Cyber Insurance Case Studies: A Tale of Two Customers
Shep Parke
Delinea customers are talking a lot about cyber insurance. Where to get it, what’s covered, and how to optimize their rates. We’ve been working with partners throughout the cyber insurance ecosystem to make sure our customers are well prepared to procure the right policy for them.
Among Delinea customers, two recent stories stand out.
Case Study 1. Rapidly growing consumer retailer
Risk manager Sara is part of the Governance, Risk, and Compliance (GRC) team for a national retailer. With ransomware on the rise, Sara knew it was time to re-evaluate her company’s insurance coverage to address the possibility of cyberattack.
She contacted her company’s insurance provider and received a list of dozens of questions about security controls and strategies. She went to her Chief Information Security Officer (CISO), whom she had never met, to fill in the answers.
According to David Shluger, Cyber Risk Engineering Lead at Zurich North America, it’s common that GRC pros, often the people responsible for procuring insurance, don’t have the technical detail at hand. For that reason, his team often helps bridge the gap between GRC and the IT teams responsible for security strategies. As he explains, “we identify a control gap and provide actionable advice to close it.”
Unlike regulatory compliance, there is no “one-size-fits-all” security framework required by insurance companies. That’s why David’s team at Zurich doesn’t use a checklist-based approach to evaluating risk. “Each customer has a different threat landscape and may not need identical protection,” David notes. “You may have alternative or compensating controls to solve the same issue.”
If David and his team identify significant control gaps, they will collaborate with the Underwriter to determine the level of residual risk, and whether it is a good fit. “Our appetite for risk isn’t a secret,” he explains. “We’re looking for the best quality risk and the price of insurance reflects that risk.”
As organizations begin to scale, particularly digitally, security risk increases. “What would have been ok three or five years ago isn’t ok today because now you have more to lose,” says David. “Those companies that have been diligent about protecting their environment by investing in cyber resilience are generally treated more favorably by the insurance market. Those that have neglected security investments may get smacked down.”
For example, when organizations expand their business functions, again particularly digitally, they may choose not to hire additional IT staff, or may be unable to. The same number of people are then stretched to manage a broader, more diverse range of IT operations and security, and they may not be able to perform at the same level. That drives the need for more automation of policy-based access controls.
Companies that are merging or acquiring increase their risk as well. “The technical integration process opens the door to risk and must be carefully managed,” David says.
In Sara’s case, one of the drivers increasing the retailer’s risk profile was their expansive use of third parties for manufacturing, distribution, marketing, and IT operations support. “Rapidly growing organizations tend to work with more vendors, partners, and contractors as they expand into new markets and focus on their core business,” David explains.
Sam, the IT Administrator at Sara’s company, had been thinking for some time about making an investment in enterprise Privileged Access Management. The discussion with Sara cemented the plan and helped secure budget.
Sam was concerned that all the responsibility for securing privileged accounts rested on just a few people. Having only one or two people hold the keys to critical resources was too much concentrated risk. PAM removes that burden from individuals and provides a policy-driven system that controls and records privileged access.
The retailer worked with the team at Delinea to meet their PAM requirements and ultimately selected Delinea Secret Server. With Secret Server in place, Sara was able to procure the appropriate insurance policy.
Case Study 2. Equipment leasing company moving to the cloud
Bob, the risk manager for a growing equipment leasing company, was surprised to find that the cost of cyber insurance was three times what he had paid just a few years before. Reading the fine print of the 100-page cyber insurance policy document, he realized that in addition to the price problem, fewer risks were covered. The gap that concerned him most: coverage for ransomware attacks was limited.
According to Daniel Gabriel, Principal at RSM Risk Advisors, “It’s very common for a policy to cover only up to a certain amount for ransomware. Or, they may cover if that ransomware was ‘user-caused,’ meaning, launched by clicking on a link, but not if there are no technical controls in place to prevent it.”
In Bob’s case, the biggest risk driver was the leasing company’s recent transition from on-premises infrastructure to the cloud. They stored sensitive financial information, including personally identifiable information, on 25 cloud-based servers.
In addition to helping with IT implementation and managed services, RSM provided the leasing company with tactical advice on mitigating cyber risk and evaluating insurance options. As Daniel explains, “Primarily, we make sure four things are in place: Privileged Access Management, Multi-Factor Authentication, controlled access to accounts, and monitoring.”
Without a security solution addressing those four requirements, the leasing company was exposed to a privileged account attack: an attacker who compromised one system could use its privileged credentials to move laterally throughout the entire IT environment.
The leasing company selected Delinea Cloud Suite as a security solution tailor-made to protect the company’s privileged accounts in the cloud.
Ultimately, Bob procured an insurance policy that also included credit monitoring and support for incident response. He feels confident that if the leasing company is the victim of a cyberattack, the insurance provider will give rapid access to the IT providers it has on retainer to help them recover.
Don’t wait to become cyber resilient
The time to talk about implementing PAM isn’t when you need to get it right away to qualify for cyber insurance. Start evaluating PAM well before your next renewal so you have the security controls and strategies in place before you receive the insurance company’s questionnaire. You’ll be more likely to procure insurance at a rate that reflects your risk and provides the coverage you require.
Our Cyber Insurance Readiness Checklist can help guide you through the top questions most insurance companies ask when you apply.