With rising demand and dangerous third-party risks, cyber insurance carriers are scrutinizing enterprises’ security postures to the point of limiting or denying coverage based on the presence of specific technologies.
Cyber insurance premiums and payouts have risen significantly over the past three years as attack surfaces and adversary techniques have expanded. Customers must comply with a growing list of requirements, such as implementing multifactor authentication (MFA), as insurance carriers struggle to keep up with the rapid evolution of cybersecurity risks. However, the costs of cyber attacks have risen so dramatically that cyber insurance companies are going even further.
While both sides continue to work to improve security postures, certain technologies and software can have an impact on enterprise coverage. According to Payal Chakravarty, head of product at cyber insurance provider Coalition, rates are based on the root causes of claims. Remote Desktop Protocol (RDP), which continues to be a problem for SMBs, is one example, as are supply chain issues and third-party partner risks.
While rates have risen, she claims that businesses can keep costs under control by being more intelligent about risk selection in terms of the products and technologies in their environment. According to Chakravarty, Coalition's rates are based on the specific technologies in use, so there is no flat rate increase at every renewal. Renewal rates are determined by a technology-based rating and by user behavior, such as how users responded to Coalition alerts and whether or not the flagged issues were resolved.
For example, Chakravarty stated that the presence of SonicWall products in a customer’s network can result in higher premiums due to the number of vulnerabilities, including zero-day flaws, that have recently been exploited by threat actors. If an organization fails to patch those vulnerabilities in a timely manner, the costs can be particularly high.
“You had SonicWall, and we all know SonicWall is a problem. We told you to upgrade, and if you don’t, we’ll have to charge you,” Chakravarty explained.
Flagged Products
According to Nathan Smolenski, head of cyber intelligence strategy at Netskope and former CISO at Corvus Insurance, if a software provider suddenly receives a large number of claims, rates for using that product will rise. This was highlighted during the pandemic and the rapid shift to remote work, which increased adversaries’ attack surface. Threat actors increasingly took advantage of misconfigurations and vulnerabilities in technologies such as VPNs that enabled the work-from-home transition.
According to Smolenski, the ways in which companies configured their employees to work remotely became a huge factor for cyber insurance companies. Because many businesses could not afford to purchase additional VPN licenses, they turned to RDP.
“The bad guys think, ‘I can just log on to Shodan and see all the available RDP sessions and try to hack it,’ and that’s free,” he says. “This is related to configuration, but vulnerabilities were also significant. We saw it during the pandemic — Pulse Secure VPN, SonicWall, a different one every month. And the cyber insurance companies looked at their customers and said, ‘You have that problem, and you need to fix it right now.’”
Chakravarty provided more recent examples, such as Kaseya, which was attacked last year in an incident that affected managed service providers, and malicious NPM packages. Threat actors hid over 1,000 malicious JavaScript packages on the NPM Registry in February.
“[NPM] had no provisions for MFA, so they had a massive problem that affected everyone — small, medium, and large businesses,” she explained. “Log4j affects everyone, but from what we’ve seen, it’s primarily VMware Horizon [instances] that we’ve seen claims from.”
When it comes to products with a high risk of vulnerabilities, Ismael Valenzuela, vice president of threat research and intelligence at BlackBerry, mentioned Microsoft. When assessing the impact of buggy products on cyber insurance coverage, he advises looking at the top exploited vulnerabilities in 2021.
“If we look at that report from US CERT, we’ll see a variety of vendors on the list, but Microsoft’s vulnerabilities remain prevalent and the most exploited in data breaches,” Valenzuela said.
Andreas Wuchner, field CISO at cybersecurity vendor Panaseer, on the other hand, stated that network designs and configurations will be flagged more than products, particularly when it comes to the cloud. Insurers will raise architectural questions, such as which containerization a company is using and whether microsegmentation was implemented, rather than product questions, he said.
Panaseer surveyed 400 insurers worldwide for its “2022 Cyber Insurance Market Trends Report,” and respondents cited cloud security as the most important factor when assessing security postures due to the growing hybrid workforce.
Patch management was also mentioned as an important factor in assessments in the report. Most organizations, according to Wuchner, are struggling to find enough time to patch the increasing influx of common vulnerabilities and exposures, and even thorough patching does not eliminate other attack techniques.
“It would be too easy to blame application or legacy problems,” Wuchner said. “Something will always be unpatched at some point. There is always the possibility of a zero-day exploit or social engineering ransomware, in which people click on something.”
Everyone is at risk.
At times, it appears that businesses rely too heavily on cyber insurance instead of improving their security postures or implementing controls. According to information security experts, cyber insurance plays a role in ransomware payments because a company knows it will be reimbursed if it accedes to the demand.
The cyber insurance market is now transferring more risks to carriers.
Jennifer Rothstein, BlueVoyant’s cyber insurance and legal expert, discussed a new concept of co-insurance in which the insured organization may have to contribute out of pocket to any kind of ransom payment or for investigations in the event of a ransomware claim.
Rothstein also said insurance carriers are still grappling with how to factor in the security of a client’s third-party business partners or vendors. Third-party risks are one of the most difficult to manage in underwriting, and many questions remain.
“We’re trying to figure out whether or not the coverage includes their vendors,” she said.
Operational technology (OT) and industrial control systems (ICS) environments are also difficult to insure. ABS Group’s global head of industrial cybersecurity, Ian Bramson, has noticed an increased focus in the early stages of cyber insurance assessments. Initially, there was only a questionnaire to complete. Insurers now expect senior management to be present to go over the types of questions in greater detail.
However, he also stated that the majority of OT and ICS customers are unable to answer the first question: What do you need to protect? Another issue is that ICS and OT environments carry legacy systems, because those systems were designed to last decades. Legacy wind turbines, for example, can last 50 years but were not designed with security and software patching in mind, according to Bramson.
“The question is, do I pay a lot of money for cyber insurance that covers very little with many exceptions?” he stated.
More urgently, OT and ICS environments support critical infrastructures, so insurance carriers must consider more than just a threat actor stealing confidential data, according to Bramson.
“Attacking OT can result in cyber-physical events with far-reaching consequences,” he explained. “The problem is that they don’t have a good way to underwrite it.”