In the Reimagining Cyber podcast episode “So you’ve been hacked, now what?” with Shawn Tuma, Shawn advocates leveraging cyber liability insurance to help minimize the fallout from a hack or breach. However, while cyber insurance once primarily served as a safety net, it is safe to say that today’s cyber threat landscape has gotten very ugly, very rapidly and with a vengeance.
Previously, when the data breach was considered the top cyber concern, there were industry verticals (like manufacturing, distribution, warehousing, and transportation) that were considered lower risk because they held less personally identifiable information (PII). And that has been generally true relative to their peers in other industry verticals, like healthcare and financial services, which have experienced loads of very costly PII data breaches. This meant those PII-light verticals were eligible for significant discounts on their cyber insurance premiums. But that is no longer the case. The ransomware threat actors have proven indiscriminate in who they target because they know that businesses will pay out in order to avoid lengthy business disruptions.
As the cyber insurance market hardens, insurers are scrutinizing their portfolios and looking for clients whose security controls align with a higher standard. As you can imagine, insurers are asking clients for their strategies to ensure that backups are available in the event of a ransomware incident and for the approaches being used to monitor for threat actor activity. But another key area of focus is Identity and Access Management (IAM) controls.
Throughout the 2021 Verizon Data Breach Investigations Report (DBIR), we see the many variations and attack use cases for compromised credentials, and the high efficacy of each method. The DBIR found that credentials are the #1 data type stolen and that hacked credentials lead to 61% of all breaches.
Although it was not a requirement in previous cyber insurance renewals, cyber insurers are now demanding that firms have Multi-factor Authentication (MFA). While MFA is no silver bullet, it is a key defense against the threat of compromised passwords. Insurers view MFA as a best practice and are starting to ask more questions around MFA when placing or renewing cyber insurance. For example, one insurer’s questionnaire required that an organization answer yes to all of the following questions concerning MFA:
- Is multi-factor authentication required for all employees when accessing email through a website or cloud-based service?
- Is multi-factor authentication required for all remote access to the network provided to employees, contractors, and 3rd party service providers?
- In addition to remote access, is multi-factor authentication required for the following, including such access provided to 3rd party service providers:
  - All internal & remote admin access to directory services (Active Directory, LDAP, etc.)
  - All internal & remote admin access to network infrastructure components (switches, routers, firewalls)
  - All internal & remote admin access to the organization’s endpoints/servers
- Please describe any circumstance where MFA is not used and any mitigating controls in place
- If MFA is not in place, what is the timeline for full deployment of MFA on all applications?
- What percentage of applications are not using MFA?
- Are any of these applications critical?
As you can see, MFA is no longer a security control just for privileged user accounts; it is now a requirement for all endpoints, critical applications, and all user access. By requiring MFA, cyber insurers drastically cut their exposure. As a result, organizations that want to renew their cyber liability insurance are scrambling to close MFA gaps in their access controls.
Some other IAM-related questions that insurers are asking policyholders include:
- To what extent is Privileged Access Management (PAM) being utilized within the networks?
- Is a PAM tool utilized on all servers and workstations?
- How many privileged account users are there and how many have been integrated into the PAM tool?
  - Domain access? Server accounts? Persistent privileged accounts?
- Upon employee termination what is the process for decommissioning accounts?
- Do you have telemetry into the use of privileged access credentials?
- How many users are in the Domain Administrators group (total for all domains)?
- How many service accounts are in the Domain Administrators group?
- Specifically for any service accounts in DA:
  - Does it require domain admin entitlements?
  - What is its footprint? Is it logging into devices outside the DCs?
  - What logon types is it using?
  - What steps are you taking to mitigate any exposure the service account configuration creates which could result in credential harvesting?
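The last three service-account questions (footprint outside the DCs, logon types used, and resulting credential-harvesting exposure) can be answered from Windows Security event 4624 data. The audit helper below is an added example, not code from the original post or from CyberRes/NetIQ; the event records, hostnames and account names are constructed sample data, and the list of domain controllers is an assumption.

```python
# Added example (not from the original post): summarise, per service account,
# which hosts it logs on to, with which logon types, and where a credential
# could be harvested. Input is a list of (account, host, logon_type) tuples
# as would be extracted from event ID 4624; the data below is constructed.
from collections import defaultdict

# Windows logon type codes seen in event 4624.
LOGON_TYPE_NAMES = {2: "Interactive", 3: "Network", 4: "Batch",
                    5: "Service", 10: "RemoteInteractive"}

# These logon types leave reusable credential material (NT hash / Kerberos
# TGT) on the target host; a Network logon (type 3) does not cache it there.
CREDENTIAL_CACHING_TYPES = {2, 4, 5, 10}

DOMAIN_CONTROLLERS = {"DC01", "DC02"}  # assumed DC hostnames

# Constructed sample of 4624 records: (account, host, logon type)
SAMPLE_EVENTS = [
    ("svc_backup", "DC01", 3),
    ("svc_backup", "FILESRV01", 5),
    ("svc_backup", "WKS-042", 2),
    ("svc_sql", "SQL01", 5),
    ("svc_sql", "DC02", 3),
]


def audit_service_accounts(events, domain_controllers=DOMAIN_CONTROLLERS):
    """Return {account: {"hosts_outside_dc", "logon_types", "cred_exposure_hosts"}}.

    cred_exposure_hosts lists non-DC hosts where a credential-caching logon
    type was used, i.e. the machines on which this account's secret could be
    harvested and which should be reduced or protected first.
    """
    report = defaultdict(lambda: {"hosts_outside_dc": set(),
                                  "logon_types": set(),
                                  "cred_exposure_hosts": set()})
    for account, host, logon_type in events:
        entry = report[account]
        entry["logon_types"].add(LOGON_TYPE_NAMES.get(logon_type, str(logon_type)))
        if host not in domain_controllers:
            entry["hosts_outside_dc"].add(host)
            if logon_type in CREDENTIAL_CACHING_TYPES:
                entry["cred_exposure_hosts"].add(host)
    return dict(report)


if __name__ == "__main__":
    for account, r in audit_service_accounts(SAMPLE_EVENTS).items():
        print(account, sorted(r["logon_types"]), sorted(r["cred_exposure_hosts"]))
```

In a real environment the tuples would come from the 4624 events exported from the DCs and member servers; the same report also supports the earlier question of whether the account needs domain admin rights at all.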
At a recent Cybersecurity Summit that President Biden hosted at the White House, four major cyber insurance providers (Travelers, Coalition, Resilience Cyber Solutions and Vantage Group) pledged to do even more. For example, Resilience made the following commitment:
“Resilience, a cyber insurance provider, will require policyholders to meet a threshold of cybersecurity best practice as a condition of receiving coverage.
The insurance industry is uniquely positioned to have a mutual stake in the fight against ransomware. We want our companies to be stronger, more cyber resilient, when partnered with us. If our clients get hit, the insurance pays that loss. Our client’s cyber risk is our cyber risk.”
CyberRes is well positioned to assist policyholders with a broad range of critical security controls to help them meet insurers’ evolving requirements. With NetIQ, for example, we have one of the broadest IAM portfolios in the market. Specifically for MFA, NetIQ’s Advanced Authentication framework adds the strongest level of authentication customers require to meet regulatory, industry and client demands – as well as the requirements from cyber insurance providers.