Four ways to lower your cyber insurance premiums

New Zealand Security Magazine - October 2023

Cyber insurance
Implementing the right tools and strategies can lead to lower cyber insurance premiums.

Four cybersecurity strategies can help lower an organisation’s cyber risk profile and therefore lower their cyber insurance premiums, writes Geoff Schomburgk, VP for Asia Pacific & Japan at Yubico.


Cyberattacks are growing in frequency and so are the costs associated with them. According to the 2022 Cost of a data breach report by IBM and the Ponemon Institute, an alarming 83 percent of organisations experienced more than one data breach in 2022 and the average cost is now NZD 7.14 million. As a result, many organisations want cybersecurity insurance, but the escalating cost and regularity of cyberattacks have led to insurers inflating their premiums.

According to Veeam’s 2023 Ransomware Trends Report, cyber insurance is becoming very expensive and there is a concern that common threats like ransomware are increasingly being excluded. 74 percent of organisations with cyber insurance said they have had their premiums increased and 21 percent stated that ransomware is now excluded.

Cyber insurance covers financial loss and expenses businesses may suffer due to a cyberattack. However, as cyber insurers better attempt to quantify and control for loss, the security postures of organisations applying are often inspected. Those who rely solely on traditional passwords and some legacy multi-factor authentication (MFA) tools can be ineligible for cyber insurance.

Here are four recommended cyber security strategies organisations should implement to help lower their cyber risk profile and therefore lower their cyber insurance premiums.

1. Adopt the Essential Eight

The eight mitigation strategies set out in the Essential Eight are designed to minimise the potential impact of cybersecurity incidents and to improve cybersecurity maturity. It assists security leaders with self-assessing the maturity of their organisation’s security infrastructure using a Maturity Model with three maturity levels for each of the eight mitigation strategies.

No single mitigation strategy is guaranteed to prevent all cybersecurity incidents, so organisations of all sizes are recommended to implement the eight essential mitigation strategies as a baseline. Unfortunately, complacency is their enemy, because organisations will adopt one mitigation strategy and stop there without pursuing the other strategies.

2. Implement modern, phishing-resistant MFA

MFA is now a mandatory security requirement for most cyber insurance providers. This security control was mandated because 81% of breaches are caused by stolen or weak passwords, proving that static credentials are no longer secure. Since most cybercriminals depend on stolen user credentials to access a private network, modern phishing-resistant MFA tools like security keys prevent these attempts to compromise an organisation’s network.

Security Keys leverage FIDO2 (WebAuthn) to facilitate strong MFA that is phishing resistant by design. FIDO2 protects against the most common MFA theft schemes, like push bombing, fake login portals and social engineering. By leveraging security keys with FIDO2 authentication, enterprises can roll out easy-to-use, strong phishing-resistant MFA.

Phishing resistant or password-less MFA uses a more secure method to verify authorised connection requests without requiring a password, either using biometrics like fingerprints, or decentralised PINs, which are not shared secrets; therefore, they provide a more secure alternative for login when the Internet is unavailable.  

However, when choosing an MFA solution, they are not all created equal and there are legacy MFA methods that are not phishing resistant. These include receiving a one-time passcode (OTP) via text message or email or using mobile-based authenticators; both are highly susceptible to phishing attacks and account takeovers.

They do not offer phishing-resistant MFA-like hardware-based authentication methods like FIDO2-backed security keys. In fact, phishing resistant MFA is required as part of the maturity level three, the highest level of maturity in the Essential Eight Maturity Models.

Contact centre specialist Afni has reduced cyber insurance premiums by 30 per cent by adopting security keys. Moreover, the fact that the company is seen to be taking its security seriously and being transparent about its security practices has helped establish Afni as a trustworthy supply chain partner.

3. Implement a zero trust architecture

Having a Zero Trust architecture demonstrates a proactive defence mindset. With Zero Trust, a user’s identity and permission settings are continuously verified even after network access is granted, especially when they attempt to access highly sensitive assets.

According to IBM’s report, organisations that do not employ a Zero Trust approach to security typically pay an average of NZD 1.64 million more in breach costs than those that do.

For organisations with a remote workforce (and many organisations are nowadays), cyber insurers will look for evidence of endpoint protection. This is best implemented through a Zero Trust strategy, which will present cyber insurance applications favourably.

4. Deliver cybersecurity awareness training

Employees fall victim to cybercriminal deception because they don’t know how to recognise a cyberattack or are too scared to admit they may have shared something they should not have. Cybersecurity awareness training, coupled with a regular simulated phishing attack schedule, will keep staff vigilant to common cyber threats.

Humans will always be the weakest link in every cybersecurity strategy. The value of a costly cybersecurity investment is instantly invalidated if an employee can be tricked into handing over their credentials. Cyber insurers understand how susceptible staff are to getting swindled by cyberattackers, so they’ll be delighted to find evidence of a cybersecurity awareness training policy.

The best way to reinforce the cyber awareness training employees receive is to reward their success instead of punishing employees when they make a mistake. Organisations must explore their lived culture, purpose and values and how they impact their employees’ engagement with cyber risk.

As cyberattacks continue to rise in frequency and cost, organisations must take proactive steps to mitigate their cyber risk, which will help to lower their cyber insurance premiums. Implementing modern, phishing-resistant MFA is one of the most uncomplicated and effective controls an organisation can implement to reduce the reliance on the user’s vigilance and prevent cybercriminals from gaining unauthorised access. Organisations that implement the right tools and strategies will not only significantly reduce their cyber risk but can also lower their cyber insurance premiums.

Babcock
RiskNZ