Top 5 cyber loss controls that could become a pre-condition for insurance | Featuring Ian Fraser
As the frequency and severity of cyber attacks rises, cyber loss control measures are becoming a must-have for many businesses – and for insurers too.
In the first half of 2021, global cyber attacks increased by 29%, as threat actors continue to exploit the COVID-19 pandemic and the shift to remote work. Meanwhile, ransomware attacks surged 93%, fueled by a new attack technique that targets organizations as well as their customers and/or business partners. [1]
As the number of claims continues to climb, carriers are trying to help clients prevent attacks from happening in the first place. Many are investigating whether some risk mitigation measures (such as encryption or enhanced permissions) should be required as a pre-condition for insurance. Some carriers have already implemented more rigorous underwriting standards that require specific cyber-security measures to be in place before coverage is granted. [2] It is also expected that in the future, the insurance sector will collectively adopt security baseline requirements as a standard for cyber insurance. [3]
“When it comes to cyber attacks, the common refrain is, ‘it’s not if, but when,’” says Ian Fraser, Associate Vice President, Cyber/Technology & Professional Lines, at Sovereign Insurance. “However, when it does happen, the better a business is prepared for it, the lower the severity and impact on the business will be. That’s where the concept of cyber loss control comes into play. It’s about helping to shape policyholders’ cyber-security practices and risk posture into a much stronger position, prior to an event happening.”
Here are five cyber loss control measures that could be a pre-condition for insurance in the future, but are also common-sense practices for any business to implement today.
- Multi-factor authentication (MFA): MFA is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as a network, application, or website. Usernames and passwords are particularly vulnerable to cyber attacks, so using MFA can help organizations stay safe. “Multi-factor authentication can be easily implemented at a relatively low cost and have a significant impact on exposure,” notes Ian. Some common MFA methods are answers to personal security questions, fingerprints, or facial recognition, and one-time passwords sent by text or email.
- Encryption: Encryption makes data unreadable to anyone who isn’t authorized to view it. Businesses should ensure that encryption is implemented within the security architecture of a network (data at rest), as well as when data travels across networks and between locations (data in transit). Ian stresses the importance of staying current with encryption methods. “As technology rapidly evolves, older methods of encryption may no longer be secure,” he says. “And while the topic can be complex, many new software solutions and devices have encryption elements built-in.”
- Software patches and system upgrades: As cyber threats constantly evolve, it’s important to stay on top of software patches and updates that fix security vulnerabilities. Outdated IT systems may also need to be upgraded to provide a better level of protection against today’s threats. “This comes at a cost and it’s a challenge for many businesses to determine what they’re going to spend on cyber security,” says Ian. “The key is finding a good balance between reinvesting in IT infrastructure and investing in other areas of the business.”
- Permissions: Permissions, or access controls, dictate who in the organization gets access to which resources, including networks, files, applications, and so on. The goal is to minimize the security risk of unauthorized access to sensitive data. Ian notes that in many startups and small businesses, all employees have access to everything, but it’s important to limit access from the start. “Businesses need to be mindful that they shouldn’t wait until they hit a certain size to implement controls,” he says. “These are elements that need to be built from the ground up, and a sound starting point is using the ‘least privilege’ access principle.”
- Incident response plans: An incident response plan is a set of detailed instructions to help IT professionals and staff detect, respond to, and recover from network security events. Ian stresses the importance of having a well-documented plan that is widely communicated to employees and practiced at least once a year. “Just as schools practice fire drills, businesses need to practice how they’re going to respond to a cyber event and make adjustments to their plan if necessary.”
Dealing with cyber risk today involves much more than buying an insurance policy. It’s about having the right loss controls in place — including having the right vendors and partners — to be prepared for a breach and to deal with the aftermath of a cyber event. “I think of it like a three-legged stool,” says Ian. “Businesses need to constantly address and improve their pre-breach cyber-risk posture, have a well-documented and practiced post-breach plan, and purchase a cyber insurance policy to be properly guarded and well protected.”
[1] Check Point, “Cyber Attack Trends 2021 Mid-Year Report”
[2] Property Casualty 360, “Cyber breaches, regulatory guidance and the insurance market,” May 17, 2021
[3] Canadian Underwriter, “Should insurers (and others) be banned from making cyber ransom payments?” May 30, 2021