2022 saw massive geopolitical developments which have led to some significant changes within the cyber insurance market. These include:
The notion of 'insuring away cyber risk' is now (and arguably always was) somewhat unrealistic. With both premiums and insurers' prerequisites and policy exclusions increasing, the actual scope of what is covered is also rapidly narrowing.
The insurers are acting rationally. The costs of data breaches continue to rise and insurers cannot take on additional risk without increasing premiums. They are also heightening their due diligence of potential clients’ security practices. An organization with poor security controls presents greater risk than one with a mature security program.
Organizations looking to maintain their coverage while minimizing premiums need to provide evidence that they are taking appropriate steps to protect the assets targeted by attackers: data that can be used for identity theft, financial gain, or competitive advantage.
Some of this is operational security. A misconfigured cloud storage bucket can expose sensitive data to anyone looking for it (this even happens at mature organizations like Microsoft). From an insurer’s point of view, however, the focus will be on what you are doing to mitigate threats and protect your data.
The Verizon Data Breach Incident report found that human error is still the leading cause of data loss. The Covid-forced Work From Anywhere movement has likely exacerbated this as users work outside the protective umbrella of the corporate network and use non-sanctioned applications and devices.
Mitigating these threats requires training and controls to address data loss through accidental or malicious actions.
Reveal provides a full picture of where data is flowing inside your organization, including unsanctioned applications and other “shadow IT”. It discovers and alerts on behavior that puts sensitive data at risk.
Reveal educates users on high-risk behavior. When users take actions that could put data at risk, pop-ups reinforce corporate security policies and teach employees to make the right decisions.
Reveal identifies and classifies data instantly, every time a user accesses a file. AI and machine learning on the endpoint allow Reveal to learn what is considered “normal” for each employee and to raise alerts only when abnormalities are encountered.
Lightweight endpoint agents see everything, on and off the corporate network. Instant classification and behavior analytics consider content, context, and communications to protect data from accidental or intentional exposure. Reveal supports content inspection and controls to see and block content in email applications, browsers, web applications, removable devices, messaging apps, and printers.
Insurers and compliance audits require evidence of controls. Reveal maintains an evidentiary-quality audit trail of all activity on and off the corporate network. In fact, Reveal was integral in Next DLP’s ISO 27001 certification.
The cyber insurance market and models will continue to evolve. Treating security as a “tick box” will not provide acceptable controls in an increasingly stringent market. Smart organizations can mitigate risk, minimize premiums, and maximize cyber insurance coverage by proactively addressing the security of sensitive information.