Experts Blog

Recently, in our Virtual CISO (vCiso) role for one of our clients, we completed a routine cybersecurity insurance renewal questionnaire and a supplemental ransomware questionnaire, which contained typical inquiries, including whether our client uses multi-factor authentication and if it encrypts its data backups. Pretty standard stuff. 

Once completed, we submitted the form to the insurance company. From there, our client expected that the form would help the carrier determine the amount of coverage and the premium it would charge. What happened next surprised our clients and highlighted a growing trend in the industry. After submission, our client was surprised to receive an invitation from the broker to meet and discuss the answers in the questionnaires. 

In the past, we have seen brokers or underwriters take these forms as the source of truth for their calculations. But during this call it quickly became clear that the underwriters wanted to discuss the answers in further detail and review potential risks they identified with the client’s userbase. Notably, the underwriters were clearly leveraging open-source intelligence (OSINT) techniques to research the company before issuing and signing off on the coverage.

Increasingly, insurance companies are taking cybersecurity insurance customers seriously with the intention of reducing their own overall risk by either denying coverage or increasing premiums for clients they deem as “risky.” This client isn’t alone. Just in the past year alone, we have worked with a significant number of clients who have watched as their cyber insurance premiums skyrocketed, in some cases quadrupling in just 12 months. Meanwhile, as premiums shot up, carriers cut back dramatically on the coverage they would provide. During the second quarter of 2022, cyber-insurance premiums are up 79% from a year earlier, according to a recent study by the Global Insurance Market Index. We don’t see this trend ebbing anytime soon. Instead, we fully expect insurance companies to increase their scrutiny of their clients even further and more thoroughly going forward.

What can you do:

Supplementing cyber insurance with a balanced approach to preventative, detective, and response control organizations can strengthen an organization’s cybersecurity posture and risk profile. Ensure your defensive security controls are in place and well documented. To that end, consider implementing the following recommendations.

Supplementing cyber insurance with a balanced approach to preventative, detective, and response control organizations can strengthen an organization’s cybersecurity posture and risk profile. Ensure your defensive security controls are in place and well documented. To that end, consider implementing the following recommendations.

• Adopt a proper vulnerability management program. Utilizing a through, risk-based vulnerability management program should bring awareness to threats and exposures that can negatively impact the organization. 
• Use Multifactor Authentication (MFA) on email and remote access. MFA is a critical component to reducing risk in an organization. 
• Harness Endpoint protection (EDR, MDR, XDR). Utilize an endpoint protection platform to detect and prevent security threats on an endpoint device (e.g., laptop, tablet, phone). 
• Implement and Require Security Awareness training programs. Educating all staff within the organization can help to mitigate risk and highlight the warning signs of a potential cyber threat or attack.

As cyber insurance companies continue to adopt OSINT techniques, organizations should consider an OSINT review of your company to see what information may exist on the dark web. OSINT can be used for proactive research to understand the future threat landscape. Fortalice can assist your organization in remaining agile and preemptive rather than reactive to cyber threats.

Additional resources:

CISO Minute: Cyber Insurance Market Growth by 2025

WSJ: Buying Cyber Insurance Gets Trickier as Attacks Proliferate, Costs Rise

‍