It’s not a matter of if, but when your business faces a cyber threat. More and more companies are using cyber insurance to reduce potential costs. But with cyber insurance premiums and cyber attacks on the rise, cyber insurance will become even more expensive or cover less risk, or both.
AMRAE’s LUCY report notes a 44.4% increase in the amount of premiums paid by companies, and the momentum isn’t slowing down: Standard & Poor’s Corp. predicts a continued increase of 20% to 30% per year on average in cyber insurance premiums in the coming years.
Another important point: after the state said in early September that it was ready to allow insurers to cover compensation for cyber ransoms, the Senate has just validated Article 4 of the LOPMI bill, which allows insurance to reimburse the payment of cyber-ransoms. However, it should be noted that this practice is contrary to the recommendations of ANSSI, which strongly encourages companies not to pay, so as not to encourage cybercriminals. Remember that even after the ransom is paid, there is no guarantee that you will recover your data.
So how do you prove to insurance companies that you are at low risk of attack, and save on premiums? To support you, we share four best practices to follow.
Focus on your risk profile
The risk profile of the insured and the risk appetite of the insurance company will always remain the biggest factors in determining the cost of insurance coverage. The weaker the risk management program, the higher the cost of insurance, and the higher the cost to the insured.
Companies with a low risk profile pose less risk for the insurer, and therefore benefit from better prices. So to save on cyber insurance, you need to reduce your risk profile.
4 Cyber Security Best Practices to Reduce Your Risk Profile
There are as many ways to reduce risk as there are risks themselves, so we won’t detail them all.
But let’s dwell on the pillars of a solid risk management program and the main factors that are taken into account when insurance companies assess your risk profile.
1. Implement MFA
Passwords are too weak; we’ve known that for a long time. MFA is not a magic bullet, but it is an important defense against compromised passwords. In the Verizon Data Breach Investigations Report (DBIR), we see many variations and attack methods used to compromise credentials, and also the high effectiveness of each method. The report says hacked credentials are the source of 61% of all breaches.
Adding a second factor of authentication (2FA) means requiring “something you have,” “something you are,” or “something you know” in addition to the password. If one factor is compromised or discovered, an unauthorized user still has at least one additional barrier to overcome before successfully breaking into the targeted system.
Where do cyber insurers want to see MFA implemented?
As the cyber insurance market hardens, insurers are scrutinizing profiles and looking for customers whose security controls are in line with their high standards. By imposing MFA, insurers drastically reduce their exposure. Multi-factor authentication is becoming a requirement for all accounts, privileged and non-privileged, on-premises, remote and in the cloud.
In general, the prerequisites for taking out a cyber insurance contract are ANSSI’s hygiene measures. However, in some cases and depending on your business profile, your insurer may ask you to answer “yes” to all of the following questions:
- Is a multi-factor authentication solution required when employees access their email via a website or a cloud service?
- Is a multi-factor authentication solution required for remote network access by employees, contractors or third-party services?
- In addition to remote access, is multi-factor authentication required in the following cases, including for third-party services:
  - For all internal and remote administrator access to directory services (Active Directory, LDAP, etc.)
  - For all internal and external administrator access to network backups
  - For all internal and remote administrator access to network infrastructure components (switches, routers and firewalls)
  - For all administrator access to company terminals and servers
According to Marc-Henri Boydron, founder of the broker Cyber Cover, the leading brokerage firm in France specialized in cyber and fraud risks for companies, one of the first protective measures he recommends is the implementation of multi-factor authentication for all accounts. Depending on the level of protection that the company has put in place, the premium can vary by a factor of two.
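The questionnaire above is easier to answer honestly if it is turned into a check that runs over your own access inventory. The following Python script is an added example (not code from the original post, nor from UserLock or any insurer): it maps each of the insurer’s questions to a predicate over a constructed inventory of accounts, lists the in-scope accounts that do not enforce MFA, and derives the yes/no answer for each question from those gaps. The system names, the access-path values and the way each question is interpreted are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    """One entry of a constructed access inventory (not real data)."""
    user: str
    system: str          # assumed vocabulary: "email", "vpn", "directory", "backup",
                         # "switch", "router", "firewall", "workstation", "server"
    access_path: str     # assumed vocabulary: "internal", "remote" or "cloud"
    admin: bool
    mfa_enforced: bool
    third_party: bool = False   # contractor or external service account


NETWORK_INFRA = {"switch", "router", "firewall"}
ENDPOINTS = {"workstation", "server"}

# One predicate per insurer question: does the question apply to this account?
# The scoping is our interpretation of the checklist wording (an assumption).
REQUIREMENTS = {
    "email_web_or_cloud": lambda a: a.system == "email" and a.access_path in {"remote", "cloud"},
    "remote_network_access": lambda a: a.access_path == "remote",          # staff, contractors, third parties
    "directory_admin": lambda a: a.system == "directory" and a.admin,      # internal and remote
    "backup_admin": lambda a: a.system == "backup" and a.admin,            # internal and external
    "network_infra_admin": lambda a: a.system in NETWORK_INFRA and a.admin,
    "endpoint_server_admin": lambda a: a.system in ENDPOINTS and a.admin,
}


def mfa_gaps(inventory):
    """Return {question: sorted list of in-scope 'user@system' entries without MFA}."""
    gaps = {}
    for question, in_scope in REQUIREMENTS.items():
        gaps[question] = sorted(
            f"{a.user}@{a.system}" for a in inventory if in_scope(a) and not a.mfa_enforced
        )
    return gaps


def questionnaire_answers(inventory):
    """True ('yes') for a question only when every in-scope account enforces MFA."""
    return {question: not missing for question, missing in mfa_gaps(inventory).items()}


def mfa_coverage(inventory):
    """Share of accounts in scope of at least one question that enforce MFA (0.0 to 1.0)."""
    in_scope = [a for a in inventory if any(applies(a) for applies in REQUIREMENTS.values())]
    if not in_scope:
        return 1.0
    return sum(a.mfa_enforced for a in in_scope) / len(in_scope)


# Constructed sample inventory: a small mix of compliant and non-compliant accounts.
SAMPLE_INVENTORY = [
    Account("alice", "email", "cloud", admin=False, mfa_enforced=True),
    Account("bob", "email", "cloud", admin=False, mfa_enforced=False),
    Account("carol", "vpn", "remote", admin=False, mfa_enforced=True),
    Account("dan", "vpn", "remote", admin=False, mfa_enforced=False, third_party=True),
    Account("eve", "directory", "internal", admin=True, mfa_enforced=False),
    Account("frank", "backup", "internal", admin=True, mfa_enforced=True),
    Account("grace", "firewall", "remote", admin=True, mfa_enforced=True),
    Account("heidi", "server", "internal", admin=True, mfa_enforced=False),
]


if __name__ == "__main__":
    answers = questionnaire_answers(SAMPLE_INVENTORY)
    for question, missing in mfa_gaps(SAMPLE_INVENTORY).items():
        verdict = "yes" if answers[question] else "NO"
        print(f"{question:<24} {verdict:<4} gaps: {', '.join(missing) or '-'}")
    print(f"MFA coverage of in-scope accounts: {mfa_coverage(SAMPLE_INVENTORY):.0%}")
```

Feeding the script a real export (from the directory, VPN concentrator, backup console and so on) instead of SAMPLE_INVENTORY gives a defensible answer to each question, and the gap lists are the work items to close before the next renewal.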
2. Increase visibility and control access
Insurance companies seek to mitigate their losses. It is also necessary to maintain a zero trust policy regarding risks. You are more likely to identify and prevent attacks when you focus on restricting and protecting access and increasing visibility of user activities and access attempts.
Access control helps address the need for better control and monitoring of data access based on user role. It also targets key attack modes rather than standard indicators of compromise, and carefully examines unauthorized actions.
- User permissions should be restricted according to their needs and goals (for example, a member of the development team does not need to have access to HR files)
- Access to data must be secured, along with user permissions such as network or application access permissions. Authorization and authentication go hand in hand, because individuals do not always protect the data they access, share and use as they should. Data access should also be monitored, including deletions and attempted deletions.
- Sensitive data must be encrypted whether it is in use or not, and compliance requirements and data governance rules must be applied systematically.
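The three points above (least-privilege permissions by role, and monitoring of access attempts including attempted deletions) can be shown in a few dozen lines. The following Python script is an added example, not code from the original post or from UserLock: a deny-by-default role-based access check that records every decision in an audit trail, plus two helpers that pull the denied attempts and the users who keep being denied out of that trail. The roles, resources, users and the scenario it runs are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed role -> permission table. A permission is a (resource, action) pair;
# anything not listed here is denied (deny by default).
ROLE_PERMISSIONS = {
    "developer": {("source_repo", "read"), ("source_repo", "write"), ("ci_logs", "read")},
    "hr": {("hr_files", "read"), ("hr_files", "write"), ("hr_files", "delete")},
    "backup_admin": {("backups", "read"), ("backups", "restore")},
}

# Constructed user -> roles assignment. A user may hold several roles.
USER_ROLES = {
    "alice": {"developer"},
    "bob": {"hr"},
    "carol": {"developer", "backup_admin"},
}


@dataclass(frozen=True)
class AuditEvent:
    """One authorization decision, kept whether it was allowed or denied."""
    user: str
    resource: str
    action: str
    allowed: bool
    reason: str


def is_authorized(user, resource, action):
    """Return (allowed, reason). Unknown users and unlisted permissions are denied."""
    roles = USER_ROLES.get(user, set())
    if not roles:
        return False, "unknown user"
    for role in sorted(roles):
        if (resource, action) in ROLE_PERMISSIONS.get(role, set()):
            return False or True, f"granted by role '{role}'"
    return False, "no role grants this permission"


def authorize(user, resource, action, audit_log):
    """Decide, then record the decision so denied attempts are visible to monitoring."""
    allowed, reason = is_authorized(user, resource, action)
    audit_log.append(AuditEvent(user, resource, action, allowed, reason))
    return allowed


def denied_attempts(audit_log, action=None):
    """All denied events, optionally filtered to one action (e.g. 'delete')."""
    return [e for e in audit_log if not e.allowed and (action is None or e.action == action)]


def repeat_offenders(audit_log, threshold=2):
    """Users denied at least `threshold` times: candidates for a closer look."""
    counts = Counter(e.user for e in audit_log if not e.allowed)
    return sorted(user for user, n in counts.items() if n >= threshold)


def run_scenario():
    """Constructed sequence of access attempts; returns the resulting audit trail."""
    log = []
    authorize("alice", "source_repo", "read", log)    # developer doing developer work
    authorize("alice", "hr_files", "read", log)       # developer reaching for HR data: denied
    authorize("alice", "hr_files", "delete", log)     # attempted deletion: denied and recorded
    authorize("bob", "hr_files", "delete", log)       # HR role may delete HR files
    authorize("carol", "backups", "restore", log)     # second role grants the restore
    authorize("mallory", "hr_files", "read", log)     # not in the directory at all
    return log


if __name__ == "__main__":
    trail = run_scenario()
    for event in trail:
        status = "ALLOW" if event.allowed else "DENY "
        print(f"{status} {event.user:<8} {event.action:<8} {event.resource:<12} ({event.reason})")
    print("denied delete attempts:", [e.user for e in denied_attempts(trail, "delete")])
    print("repeat offenders:", repeat_offenders(trail))
```

The point of keeping denied events rather than discarding them is the monitoring requirement: the attempted deletion of HR files by a developer is exactly the kind of record an insurer’s risk assessment expects you to be able to produce, and the repeat-offender helper is the simplest form of the prioritised reporting discussed in the next section.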
3. Assign actions to specific users
Having a strong, ongoing monitoring program helps prove that your company has a strong cybersecurity culture. It is an important way to justify risk reduction during a risk assessment.
Cybersecurity reporting evolves with business needs and technological advances. On the business side, business leaders sometimes criticize reports for being too technical, disjointed and complicated. Worse, cybersecurity teams don’t always have the visibility they need to get the big picture. Additionally, depending on how reports are written and presented, they may not be sufficiently prioritized and consistent to demonstrate the effectiveness of processes and technology investments. While we realize the importance of having “end-to-end” visibility, sometimes there can be blind spots here and there that pose a risk to the business.
Essentially, cybersecurity managers and teams need to take a critical look at charts and reports to ensure that they actually help the business manage risks more effectively and make the right decisions about them.
4. Set up breach alerts and automated response
Automate as much as possible to ensure the entire process is efficient and effective – from monitoring the attack surface, to third-party risk management, to contracts with insurance companies. Ideally, a company should be able to operationalize its supply chain security and its risk posture together, at all times. Technology can help companies achieve this goal: it can automatically assess configurations and controls in a cloud environment and evaluate supply chain risks, to show how the business is performing from an attack surface perspective.
Save on your cyber insurance premium with powerful access control features
None of these four best practices alone is enough to give your business a discount on its cyber insurance premium. But by strategically implementing all four with a comprehensive software solution like UserLock, you can significantly reduce your risk and thereby demonstrate your low risk profile during a risk assessment. Plus, with a stronger security profile, you’ll be better placed to negotiate a lower premium for your cyber insurance, which will save you money in the long run.