Cyber insurance used to be like any other risk management tool: manage the risk by building internal expertise, outsource it to a specialist provider, or lay it off to an underwriter or insurer. For many years it has been seen as an effective way to protect against loosely defined operational risks.
Things are changing. Cyber insurance is becoming harder and more costly to procure, to the point where you must demonstrate your ability to manage security risks before you are eligible to insure them.
Pricing cyber risk is proving to be an imperfect science for insurers. Cyber risks emerging from digital transformation initiatives, the explosion of ransomware claims and the sharp rise in insurers' loss ratios have fundamentally changed the market. Insurers now want evidence that security controls are in place and that the effectiveness of cyber risk management can be substantiated.
They want to know that there is:
They also need a high level of confidence that technical risks, too, are being managed in line with a recognised security risk management framework, for example the ACSC Essential Eight, ISO 27001 or NIST.
Cyber security is an area where things can go wrong quickly, and it is too late to act after the event. An insurance proposal can now take months to prepare, with detailed questionnaires followed by supplementary queries. Even when the insurer's specific technical requirements are met, you may still face significant premium increases, coverage limits, exclusions and retentions. Better quality cyber security risk data is now a priority for every stakeholder in the insurance process: insurers seek assurance of a stated posture, and those seeking insurance must be able to verify it.
Those seeking cyber insurance in 2022 can expect more of what occurred in 2021:
Insurers are now effectively setting the table stakes for security controls, and international security agencies are confirming the importance of those same prevention, containment and recovery mitigation strategies. There is now real clarity about the steps organisations need to take to improve their cyber resilience. Putting in place a system that measures the effectiveness of each of these safeguards is a foundational step in any cyber risk management process.
Whether it is to meet the pre-conditions of an insurer, to improve cyber resilience or to comply with tightening regulatory requirements, organisations should adopt a security framework and maintain compliance processes against the relevant security controls: a set of safeguards that can be measured regularly, with any variance reported for risk management purposes. Those controls should include both technical controls and "softer" cultural ones, for example staff cyber security training and awareness programs. The KPIs need to reflect the adoption of a cyber security culture from the top down, at both technical and business levels.
With appropriate cyber risk management systems in place, poor performance of any one control can be identified quickly and the gap closed. As security operating environments become more volatile, time is of the essence: the more responsive the risk management process, the more resilient the enterprise.
Supported by systematic empirical measurement, security and risk teams, as well as senior executives, can make prompt, evidence-based decisions about the state of their cyber security preparedness.
The latest joint ACSC, NCSC, FBI, NSA and CISA cyber security advisory reminds organisations that it is vital to maintain an active awareness of their cyber posture in the current hostile threat environment. Organisations should have effective measures in place to keep their security, risk and executive teams informed of the enterprise's security posture. Cyber security is no longer a set-and-forget activity, so regular visibility of the state of your security controls is now a baseline requirement.
As noted above, the controls recommended in the latest joint advisory are closely aligned with the "mandatory" mitigations being sought by cyber insurance underwriters everywhere.
The good news is that cyber insurance policies are still being written; it’s just their terms have tightened. The successful management of adequate security controls across your organisation will deliver two important outcomes:
Neither of these can be ignored if, as forecast, cyber insurance is to become an increasingly important part of managing the risks associated with digitalisation.
From the perspective of both insurers and international security agencies, organisations are not as well protected as they should be. This low level of protection raises the likelihood of a successful attack and, given the nature of the threats, the severity of its impact. That in turn affects insurance premiums.
So, if you are starting out, it is a good idea to focus on low-cost, high-value controls. Some of these are already built into your IT systems but may not be appropriately configured. Improving such controls can significantly improve your insurability, and the cost need not be prohibitive.
Prompt and rigorous patching of systems and fully tested backups, for example, are fundamental steps in a good cyber hygiene regime.
Human error has been blamed for more than 90% of cyber security breaches, so it too offers good scope for high-value security controls.
The first and most cost-effective initiative is to improve staff training and cyber awareness. Reducing the risk of someone opening a malware attachment or installing unauthorised third-party applications can pay big dividends.
Second, manage the way privileged accounts are assigned and used. Minimising who has access, for how long and for what purpose is a significant risk mitigation.
Third, when building or configuring systems, IT and security team members need to be aware of the key role they play in secure development and application security. Proactive security practices and cultural awareness can significantly improve your overall cyber posture.
You can also do a lot to ensure that if an incident occurs you have sound processes and plans, and an available expert service in place.
It may not reduce your premium, but it will almost certainly reduce the overall cost of an incident.
This is part of the process, the last line of defence: defining a plan, testing it and having the tools and mechanisms at your disposal if and when you need them. In the case of ransomware, for example, backups are a major part of any recovery plan. Backups that have been tested and shown to be capable of reinstating business operations are a significant fallback, because they give you more options for resolving the situation.
Where a back-to-base alarm or deadlocks once earned an insurance premium rebate, in the cyber insurance market the equivalent security controls are merely the cost of entry. Improving some controls delivers more benefit than improving others, but ultimately a good cyber posture with verifiable assessment artefacts is now a condition precedent for cyber cover.
As insurers challenge your answers to mandatory questionnaires and insurance proposals, and interrogate your security team for evidence, it is important to be prepared. Tightening your controls, managing staff awareness and maintaining incident plans will confirm your intent. An easy-to-understand report on the state and effectiveness of each of your security controls, and ultimately your cyber maturity level, will also help: it provides the audit artefacts that insurers and regulators are increasingly seeking.
Trying to "game the system" is no longer an option. If you want to participate in one of the growing number of industries that require minimum levels of cyber security compliance, you need a security risk management system that quickly and easily reports your cyber security posture and any vulnerabilities requiring attention.