Alvin Mills

Alvin Mills
VP of Information, Technology & Security

Cyber insurance premiums continue to climb

Cyber-insurance premiums could increase 20 to 50% through 2021 due to a combination of 2020 trends that are expected to continue through this year, according to an Aon report.”

Multi-factor authentication imageLast month, we learned that the global insurance company, AXA, would no longer write policies in France that reimburse customers for extortion payments made to ransomware criminals (Security Week, May 7, 2021). Their subsidiary in the U.S. stated it only applied to France. 

Considering France is second only to the U.S. in ransomware damages, how much longer before the same applies in the U.S.? At the same time, we heard that cyber insurance providers in Canada are now demanding that firms apply multifactor authentication (MFA), and some providers in North America will deny coverage if you have not implemented MFA. 

I know several of our community banks are getting the MFA questionnaire from their providers, but I have not heard of one being denied coverage if they check the box “no.” Cyber insurance premiums continue to climb, and we’re told by the insurance providers that the reason is the increased claims frequency and severity.

I’m not here to bash cyber insurance providers. It’s a critical need that has saved organizations millions of dollars. And, most importantly, we are getting the proper coverage. But, what about the organizations that have a very mature cybersecurity program, practice strong cyber hygiene, meet all the compliance requirements, apply MFA across the board and applied a strong defense in depth strategy? 

Our premiums are set based on asset size, not by how well we are at protecting our organizations. I’ve heard that insurance providers are looking at other ways to set a premium but I have not seen one in action yet. 

I also get approached by cyber security vendors that claim to be Safety Act certified. The Department of Homeland Security founded this effort and Congress enacted this as part of the Homeland Security Act 2002. 

Basically, this act provides incentives for the development and deployment of anti-terrorism technologies, cybersecurity being one of the categories. If you are a company in the cybersecurity industry and you get Safety Act certified, an organization that does business with you should, in theory, get discounts on insurance premiums. Maybe we are headed that way and hopefully we are.

Another one bites the dust:

“Using the credentials and exploiting a vulnerability in third-party security software, the unauthorized party gained unauthorized access to under 200 online customer bank accounts, had access to personal information in those accounts and fraudulently obtained an aggregate of less than $1 million from some of those accounts.” (SEC filing)

This happened to a U.S. bank in late April. This brings up a couple of questions I would like to address. In reference to the above quote: Is that relevant information to my organization? I would say yes, considering it is relevant to our banking community. 

Is it timely? Considering they learned about it in mid-April and released it in late-April, that is probably debatable. In that two-week window, how many other organizations, using the same third-party security software, were exploited and may not know it yet? A report by IBM found that the average time to detect and contain a data breach is 280 days! 

But the answer to the third question is what troubles me. Is it actionable? There is not enough information in the statement “third-party security software” that I can use to take immediate action. 

Actionable to me would come from my threat intelligence sources telling me something like, “All organizations running XYZ security software should immediately patch their systems or shut down the service” and look for signs of compromise. Business leaders read these same headlines, and most will be in your office asking the same question, are we secure? 

I hope we get to a point that I can say, yes, we are, but until then my response it going to be, we are working on it. That’s not how I want to respond and it certainly does not give my boss confidence.