By: Kurt Petro, Senior Forensic Examiner, bit-x-bit, LLC
High-profile cybersecurity incidents, such as the SolarWinds(1)(2), Colonial Pipeline(3), Microsoft Exchange Server(4) and Log4J(5)(6) attacks, have certainly captured recent headlines. These major events were far from the only wide-ranging cyber incidents to impact the global marketplace over the past few years. In fact, according to the Identity Theft Resource Center, “in 2021 there were more data compromises reported in the U.S. than in any year since the first state data breach notice law became effective in 2003.”(7)
The number of incidents is not the only critical metric to see substantial growth: the costs associated with responding to cyber incidents are ballooning as well. The average cost of a data breach in 2021 was $4.24 million, according to the IBM Cost of a Data Breach Report 2021(8), which represents a 10% increase from 2020. As incidents and their associated costs continue to rise, more organizations are looking to cybersecurity insurance to mitigate and/or cover the costs of an incident.
The insurance market, flooded with increased demand for cyber coverage and payouts for policy claims, is itself therefore subject to increased risk. To address these trends(9), insurers have begun requiring businesses to adhere to and maintain certain core information technology (IT) security best practices as a requisite to the insured receiving coverage as well as policy pay-outs for claims. These more stringent terms and conditions are being required of prospective policyholders looking to place coverage for the first time and current policyholders seeking policy renewal.
The good news for potential insureds or insureds seeking renewal is that carriers are for the most part not “reinventing the wheel” by creating unique or new IT security best practices for the organizations to adopt. Instead, carriers are using already-established standards, such as the CIS Critical Security Controls(10), NIST Cybersecurity Framework(11), Payment Card Industry Data Security Standard (PCI DSS)(12), Health Insurance Portability and Accountability Act (HIPAA)(13) requirements and other preexisting frameworks as guidelines when setting policy terms and conditions.
With this backdrop in mind, companies seeking to procure or renew cyber coverage would be well-served to take certain core steps in advance of approaching their brokers or carriers. Below is a list of core IT security standards that should be a part of every organization’s IT security posture, and that are also the requirements we most often see insurance companies impose during policy procurement and renewal.
Multi-Factor Authentication (MFA)
- Under MFA, system or asset access is governed by two sets of authentication, generally a password as well as a timed security code. The timed security code changes with each log-in and is sent directly to the custodian at time of access, typically via an app installed on a smartphone.
- Most assets and systems (computers, email, financial accounts, etc.) can be protected by enabling multi-factor authentication.
Software Updates & Security Patches
- Taking advantage of previously discovered vulnerabilities in operating systems and software applications is an easy attack vector for threat actors to gain access to your organization’s network and data.
- Having a documented process designed to continually patch and update operating systems and software applications will go a long way towards preventing threat actors from exploiting vulnerabilities that have already been addressed by the respective systems’ developers.
Endpoint Detection and Response (EDR)
- Traditional antivirus solutions alone are no longer sufficient to deal with the growing cyber threat landscape.
- EDR solutions provide endpoint monitoring and data collection, advanced threat detection, automatic containment, and analysis capabilities.
Backups
- Having routine backups of critical company data can keep your organization running in the event of a ransomware or other attack that affects the systems holding that data.
- Backups can also help inform your negotiation strategy if a threat actor claims to be holding your data hostage.
- Threat actors will target your backups, so careful planning must occur to ensure their integrity.
Employee Awareness Training
- Having cybersecurity front of mind should be a top priority for all organizations and should not be limited to just those in IT functions.
- Training that teaches the basics of cybersecurity and mimics real-world phishing and other malicious access attempts should be implemented.
- Security training should be iterative and adapted based on the employees’ grasp of core concepts. Gaining unauthorized system access is not a once-a-year topic for threat actors, and it shouldn’t be for your organization’s employees, either.
Data Mapping & Asset Inventory
- Knowing where your core information is located, how it is being stored, and who has access to it are critical pieces of information needed when developing an approach for how to protect your organization’s data against threat actors.
Plan! Plan! Plan!
- Develop preventative plans that cover how the organization uses technical, process, and educational controls as measures to reduce risk.
- Prepare an incident response (IR) plan that will guide the organization through the steps to take when a threat actor is suspected to have gained unauthorized access.
- Create disaster recovery (DR) and business continuity (BC) plans that will help your organization to keep all essential business functions operational if a natural or other disaster occurs.
- Utilize industry guidelines, such as the CIS Critical Security Controls or the NIST Cybersecurity Framework, to align your organization’s efforts to best practices.
- Perhaps most importantly: test your plans on a routine basis so everyone involved in the process is prepared when those plans eventually spring into action.
bit-x-bit offers cybersecurity expertise to help you with the measures outlined above. We have worked with various clients who are seeking or renewing cybersecurity insurance coverage, so don’t hesitate to reach out if you have any questions.
1. CIS. (2021, March 15). The SolarWinds Cyber-Attack: What You Need to Know. Center for Internet Security. https://www.cisecurity.org/solarwinds
2. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Mandiant. https://www.mandiant.com/resources/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor
3. Turton, W., and Mehrotra, K. (2021, June 4). Hackers Breached Colonial Pipeline Using Compromised Password. Bloomberg. https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password
4. Microsoft 365 Security. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Microsoft. https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
5. Uberti, D., Rundle, J., and Stupp, C. (2021, December 21). The Log4j Vulnerability: Millions of Attempts Made Per Hour to Exploit Software Flaw. The Wall Street Journal. https://www.wsj.com/articles/what-is-the-log4j-vulnerability-11639446180
6. CISA. (n.d.). Apache Log4j Vulnerability Guidance. Cybersecurity & Infrastructure Security Agency. https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
7. ITRC. (n.d.). 2021 Data Breach Annual Report. Identity Theft Resource Center. https://notified.idtheftcenter.org/s/2021-data-breach-report
8. IBM Security. (n.d.). Cost of a Data Breach Report 2021. IBM. https://www.ibm.com/security/data-breach
9. GAO. (2021, June 1). What is Cyber Insurance, and Why is It In High Demand? U.S. Government Accountability Office. https://www.gao.gov/blog/what-cyber-insurance,-and-why-it-high-demand
10. CIS Critical Security Controls. https://www.cisecurity.org/controls
11. NIST Cybersecurity Framework. https://www.nist.gov/cyberframework
12. Payment Card Industry Security Standards Council. https://www.pcisecuritystandards.org/
13. U.S. Department of Health & Human Services. https://www.hhs.gov/hipaa/index.html