Shopping for cyber insurance? Six questions to ask before calling the insurer

By Contributor
Wed 4 May 2022

Article by Yubico Asia Pacific and Japan vice president, Geoff Schomburgk.

The cyber threat landscape has always been worrisome, but today there are many more CISOs noticing new grey hairs in the mirror, given an anticipated uptick in cyber-attacks from nation-states and other bad actors.

Ransomware attacks and other forms of account compromise continue to grace the news every month, with malicious actors, state-sponsored or otherwise, potentially costing companies millions in downtime and lost opportunity. There are also serious reputational risks for vendors who might see customers flock to a competitor after a publicised attack.

These attacks have broken the old cyber insurance risk models because it’s become too easy for an attacker to steal credentials and work from the inside. They use relatively simple technology but can cause serious damage through days of downtime, even more than a classic breach or reputation damage. These developments have far-reaching implications across the entire insurance industry, from the insurers to the brokers, to the insured themselves.

Due to a heightened risk profile caused by recent events, cyber insurance premiums have skyrocketed, going up by 150-300 per cent in some cases. So, it’s no surprise that this increased-threat environment has inspired a quick uptick in cyber insurance interest as firms either consider signing up for the first time or seek to increase liability coverage. 

The cyber insurance industry is still developing in response to all the new threats coming from novel sources. However, the basic tenet of insurance still holds: Those companies at the highest risk will pay the highest premiums – or might not qualify at all. 

Asking the right questions

What can companies do as their “homework” before approaching cyber insurance providers? How do they put themselves in the best position to negotiate reasonable premiums on a policy that will pay out if the worst happens? It is worthwhile going through this checklist first before investing in a policy: 

1. What are the minimum security requirements of the insurer?

Most quotes for cyber insurance will come with a cyber risk vulnerability report. It will be billed as a report beneficial to assessing the risk, but of course, it’s in the insurer’s interest to find any glaring weak links in an organisation’s armour. While minimum requirements will vary, they will likely closely mirror what is included in the Australian Cyber Security Centre’s (ACSC) Essential Eight.

These are eight strategies to mitigate cyber security incidents, and implementing them effectively helps achieve a baseline cybersecurity posture. One of the eight strategies calls for the implementation of phishing-resistant multi-factor authentication (MFA).

You can be sure that simple password authentication isn’t going to be enough to meet cyber insurers’ minimum requirements because the risk is too high for them. So before asking for a cyber insurance quote, it makes sense for companies to grade themselves against the Essential Eight first. 

In the past, a signed attestation from the company’s CISO that minimum standards were in place was sufficient. However, for high-liability or high-risk policies, some insurance firms may now need proper due diligence to go any further.

2. How fast can organisations implement more robust authentication?

If cyber insurance is something an organisation needs immediately, it may not have the time to wait for a full cycle of security upgrades. It's worth asking what security practices, hardware-based authentication or increased employee training it can put in place today to make its security profile more attractive to cyber insurers.

3. Has the pandemic weakened a company’s security profile because more people log in from home? 

Before the pandemic, many companies' security efforts treated the office locations as the boundaries. But with so many employees now working either permanently remotely or in a hybrid manner, tightening the organisation's grip on security has become a lot more complicated.

There is more risk because there are many attack vectors, and cyber insurers are acutely aware of this. It is not enough to focus on firewalls, web proxies, and data protection – today, robust MFA for those logging in remotely must be part of the picture. 

Attackers aren’t breaking in, they’re logging in, and compromised credentials are at the root of 65 per cent of cybersecurity incidents, according to the Office of the Australian Information Commissioner’s (OAIC) Notifiable Data Breaches Report for July-December 2021. Raising the security bar for user authentication beyond passwords is imperative.  

4. Will a policy pay out when something bad happens?

This is a legal question and one that is still developing, but keeping up with court cases that lay down precedent on these issues is key. It's no secret that insurance companies stay in business by NOT paying out when they don't have to or by keeping their payouts low. Therefore, it is important to carefully document all downtime and losses from the first day of a breach or other incident.

Some good news is a recent ruling on a $1.4 billion attack from Russia on the global pharmaceutical company Merck. Even though the attack was pointed at Ukraine in 2017 (a grim reminder of the physical invasion to come), the court ruled that it was not an "act of war or terrorism". Therefore, a payout could not be excluded.

Insurance companies will try to limit their losses by breaking up covered items into categories. For example, losses due to downtime, hardware and systems replacement, ransomware payout and identity protection for affected customers may have been covered in a single bundle before, but today they are likely to be itemised. That makes policies more complex, requiring brokers to shop around for reinsurers to spread the risk. 

5. Have we done a full cybersecurity review recently? If not, how do we do it? 

Risk assessments should be carried out on a standard schedule and should cover both internal and external threats. They can start with a comprehensive review of user access, which identity access management (IAM) system an organisation uses, and what kind of anti-phishing user education it has employed or plans to employ. A review should look closely at privileged users, critical staff and admins, but it should not exclude other users. The safest end goal will be to at least start on a path toward strong MFA for all users.

Organisations should review their cybersecurity posture in line with the Essential Eight. They can bring this information into conversations with insurance brokers, which will put them in a stronger bargaining position when they negotiate cyber insurance premiums. 

6. Is the cyber policy specific about what is covered and what will be paid out? 

Boilerplate policies are never good because each firm will have specific threat vectors and, most likely, scenarios for how an attack would happen. Businesses taking out a cyber policy should make sure there are enough specific references to the organisation’s vulnerabilities and that they are satisfied with how third-party liability is considered.

In general, the more specific it is in terms of what falls under covered attacks, the better. Note: This is when having a proper legal advisor, preferably with cyber insurance experience, would help. What we say here shouldn’t be taken as legal advice to follow. 

These six questions are only a starting point for cyber insurance research, but they are a good foundation for considering how to get the best deal on premiums and the most comprehensive protection for the years ahead.
