December 20, 2021

Enterprise Technology - Cyber Insurance Requirements Raise Security Spending

By Jaclynn Anderson
As businesses turn to cyber insurance to offload security risks, insurance carriers are increasing premiums and requiring additional security measures, which benefits vendors focused on identity management, endpoint security, and managing and remediating vulnerabilities.
  • Insurance premiums increasing up to 100% y/y; cost increases forcing customers to adopt additional layers of security and accept lower coverage limits; incident response vendors partnering with insurance companies to provide discounted rates
  • Multi-factor authentication, single sign-on and privileged access management services driving conversations for CSCO’s Duo, GOOG, MSFT, OKTA, RSA Security
  • Greater focus on advanced endpoint solutions benefits CRWD, S, MSFT, VMW’s Carbon Black; Arctic Wolf, Lacework, Panther Labs among private vendors benefiting

Cyber Insurance Requirements Drive Security Sales 
Eight security sources said cyber insurance requirements are driving security priorities and sales, consistent with themes in OTR Global’s October Okta Inc. report and November CrowdStrike Holdings Inc. report. One North American security channel partner said, “It took us by surprise when we started to see it. We would get a frantic call, saying, ‘Hey, we have to have two-factor authentication by the end of the month or we don’t have insurance.’ Cyber insurance absolutely is driving security sales, and the biggest feeling I get from that particular situation is that customers are being caught off guard and they’re being required to put solutions in place that sometimes have a really high cost associated with them. It’s an unexpected expense that wasn’t budgeted that now all of a sudden is take it or leave it: If you want insurance, then you have to put these solutions in place.” The partner reported some clients had only two to six weeks to address their technology shortfalls. “Even with six weeks, that’s not a lot of time to spec out a vendor and put two-factor authentication in place or endpoint detection and response. So, it’s definitely a big challenge out there,” the partner said.

Identity, Endpoint, Vulnerability Management Top Concerns
Security sources said products and services related to identity, endpoint security, and finding and patching vulnerabilities are the key beneficiaries related to cyber insurance requirements. A North American reseller said, “I have the experience of receiving sales because of such requirements -- patch management, recovery, and EDR sales -- which are CrowdStrike, [VMware Inc.’s] Carbon Black and SentinelOne [Inc.] -- and firewall sales. People are getting caught up with implementing solutions they have been thinking about, but are now getting to fulfill requirements.”

Within the identity category, sources said products addressing multi-factor authentication (MFA), identity and access management, and privileged access management (PAM) are poised to benefit. Three said Cisco Systems Inc.’s Duo would benefit from changes in requirements from insurance companies. Alphabet Inc.’s Google [single sign-on (SSO)], Microsoft Corp.’s identity and access management products (including Azure Active Directory and Multi-Factor Authentication), Okta and RSA Security LLC were also cited as benefiting. A North American channel partner said, “Cyber insurers are not issuing new policies or renewing existing policies without two-factor authentication. Starting in February or March of [2021], they started requiring it. It is benefiting Okta, Duo and RSA. Then cyber insurers added one more requirement to the two-factor authentication, which was for VPN, and then required it on any server that had backup software on it -- the management interface [which benefits the same top three vendors].”

Within the endpoint security segment, security sources identified CrowdStrike, SentinelOne, Carbon Black and Microsoft as beneficiaries. A North American reseller said, “Our personal benefit is CrowdStrike. That’s one product or service that we’ve seen an increase in because of the requirements.” The reseller also said cyber insurance requirements were pushing customers to adopt more sophisticated solutions. “They’re saying ‘endpoint detection and response,’ and not ‘endpoint security.’ That’s in a roundabout way making companies more secure by updating some of the language of what is required.”

Two sources said Arctic Wolf Networks Inc., which provides managed risk, cloud security posture management (CSPM) and managed security awareness, in addition to managed detection and response (MDR) and cloud detection and response offerings, would benefit from spending focused on managed detection and response. One said, “We’ve started working with Arctic Wolf a lot and are seeing cybersecurity insurance coming up in conversations with them quite a lot, and I see it accelerating the business case. It’s interesting as finance [departments] own the insurance relationship, and now we can say to the CFO, ‘Look at the cybersecurity we can deliver with a cost-neutral option.’”

