The CISO’s role in corporate cyber insurance


With the frequency and severity of cyber insurance losses on the rise, insurance companies are implementing strategies to mitigate their own exposures. Already this year (2022) there is anecdotal evidence pointing to the cost of cyber insurance coverage increasing in excess of 100% in some markets. The CISO plays a key role in how insurance is priced for an organisation, and CEOs, Boards, Shareholders and Regulators alike rely heavily on the CISO getting their security posture right.

For organisations that may not have all of the desired controls in place, significant ransomware sub-limits are being applied (a limitation in an insurance policy on the amount of coverage available to cover a specific type of loss), capacity is being reduced, and much higher retentions are being asked for, i.e. the amount you need to pay per claim before insurance cover kicks in.

CEOs and CISOs are increasingly being asked by insurers about risk mitigation measures (controls) as the criteria for purchasing cyber insurance become more difficult and more expensive to meet. Insurers now want to see the enforcement of multi-factor authentication (MFA) across the corporate network, regular employee training, completed software patches/updates and the use of endpoint detection and response tools – just for starters!

The MFA requirement by insurers has now become a lot broader and is applied to far more applications (everything) where possible or feasible. They want to see external attack surfaces locked down and a strong Disaster Recovery Plan (DRP). As a result of these increased requirements to buy cyber insurance cover, brokers are now getting in touch with clients 4-6 months out from policy renewals to close any gaps.

CISOs are also being scrutinised by Regulators and Boards as to their “cyber supply chain strategy”. They want to understand how a CISO is pivoting their security strategy in response to the threat trends and whether they are being proactive enough in adjusting the risk lens. For example, after the first incident at SolarWinds, not all security recommendations were implemented. After Kaseya was attacked, they waited 2 weeks before rolling out a patch to address the vulnerability. As such, attackers are targeting this vendor segment in order to use their direct path connection to send malicious code deep inside companies. Insurers want to see effective network monitoring tools to detect and prevent the injection of malicious code inside normal software updates.

CISOs and their teams also need to demonstrate the robustness of their cyber supply chain in three ways:

  1. Identify all software vendors that monitor, manage and/or support applications and networks, and all developers pushing code to an application, and undertake a software inventory of their most critical applications.
  2. Map the identified vendors against their third-party assessment program and check whether any fell below the radar. Use a tool such as SecurityScorecard, which scans these vendors to provide a grade.
  3. Have a plan showing how they are raising/prioritising their risk assessment rating, and potentially a supply chain remediation plan for the worst-scored vendors.
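The three steps above, as an added worked example that is not code from the article: a short Python script over a constructed software inventory and constructed assessment grades (vendor names, applications and grades are all made up, and the A-to-F letter scale is an assumption modelled on scorecard-style rating tools) that flags vendors missing from the third-party assessment program and orders the remediation list so that unassessed and worst-graded vendors of critical applications come first.

```python
# Added illustration of the three supply-chain steps; not code from the article.
# Assumptions: vendors are graded A (best) to F (worst), as with scorecard-style
# rating tools; all vendor names, grades and applications below are constructed.

# Step 1: software inventory for the most critical applications, listing each
# vendor that monitors, manages, supports or pushes code to them.
INVENTORY = [
    {"vendor": "ExampleRMM", "app": "Endpoint management", "access": "remote management", "critical": True},
    {"vendor": "BuildPipelineCo", "app": "CI/CD", "access": "pushes code", "critical": True},
    {"vendor": "PayrollSaaS", "app": "Payroll", "access": "hosted service", "critical": False},
    {"vendor": "NetMonitorInc", "app": "Network monitoring", "access": "monitors network", "critical": True},
]

# Step 2: what the third-party assessment program has graded so far (constructed).
ASSESSMENTS = {"ExampleRMM": "C", "PayrollSaaS": "A", "NetMonitorInc": "D"}

GRADE_RANK = {"A": 0, "B": 1, "C": 2, "D": 3, "F": 4}
UNASSESSED = "UNASSESSED"


def unassessed_vendors(inventory, assessments):
    """Step 2 gap check: inventoried vendors the assessment program never graded."""
    return sorted({row["vendor"] for row in inventory} - set(assessments))


def remediation_priority(inventory, assessments):
    """Step 3: order vendors for remediation.

    Unassessed vendors come first (an unknown is treated as worse than a known
    bad grade), then worst grade first, with critical-application vendors ahead
    of the rest. Returns (vendor, grade, critical) tuples, one per vendor.
    """
    by_vendor = {}
    for row in inventory:
        # A vendor serving several applications is critical if any of them is.
        by_vendor[row["vendor"]] = by_vendor.get(row["vendor"], False) or row["critical"]

    def sort_key(item):
        vendor, grade, critical = item
        assessed = 0 if grade == UNASSESSED else 1
        badness = GRADE_RANK.get(grade, -1)  # value is irrelevant for unassessed rows
        return (assessed, -badness, 0 if critical else 1, vendor)

    rows = [(v, assessments.get(v, UNASSESSED), crit) for v, crit in by_vendor.items()]
    return sorted(rows, key=sort_key)


if __name__ == "__main__":
    print("Unassessed:", unassessed_vendors(INVENTORY, ASSESSMENTS))
    for vendor, grade, critical in remediation_priority(INVENTORY, ASSESSMENTS):
        print(f"{vendor:16} grade={grade:10} critical={critical}")
```

Swapping in a real inventory export and the grades from whichever rating tool the program uses gives the two artefacts the article asks a CISO to be able to show: the list of vendors that fell below the radar and a ranked remediation plan.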

The Decipher Bureau effect - If you need help finding the right talent or workplace in the year ahead, contact our team of specialist cybersecurity recruiters at the Decipher Bureau here or via LinkedIn.