“There comes a point where the simple choice between mitigating risks and ignoring them is not enough,” he says. “People want to share or transfer that risk.”

That point first came in 1997, when AIG launched the first documented internet security liability policy. It offered third-party risk coverage for technology services providers to reimburse their clients in the event of cybersecurity-related damage. In the mid-2000s, policies evolved to offer first-party risk, covering attacks against a policy holder’s own business and broadening the target market beyond tech firms.

As cyber threats grew, so did the appetite for risk transfer, with the US Government Accountability Office (GAO) noting a dramatic increase in the proportion of insurance clients taking out cyber insurance policies. In 2016, just 26 percent of clients opted for this coverage with one large broker it studied. By 2021, that number had reached 47 percent.

The rise of enterprise ransomware

Transferring the risk to an insurance company helps to regulate a client’s investment in cybersecurity, which in turn helps it avoid over- or under-investing in protective measures relative to the risk. But what happens when the risks become too volatile for the insurers too?

That’s what happened as ransomware evolved from attacks on individuals and small businesses into a mature criminal industry targeting bigger companies. Cyber crooks became more sophisticated, hitting larger organizations with deeper pockets. They also became more successful at it. The size of ransom demands rose accordingly from tens of thousands to millions. “Insurance companies didn’t see that coming,” says Thomson.

The other problem for insurers was complexity. Clients frequently add more tools and technologies to their sprawling infrastructures. The pandemic exacerbated the problem. As hybrid work became a necessity, the physical perimeter disappeared.

Companies supporting a hybrid workforce found themselves grappling with endpoints sitting on residential local area networks (LANs) used for both work and personal activities. Managing these devices’ access to corporate information became more difficult. The change in infrastructure and access methods created yet more layers of security risk, making cyber risk transfer even more problematic for underwriters.

The problem of valuing cyber risk

Fairly assessing and pricing this risk has been tough for insurers, especially given the lack of available data. Actuaries have decades of data on car accidents and health conditions, for example, but not much about cyber risk. Assessing the risk of cyber attack is more art than science, and the industry’s demand for the skills to support that process is high.

Insurers that charged too little for covering cybersecurity risk have found themselves shouldering an array of costs. Ransomware payments are perhaps the simplest to understand, but they’re just one factor among many possible expenses. These include post-breach investigation and data recovery; loss of income from business disruption; breach notification costs; legal claims; and regulatory penalties. Supply chain attacks make third-party liability costs especially worrying for insurers, who face reimbursement costs for their clients’ downstream users.

In May, Fitch Ratings found that reported cyber insurance claims had risen 100 percent annually in the past three years. Claims closed with payment grew by 200 percent annually over the same period, with 8,100 claims paid in 2021. This eats into insurers’ profits. The direct loss plus defense and cost containment (DCC) ratio is the proportion of the earned premium paid out in claims expenses. Lower is better: in 2015-2019, the average figure was 42 percent. In 2021, it stood at 65 percent.

Insurers naturally became obsessed with ransomware as payouts increased, recalls Thomson. This, along with other evolving security risks, transformed the still-nascent cyber insurance industry into a ‘hard market’.

“A hard market is one that is difficult to comply with,” he explains. One characteristic is the rising price of premiums.

The Council of Insurance Brokers and Agents has measured these increases. Its most recent Q1 2022 data showed a 27.5 percent quarter-on-quarter bump in premium prices for cyber insurance, following a 34.3 percent rise in Q4.

“The policies are highly priced and the payout limits are very low,” continues Thomson. “So it’s actually pretty hard for many organizations to get good coverage on cyber now.”

Holding clients to account

The other reaction from insurers has been more scrutiny. Insurance companies are asking more detailed questions about their clients’ cybersecurity posture before assuming their risk. They are also building more cyber assessment capabilities, ranging from auditing through to penetration testing and IT security consulting.

Increased insurer scrutiny means a lot more hoop-jumping for companies that were used to treating the premium payment as a simple hedge against attack. Now, they must demonstrate a robust approach to cybersecurity.

“A better security posture means higher coverage and/or lower rates,” explains Thomson.

Insurance firms started establishing minimum requirements with checklists before verifying compliance. Clients that find themselves falling short must step up to address any issues if they want a reasonable cyber insurance policy.

Insurers are asking organizations to demonstrate their plans for disaster recovery, for example. Backup and restoration also play a big part in that assessment, Thomson explains, prompting companies to demonstrate that they are regularly testing these capabilities.

Underwriters are paying extra attention to email security in their assessments, given the heavy use of phishing in ransomware and other cyber attacks.

Clients are under extra pressure to demonstrate that they’re patching their systems regularly, which also increases attention on endpoint management and effective software inventory (you can’t patch what you don’t see).

Other focal points include classification schemes for networks, data, and systems, along with education and cybersecurity awareness programs for users.

The role of identity and access management

Thomson sees identity and access management as one of the most significant areas in which companies can improve. Solutions that stop attackers from getting onto the company network and accessing information inappropriately are of particular interest.

“IAM teams historically always struggled to show concrete benefits to the business,” he says. “Now, with cyber insurance as a risk management requirement and potential savings on policies it’s a much easier argument to win. IAM can clearly demonstrate value for the business.”

Insurers are focusing on multi-factor authentication in their evaluations as they realize the growing importance of identity in cybersecurity posture. Picking some low-hanging fruit has become mandatory, including multi-factor authentication (MFA) for the whole workforce.

“Most insurers now want to know that you have at least two factors of authentication in place for your users and your customers, if not multi-factor authentication,” Thomson continues.

But not all MFA solutions are equal, and this choice can affect clients’ cybersecurity protection. One common problem is the lack of support for on-prem devices. Many solutions will secure access to SaaS applications but can’t protect access to the workstation you’re sitting in front of. So the type of MFA you use affects other items on insurer checklists, such as endpoint security management.

“One Identity managed to cover this capability gap by fusing together Defender (our on-prem 2FA) and OneLogin SaaS, creating a hybrid solution well suited to these hybrid needs,” Thomson adds.

Increasing the focus on identity infrastructure

Some insurers are also acknowledging the need to enforce complex passwords and avoid default passwords or default accounts, One Identity says. Companies should also look at other areas, such as structured processes for handling joiners, movers, and leavers.

Insurers are already asking more questions about the management of access credentials on their cyber insurance premium questionnaires. They are becoming more interested in techniques ranging from password management through to privileged access management, and are asking companies to attest to their capabilities here too.

AIG asks clients about their techniques for managing privileged access credentials, including the use of access logging tools and secure storage mechanisms, for example. It also makes explicit reference to the use of MFA for workers remotely accessing corporate resources.

Active Directory or equivalent directory systems are foundational technologies when managing identity data and access privileges, so it’s not surprising that this comes up in questionnaires. You’ll find insurers asking about the number and types of accounts used on that system, Thomson says.
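The account inventory and credential checks described in this section, as an added example that is not part of the article or of One Identity’s products: a Python reconciliation of a constructed directory export against a constructed HR roster. It produces the account counts by type that the questionnaires ask for, plus the control exceptions an underwriter would want explained (leavers still enabled, privileged users without MFA, well-known default accounts enabled, passwords that never expire, stale accounts, and movers who kept an old department’s entitlement). The field names, group names, employee ids and the 90-day inactivity threshold are all assumptions made for the example.

```python
"""Added example (not from the article or One Identity): reconcile a directory
export against an HR roster to produce the account inventory and control
evidence a cyber insurance questionnaire asks for. All data is constructed and
the field names are assumptions, not a real product's export schema."""
from collections import Counter
from datetime import date, timedelta

TODAY = date(2022, 9, 1)                                 # constructed reference date
STALE_DAYS = 90                                          # assumed inactivity threshold
DEFAULT_ACCOUNTS = {"administrator", "guest", "krbtgt"}  # well-known built-in names
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators"}

# Constructed directory export: one dict per account, as an identity
# governance tool might export it.
DIRECTORY = [
    {"sam": "alice", "type": "user", "enabled": True, "owner": "E100",
     "groups": ["Domain Users"], "mfa": True, "pwd_never_expires": False,
     "last_logon": TODAY - timedelta(days=2)},
    {"sam": "bob", "type": "user", "enabled": True, "owner": "E101",
     "groups": ["Domain Users", "Domain Admins"], "mfa": False,
     "pwd_never_expires": True, "last_logon": TODAY - timedelta(days=1)},
    {"sam": "carol", "type": "user", "enabled": True, "owner": "E102",
     "groups": ["Domain Users", "Finance-Admins"], "mfa": True,
     "pwd_never_expires": False, "last_logon": TODAY - timedelta(days=5)},
    {"sam": "dave", "type": "user", "enabled": True, "owner": "E103",
     "groups": ["Domain Users"], "mfa": True, "pwd_never_expires": False,
     "last_logon": TODAY - timedelta(days=200)},
    {"sam": "svc_backup", "type": "service", "enabled": True, "owner": "E100",
     "groups": ["Backup Operators"], "mfa": False, "pwd_never_expires": True,
     "last_logon": TODAY - timedelta(days=1)},
    {"sam": "Administrator", "type": "user", "enabled": True, "owner": None,
     "groups": ["Domain Admins"], "mfa": False, "pwd_never_expires": True,
     "last_logon": TODAY - timedelta(days=400)},
    {"sam": "Guest", "type": "user", "enabled": False, "owner": None,
     "groups": ["Domain Guests"], "mfa": False, "pwd_never_expires": True,
     "last_logon": None},
]

# Constructed HR roster: employee id -> (department, status). This is the
# joiner/mover/leaver signal the directory is reconciled against.
HR = {
    "E100": ("IT", "active"),
    "E101": ("IT", "active"),
    "E102": ("Sales", "active"),   # carol moved from Finance to Sales
    "E103": ("Ops", "left"),       # dave has left the company
}


def is_privileged(account):
    return bool(set(account["groups"]) & PRIVILEGED_GROUPS)


def account_summary(accounts):
    """Counts by type, enabled state and privilege: the 'number and types of
    accounts' question on an insurer's questionnaire."""
    c = Counter()
    for a in accounts:
        c[a["type"]] += 1
        c["enabled" if a["enabled"] else "disabled"] += 1
        if is_privileged(a):
            c["privileged"] += 1
    return dict(c)


def findings(accounts, hr, today=TODAY):
    """Return (account, issue) pairs for control exceptions on enabled accounts."""
    out = []
    for a in accounts:
        if not a["enabled"]:
            continue                       # disabled accounts are not live risk
        name = a["sam"]
        owner = hr.get(a["owner"]) if a["owner"] else None
        if a["owner"] and owner is None:
            out.append((name, "enabled account with no HR record"))
        elif owner and owner[1] == "left":
            out.append((name, "leaver still enabled"))
        if name.lower() in DEFAULT_ACCOUNTS:
            out.append((name, "well-known default account enabled"))
        if is_privileged(a) and a["type"] == "user" and not a["mfa"]:
            out.append((name, "privileged user without MFA"))
        if a["pwd_never_expires"] and a["type"] == "user":
            out.append((name, "password never expires"))
        if a["last_logon"] is not None and (today - a["last_logon"]).days > STALE_DAYS:
            out.append((name, f"inactive > {STALE_DAYS} days"))
        # Mover check: a department-scoped admin group (assumed "<Dept>-Admins"
        # naming) that no longer matches the owner's current department.
        if owner:
            for g in a["groups"]:
                if g.endswith("-Admins") and g.split("-")[0] != owner[0]:
                    out.append((name, f"mover retains {g} entitlement"))
    return out


if __name__ == "__main__":
    print("Account summary:", account_summary(DIRECTORY))
    for name, issue in findings(DIRECTORY, HR):
        print(f"{name:15} {issue}")
```

Service accounts are counted but deliberately excluded from the MFA and password-expiry findings, since they are normally governed by a separate vaulting or rotation control; a real reconciliation would feed that control’s evidence in as a further column.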

As technology moves on, he expects insurers to embrace other facets of identity management, such as passwordless technology.

“They [insurers] are aware of the trend and they’re excited about the next phase,” he says. “They’re tracking the maturity of those solutions.”

As underwriters continue to turn up the pressure on cyber insurance clients, we’re seeing a traditionally conservative industry tackle the challenge of insuring against a dynamic, fast-moving set of risks. Ultimately, this will benefit everyone, increasing insurers’ confidence in underwriting cyber risk while forcing clients to improve their protection. Acquiring the right tools in areas such as IAM and IT management, combined with an appropriate risk management mindset, is critical for equitable, sustainable risk transfer.

Sponsored by One Identity.