One North American partner said any company focused on vulnerability management, or on increasing compliance and reducing risk, benefits from insurance requirement changes. Lacework Inc. and Panther Labs Inc. were mentioned as potential beneficiaries, as code-based scanners that help organizations find vulnerabilities. One source said, “Qualys [Inc.] is a traditional scanner with a standard host, and creates issue reports to fix them. But with the movement to the cloud -- especially since people are moving to [Amazon.com Inc.’s] AWS -- monitoring in the cloud is a different beast. There’s more startups addressing this need. Lacework is one of them, Panther is another. They monitor infrastructure and scan for vulnerabilities.”

Additional Quotes:
“Everyone in the world is asking for SOC 2 [System and Organization Controls for Service Organizations 2 compliance] reports, and insurers require these. For example, if you use an AWS service, you pay extra to have a SOC 2-compliant server, and if you are trying to buy cyber insurance, you will have to provide the SOC 2 reports. It is a way for the insurance companies to make sure you are using security companies at a certain level. There are certain vendors that are not SOC 2 compliant. The [vendors] that have it have the advantage.”

“This year, insurance companies are mandating things like continuous vulnerability management and an endpoint anti-virus service that not only detects but also remediates. They are looking for MFA and PAM controls to be in place. They are looking for people to have asset management and to have it documented and proved that the devices on the network are known or managed devices that meet a minimum standard.”

Microsoft Benefits from Higher-Level License Adoption
Three partners expect the need to address additional security needs could drive customers to higher Microsoft licensing levels. One security channel partner said, “When Microsoft bundles, they’re getting Office 365 and email security and things built in. When I come in to sell CrowdStrike, then they still have Microsoft licensing needs and from a cost perspective, they may say, ‘We use five of seven things from the bundled licensing. We might just go up a level of licensing, bolt on the security, and not have to have another third-party product.’”

Insurance Requirements Consistently Evolving
Insurance providers are adjusting the requirements to maintain existing levels of insurance at each annual renewal cycle, which can often take months of planning. One source said, “The norm is renewals every year, and the process to renew is like four to five months, at least. Bigger companies use a broker; Marsh McLennan [Inc.] and Aon [PLC] are some of the big ones. They have experts, and we have a cyber team from Marsh who we work with. Marsh serves as a broker and adviser and has built risk-management capabilities -- not just insurance, but also the assessment -- and they have data breach response teams.”

Sources said insurance premiums could increase up to 100% if customers do not meet the stricter requirements. In some cases, the insurer may reduce the coverage limit or the types of protection offered. One enterprise risk executive said, “With cyber, in the past, you could almost always get the insurance. You might have some coverage restrictions if you didn’t have good risk management in place. Now, if you don’t have something, if you don’t meet the requirements on these specific 12 issues, you might not be able to get insured. Or if you do get insured, it could be more than 50% more [in cost] or probably twice [as much], and you will be scrutinized and have a tough renewal process.” A cyber insurance sales executive said, “Premiums are increasing by 100% or more. Insurance companies used to offer a $10 million policy, and now are only going to offer $3 million. It’s a function of seeing so many large claims, and they want to limit their exposure. And every insurance company is treating their own cyber portfolio differently than others, but all are reducing limits. Essentially, they are saying, ‘Our appetite has changed, and you don’t meet our requirements any more, and we will no longer provide [you] insurance.’”

Cyber insurance companies also have developed relationships with incident response (IR) vendors to respond when a breach occurs. One partner said, “The insurance providers will typically have three or four types of IR vendors on an insurance panel with whom they have negotiated lower rates: Breach attorneys like Lewis Brisbois [Bisgaard & Smith LLP] and McDonald Hopkins [LLC] that have extensive data breach practices; vendors like CrowdStrike, Kroll [Inc.], Kivu [Consulting Inc.] and [Palo Alto Networks Inc.’s] Unit 42 [formerly Crypsis].” The partner said negotiators and data recovery firms (like Coveware Inc. and MoxFive LLC, respectively) are typically deployed as part of an incident response case. Another said, “The cyber insurance marketplace bifurcated between traditional insurance and insurance tech into a blend of insurance and technology. One of our insurance companies called At-Bay [Inc.] just announced a strategic partnership with a tech company [Microsoft]. The two premiere insurance companies are At-Bay and Coalition [Inc.].”

