Insurers need to balance their policies with the increasingly common payouts as a result of the breaches, so increased cost of insurance is an inevitable consequence. In practice, the insurers are now looking for mechanisms to make their risk estimates more accurate and adjust their insurance premiums to reflect the current situation.
I recently discussed this topic with Tom Dugas, Assistant Vice President and CISO at Duquesne University. He highlighted a new approach taken by the insurance companies to justify the increase in premiums. Insurers are looking at the organization's external services by acquiring network scans performed by a third party. The larger the infrastructure footprint you present to the world, the longer the report is likely to be, so large public universities are even more likely to be experiencing this.
The open and vulnerable services in your network are then considered part of the organization's attack surface. Even if they are not currently vulnerable and are managed according to best practices. Services with known vulnerabilities are naturally considered to be an even higher risk. They should have been taken care of in any case. As a result of these external attack surface reports, some insurers' premiums for cyber insurance policy renewals have been jacked up by more than 200%.
At the moment, as the pressure to increase the premiums is very high in the insurance market, insurance agencies don’t yet have incentives to provide the opportunity to present your side of the story. In a competitive market, you can provide verification and documentation that those services are secure and low risk, which will reduce your insurance price. A more balanced situation will emerge later once the premiums again match the risk exposure of the market. For now, to avoid a significant increase, it's necessary to work to remove the leverage that the insurers can have over you.
So, what can you do today to reduce your exposure? You should definitely batten down the hatches and remove access to any unnecessary or vulnerable services. You can keep track of these by adding a layer of third-party validation of your security efforts. What third-party monitoring sees is likely similar to what would be in the report that the insurance company acquires. While your premiums may still go up, you will definitely have more leverage in the negotiation.
By subscribing to Arctic EWS, we can tell you about many of your networks' open and vulnerable services that you should be aware of. You can then take appropriate measures to remove what is not strictly necessary. After removing them, those issues can't be used against you right now, neither by criminals nor by your insurance provider.
Another way to reduce the premiums is by storing less personally identifiable information (PII). The costs of cybersecurity insurance are directly related to the total amount of PII that could leak from your organization. Halving the amount of stored information means halving the damage exposure in a complete breach. That will directly impact the price of your insurance.
As a practical example, Mr. Dugas brought up how enforcing data retention policies for the university can significantly impact the damage exposure in case of an information leak. Holding onto sensitive data longer than is required increases the risk related to a data leak. This is a prudent approach, and it's recommended to take a critical look at your data retention policies going forward and ensure that those policies are being enforced.