Building Cyber Resilience Beyond Insurance

As VP of Engineering at Elpha Secure, Ratnesh Pandey drives cyber strategies & security portfolios that protect SMEs against cyber threats.
This article builds upon my previous one, where I discussed the three top challenges in the cyber insurance industry. Here, I share insights about solving these challenges through the use of adaptive frameworks for building better cyber resilience.
The cyber insurance industry should prioritize the adoption of structured cybersecurity frameworks to assess risk profiles and enable organizations to follow adequate security measures and cyber resilience. The frameworks should emphasize a combination of controls that not only reduce threat exposures and improve resilience but also provide insurers with a standardized methodology for evaluating policyholders. This framework can then be used in defining and managing “cyber catastrophic risk” based on 360-degree visibility around an organization’s risk profile.
Adoption Of Structured Cybersecurity Frameworks To Manage Risk
The key criterion for successfully adopting a framework is that it be flexible enough to suit different organizations’ needs and risk profiles and to counter evolving threats. Recommendations from the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) highlight the importance of proactive and layered security strategies tailored to an organization’s unique risk profile.
CISA’s Cybersecurity Performance Goals (CPGs) focus on essential, prioritized measures that organizations can adopt to strengthen their defenses. These goals point toward practical steps like securing backups, implementing multifactor authentication (MFA) and continuous vulnerability management. This includes effectively determining exposure to common vulnerabilities and exposures (CVEs) present on systems, as well as environmental and configuration risks, both on the systems themselves and in equipment used in the course of business, such as VPNs and firewalls.
NIST’s Cybersecurity Framework (CSF) complements these efforts by providing a scalable and adaptable framework for managing risks. It emphasizes the importance of advanced technologies like endpoint detection and response (EDR) for securing decentralized work environments, especially considering increased cloud adoption. NIST also recommends the use of zero-trust architecture and identity-based access control as primary approaches to mitigating risks in multicloud and complex systems.
The Need For Inside-Out And Outside-In Controls
So far, the cyber insurance industry has been heavily focused on outside-in controls like external scanning of cloud assets or dark web monitoring to find evidence of breaches. However, this approach isn’t sustainable, because external scanning and monitoring give only limited visibility into an organization’s cyber hygiene. A successful cyber insurance strategy should blend inside-out controls, which focus on an organization’s internal cybersecurity practices, with outside-in controls, which look at external vulnerabilities in much the same way threat actors scan for potentially exploitable organizations. This combination of approaches enables a more holistic view of risk.
Inside-Out Controls
• Endpoint Detection And Response (EDR) And Incident Response Planning: A well-defined incident response plan with EDR helps ensure a structured approach to contain and recover from attacks.
• Privileged Access Management (PAM) And Multifactor Authentication (MFA): Limiting access to sensitive data and implementing additional layers of verification can significantly reduce the risk of breaches due to weak or stolen credentials.
• Nonhuman Identities: With the adoption of cloud services, applications and service identities play a crucial role in interacting securely. If not managed and tracked properly, they become an easy target for breaches.
• Backup Integrity: Regularly tested, secured and encrypted backups are crucial to help ensure business continuity even in the event of an attack.
• Securing Email: Email is one of the most common entry points for hackers. Claims related to business email compromises (BEC) cover the largest portion of overall claims, according to the Federal Bureau of Investigation (FBI) IC3. BEC claims resulted in $2.9 billion of adjusted losses in 2023.
• Vulnerability Management: Regularly scan systems and applications to identify, prioritize and address vulnerabilities. Timely patching and remediation reduce the risk of exploits targeting known weaknesses, ensuring a more secure environment. I would include the large number of “noisy” vulnerabilities rather than only the remarkably few meaningful ones, especially for small and medium enterprises (SMEs).
Outside-In Controls
• External Scan And Threat Intelligence: Analyzing the external threat landscape through threat intelligence allows organizations to take proactive defense measures against emerging vulnerabilities, such as cloud services exposure, the presence of botnets, loose configurations, weak passwords used in cloud services and data breach evidence. The Palo Alto Networks PAN-OS vulnerability CVE-2024-0012 is one example where an outside-in control applies: finding and fixing critical CVEs first could reduce risk exposure and losses.
• Supply Chain Security: With the rise in supply chain attacks targeting third-party vendors to access the organizations’ data and controls, it’s crucial to evaluate supply chain security practices.
• Industry Benchmarks And Frameworks: Structured benchmarks offer insurers a way to assess clients based on standardized controls and methodologies to help organizations meet minimum cybersecurity standards and enhance insurability.
Empowering SMEs With MSPs
The cyber insurance industry recognizes that SMEs often lack the resources and in-house expertise to meet stringent cybersecurity requirements. Managed service providers (MSPs) can play a role in bridging the gap for these organizations. By partnering with MSPs, SMEs can implement essential security controls like EDR, incident response capabilities and privileged access management without the need for large internal teams.
Conclusion
There’s no silver bullet to fix all cyber insurance challenges, but the industry can certainly raise the bar to mitigate cyber risk while building resilience. These structured frameworks provide detailed guidance on the adequate use of security controls and on managing supply chain risks. They encourage policies to continuously monitor and automate responses to reduce attacker dwell time and mitigate the impact of cyber incidents.
Both inside-out and outside-in controls are needed to provide the foundation for a structured insurance framework to reduce overall claims and support more accurate risk profiles. Also, cyber insurance companies could actively encourage and incent SMEs to work with trusted MSPs, as this reduces risk for both the insured and insurer.
Following these best practices can help organizations improve their defenses while ensuring a more consistent and transparent approach to procuring cyber insurance.