Small and medium businesses (SMBs) are facing a reckoning now: their insurance companies are forcing them to get proper security measures in place or they risk not being insured. But how did it come to this?
Over the years, cybersecurity insurance has paid out billions in claims from malware and other attacks bringing businesses to their knees. As these attacks became more frequent and more targeted, it became costlier and more likely that insurance companies would have to pay out claims because companies were, and always will be, vulnerable to attack. And yet, insurance companies don’t want to shell out millions of dollars when their clients might have only paid them thousands of dollars—it’s just not profitable.
In response, insurance companies have introduced a few tools to lower their risk of paying out on losses due to cybersecurity incidents. And some of these tools have affected the way the industry couples cybersecurity and insurance.
How Does Insurance Normally Reduce Risk?
One way insurance companies reduce risk is by writing policies at scale. If you have a small percentage of claims filed among millions of policies, then any losses are shared across the whole business unit.
For a long time, it seemed like insurance would just pay out every incident. When I worked at Datto, instead of end users wanting to use a backup solution some said that their recovery process was just to get paid out from their insurance and that was good enough for them after a ransomware event. That is a pretty extreme case but those companies used and misused insurance as a crutch and so insurance companies had to reduce their risk further.
Enter risk reducer number two: enforce cybersecurity standards. We have talked to countless service providers and IT teams, and many are being instructed by their insurance companies to adopt some level of security stack.
At a high level, the thought makes sense. And it’s a thought that we at Huntress have been shouting from the rooftops for ages. The more layers of security you add, the less likely you are to have an incident. But then that brings us to our next looming question…
How Do Insurance Companies Know What Security Policies SMBs Should Have?
The truth is that most don’t. This is because there isn’t a lot of data out in the world for insurance companies to comb through. Companies hide if they have been breached and for how much, and there are new terms and procedures in cybersecurity all the time.
Brokers get dictated to by their carriers, then the carriers need to run through a form and check off what a company does to protect themselves. Based on those answers, the carriers will say if they want to insure the company or not and by how much.
But herein lies the problem, there is a lack of universal cybersecurity standards and practices—it mostly comes down to the thought that the more security controls in place and money spent for those controls, the more secure the company and the less the cost of the policy. This is true of the cybersecurity industry as a whole.
How Insurance Decides Who to Cover and by How Much
Insurance carriers usually have something called an attestation document. It’s the document that insurance uses to verify that proper processes and policies were followed after an incident. If all was true and in place, the company gets paid out from the policy. If the insurance company reviews the attestation after the incident and finds that something was not fully in compliance with what was said on the attestation, then it’s likely the company that had the incident won’t be reimbursed with all the out of pocket expenses that they might have incurred during the incident.
For cybersecurity, the attestation document usually includes a series of questions like:
- Do you enforce multi-factor authentication (MFA) across all users?
- Do you have endpoint protection enforced on all endpoints?
- Do you regularly update operating systems to the most recent versions and how often?
As you can tell, some of these questions are very general. Sometimes they get a bit more direct, but oftentimes they’re just plain old confusing, like:
- Do you use an RMM? - This is a tricky one because RMMs have been known to be attack vectors in incidents. Insurance companies want to know if they are used and which ones because some RMMs in the market are banned by insurance companies (sometimes with reasoning sometimes without).
- Do you use an EDR? - This one specifically annoys me because I have so many questions:
- EDR is endpoint detection and response, but how exactly does the insurance company define it?
- Is an EDR product required if I monitor endpoints via RMM, maintain security updates, have an AV in place, monitor AV detections and make sure MFA is enforced across the board? Most companies have different controls in place that work on the endpoint.
- If I say no, does that mean insurance will be dropped?
- Are there EDRs in the market that are unsupported?
- If the EDR agent is not installed on every host, would I still be covered?
These questions are pretty nebulous and usually require more clarification because it's a risk for the IT professional if these aren’t adhered to.
The ultimate goal is to make sure that insurance companies run through their due diligence to insure companies that reduce their exposure to within tolerable levels. If you can prove that based on the controls in place, then the insurance company should insure you.
Will There Be More Definitions in the Future?
Absolutely there will be. The US government has even released its recommendations with Cybersecurity Maturity Model Certification (CMMC) levels on what vendors working with the government should be adhering to with their security controls. It’s covered in five levels, with a five being the highest amount of security controls.
If it hasn’t started already, it’s likely that more insurance providers will start using these levels as a barometer for companies they are looking to insure.
So How Do We Start Bringing Back Balance to This Scale?
Well, until there is more definition as to what specifics are needed by insurance, it’s important to not just look at what security boxes need to be checked, but how and why you should check those boxes.
A great place to start is by reviewing CIS controls and the NIST Cybersecurity Framework—both of which were the basis for the CMMC recommendations.
From there, you can figure out the holes that need to be plugged. Spoiler alert: usually preventive technology isn’t the real issue. Detection and response are often the most critical layers that businesses are missing. And in the eyes of insurance, having EDR, MDR, or some type of detection and response capabilities listed on the attestation doc will help you answer “yes” when they come asking their list of questions.