Opportunities exist for IR vendors of varying sizes. One security channel partner said, “Every cyber insurance company has a contract with three or more incident response companies. It is negotiated at a fixed rate for the cyber insurance company. Normal IR cost is $500 per hour with a minimum of 40 hours, so out of the gate you’ve peeled off $20,000, and if you go over 40 hours, then it is more money for another block of 20 hours. Insurance companies pick a company and get a lower cost of $320 per hour. There are so many different players out there. Mandiant [Inc.] has IR, Cisco does IR -- and Cisco doesn’t do discounted prices. If you call Cisco, it is $100,000 right out of the gate. So smaller IR companies with great technology like DirectDefense [Inc.] with less than 100 people -- and their IR team is fantastic -- are being used. Customers and insurers are going to companies like that that are less well known and usually regional. Smaller companies get called because it is cheaper to deploy them.”

Additional Quotes:
“Some companies are buying an IR retainer, which is a lower-cost option to that of cyber insurance. With an IR retainer, a company can pay for a 12-month contract with an IR company that will guarantee a response within four hours. With cyber insurance, you have to call in the incident and get a claim number, which takes more time. How many more devices have been encrypted in those hours?”

“Having the right tool can result in having 30%-40% lower premiums and also better coverage. We have been using it as a way of helping clients use the cost savings to pay for cybersecurity. So if instead of spending $100,000 on insurance, they could buy $40,000 of tools and reduce their insurance bill to $60,000. They’re still spending the $100,000, but it’s a better proposition.”

“Our CISO and data privacy teams are doing everything they can to minimize risk, but as a business, you have to prioritize, and there are choices. We have a bunch of old technology that creates more risk, so we have to address that based on a reasonable timeline.”

“Cyber insurance falls into corporate governance and allows boards to authorize spending on security products and insurance products. From a board level, there is a financial decision of how much risk there is with current security practices. And they suddenly realize, ‘I am going to have to address this risk, reduce it, offload it or accept it.’ In each situation, offloading the risk is tied to buying insurance or working with a SaaS [security as a service] provider or SOC [security operations center] provider.”

“Arctic Wolf [has a] deal with Marsh McLennan that if you have purchased the Arctic Wolf solution, you get the reduction on your premiums with no questions asked. For the client, that means less scrutiny, and we expect to see more of that.”

“If MFA is broken, then the world will have problems. But Duo is a big player. Microsoft, Google and Amazon have their own identity solutions, though they are not easy. But turnkey options are Okta and Ping [Identity Corp.].”

“Microsoft has their own EDR solution that’s pretty good. XDR applications have to do really shady stuff, like editing the Microsoft Windows kernel that Microsoft doesn’t want you to edit. There’s opportunity to turn off the show [for competitors]. Microsoft can flip the switch and no one can get in. I’m less optimistic on the EDR/XDR space.”

“Cyber insurance is definitely looking for security companies that have a ransomware rollback, which is if you do get attacked, you can roll back to right before the attack took place. Also, identity management like [LogMeIn Inc.’s] LastPass is crucial to not losing all credentials. And mobile threat management [also is important].”

“SentinelOne certainly offers IR, and if there is a major breach, somebody insured works with their IR team and finds out if certain endpoints weren’t covered [by the security].”

“Fortinet [Inc.] has a couple solutions as it pertains to connecting using two-factor authentication, but they’re minimal. FortiToken is one solution, and that can integrate with FortiAuthenticator, which is basically a user-name-and-password type product. You can offload authentication to that machine.”

“There’s a vendor in particular that has the market on insurance company vulnerability scans, which is BitSight [Technologies Inc.].”

“We do know these insurance carriers are losing their fannies with payouts. Losses are exceeding their premium base. They are having many more claims than assumed, and they did not have the underwriting history to understand this.”

“Generally, when people look at security, it is coming out of CSSP [Cyber Security Service Provider] literature that says three things: You remediate risk, accept risk, and/or transfer risk. Cyber insurance is transferring risk. Insurance companies want to know: Do you have multi-factor authentication on all accounts? Do you have data loss protection in place? Do you have end user training? And do you have X, Y or Z? In order to obtain cyber insurance coverage, they are requiring you to have certain practices in place to issue the policy.”

“Every company, size and vertical from K-12 all the way up to large financial institutions, manufacturing, and oil and gas is buying cyber insurance.”

“It will get to a point in five to seven years where companies won’t be able to afford cyber security insurance and will go to IR contracts. It will be more cost effective to get a bigger budget for security and not pay for the insurance.”