In recent years, companies renewing their cybersecurity insurance coverage may have noticed rising costs paired with decreasing coverage. According to new research, they should expect to see the same in 2025.
Experts believe that cyber insurance premiums worldwide could rise to $23 billion by 2025.
This shocking number comes from the growing threat of data breaches and cyber-attacks. It also hasn't helped that with the increase of attacks, insurers now having a clearer view of the true cost of these cyber events. Insurers can now clarify their policies and, more importantly, their exclusions from coverage.
This article will cover the cybersecurity controls your organization needs in 2024 to qualify for cybersecurity insurance coverage.
The cybersecurity insurance underwriting process has become more specific, with carriers now requiring companies to meet certain minimum standards for their cybersecurity programs.
Here are the top 10 controls you'll need to have in place when applying for cybersecurity insurance in 2024:
Multi-Factor Authentication or MFA requires users to provide two forms of identification when signing into your company's systems. This is usually a password and a code sent to a physical device such as your mobile phone.
Insurance carriers expect companies to use MFA for system administrators, remote network access, and cloud apps like Office365.
Password rules should be in place and enforced on all systems.
A strong password should consist of:
Best practices dictate that businesses should prompt employees to change passwords every 60-90 days. They should also maintain a database of password history to prevent password reuse.
Passphrases are the latest trend in cybersecurity, and consists of a secret sequence of words, using the above guidance. According to the National Institute of Standards and Technology, a passphrase is generally longer than a traditional password and adds additional security.
Companies need to be backing up their data quarterly at a minimum, and ideally daily or nightly.
Along with regular backups, businesses should store them in multiple places. This includes at least one location that is off the network or separate from the main network.
Organizations should protect data by limiting administrative access on workstations and in applications. When possible, limit administrative access to IT personnel.
Companies are expected to be providing formal cybersecurity training to their employees at least annually.
Insurance carriers may request reports that show the effectiveness of your security awareness training. They are specifically interested in identifying how many employees may require additional training.
Anti-virus and malware software is expected to be installed on every device on your network. Your team should regularly maintain and update this software to apply critical patches and upgrades.
The Sender Policy Framework or SPF is an email-authentication technique. This framework is primarily to prevent spammers from sending messages on behalf of your domain.
With SPF, companies can publish authorized mail servers. This lets you specify which email servers can send emails on behalf of your domain.
Endpoint Detection and Response or EDR is an integrated endpoint security solution. EDR combines real-time continuous monitoring with the collection of endpoint data.
A Security Operations Center (SOC) is a team responsible for monitoring a company's network security events.
Larger organizations may staff this type of service in-house. Most small and medium-sized companies cannot afford to absorb this responsibility.
Since most internal IT staff lack this skill set, companies often outsource to a partner like Blue Pioneer Consulting.
Servers, workstations, firewalls, and other devices on your network generate security logs. A Security Information and Event Management (SIEM) platform is software that automatically collects them.
This platform has alerting capabilities to inform the Security Operations Center of high-risk incidents that have occurred.
Cybersecurity insurance carriers aren't sending auditors to verify claims yet. However, they often ask company owners or CEOs to sign affidavits confirming that the required controls are in place.
For more information related to cybersecurity and cybersecurity insurance, please reach out to the team at Blue Pioneer Consulting.