The zero-trust framework has made a particularly strong entry in most insurers’ good books in recent years. An increasingly hostile digital environment has prompted insurers to place the onus of ensuring excellent cyber hygiene on their insureds, with many now including the zero-trust methodology in the minimum requirements that they demand as part of the policy application process.
Zero Trust in a Hardening Market
It is no secret that the volatility of today’s cyber threat landscape has presented unique challenges to cyber insurance underwriters. A lack of actuarial data coupled with the rising level of sophistication in cyber-attacks have made it increasingly difficult to accurately calculate cyber risk, develop stable pricing structures and remain profitable. As a result, premiums are going up, and policy limits are going down.
Moreover, the eruption of ransomware, its evolution into Ransomware-as-a-Service (RaaS), and the widespread impact of supply chain attacks have proven very expensive for insurers as malicious actors are able to cast the net far wider and cash in through one, sweeping attack and causing more devastating disruption to businesses. Increased regulation and stricter compliance requirements have also threatened insurers with greater fines to pay in the event of a cyber-attack or data breach.
With many businesses still lacking cyber awareness, insurers have quickly cottoned on to cherry-picking their insureds by scrutinizing their security controls meticulously and setting minimum cyber hygiene standards that those wanting a policy will be required to meet. Far from the simple box-ticking exercise that brokering and underwriting used to entail, the in-depth analysis demanded by cyber insurers today means that it is not uncommon for insurers to require proof of, for example, proactive activity monitoring, ongoing security training, and regular patch testing, in a process that now commonly lasts between 4 and 6 months.
Those wanting to secure a cyber liability policy will have to prove that they have taken their cyber security seriously – and this is where zero-trust comes into play.
What is Zero Trust?
This security framework is entrenched in the principle of “never trust, always verify”. As the name suggests, it operates on the basis that no activity of an organizational network is immune from thorough, ongoing security checks and prioritizes access rights and restrictions.
The approach has garnered increased popularity in recent times because it is particularly suited to modern digital working environments and to securing remote, cloud-based networks: it leverages strong authentication methods, network segmentation, “least privilege” policies, and layered threat prevention techniques to stop threat actors from moving laterally across a network with ease and speed.
Zero Trust in Four Fundamental Steps
Insurance professionals want to see CISOs and other IT professionals focusing on certain key steps when implementing a zero-trust framework. The basic principle of zero trust is that no one, no matter whether they are an internal or external user, can be trusted with unrestricted, unmonitored access to a network.
Let’s unpack the framework.
1. Inventory
This involves creating a full inventory of all users, applications, devices, and other services as well as the specific data and assets to which they have access. From this, security professionals will be able to evaluate their network’s attack surface and risk profile in a disciplined manner and piece together a comprehensive “least privileges” policy. Under this type of policy, users of a network are given the minimum authority possible to access or make changes to a system, in strict accordance with their roles and responsibilities.
Taking a full architecture inventory also enables security teams to create a unique, traceable identity for each user on the network. These identities in turn enable trusted users to be reliably authenticated. Insurance professionals should look into their insureds’ identification methods.
Remember that the zero-trust model assumes that malicious actors may sit both inside and outside a network, so neither side can be trusted: every user or device must be properly authenticated before its request to access the network is authorized, and the resulting connection must be encrypted.
2. Micro-Segmentation
This is where a network is divided into zones, each of which has its own access controls. An inventory may help to identify these zones more easily. For example, security teams can layer security measures such as firewalls and remote access VPNs to provide more reliable protection. Micro-segmentation therefore taps into the zero-trust “trust no one” principle by restricting access even for users sitting inside a network. By isolating parts of the network from each other, a breach is confined to the micro-segment that a malicious actor has successfully infiltrated, which mitigates the risk of the attacker moving laterally inside the network.
3. Multi-Factor Authentication (MFA)
Cyberattacks have reached such a level of sophistication that, no matter how secure or convoluted your password may be, it will nearly always be relatively easy to crack. MFA has therefore become an increasingly popular method for confirming user identity and might be one of the measures implemented on micro-segments within a network. It uses at least two forms of credentials to authorize access, such as a password in combination with security questions, SMS, email confirmation, or fingerprint identification. This minimizes the attack surface because attackers are less likely to be able to use compromised credentials to access a network, and it makes sure that users who access a zero-trust network have the correct authority.
4. Continuous, Real-Time Monitoring
Insurers have realized that it is not a case of “if” a cyber attack will occur, but “when”. Even more brow-raising, many insurers now consider that there are two types of businesses: those that have been hacked, and those who have not yet realized that they have been hacked. Therefore, while they will look for a zero-trust model which will prevent attacks from happening, they will also pay keen attention to the lengths their insureds go to detect a breach at its earliest instance. Time is of the essence in a cyber event: the longer a breach remains undetected, the more damage a malicious actor is able to carry out.
Endpoint Detection and Response (EDR) is a commonly adopted program for these purposes.
Continuous monitoring and detection systems are implemented across a network to help minimize the spread and duration of an attack. The techniques are commonly termed Identity and Access Management and Privileged Access Management (IAM and PAM). They involve examining what is being requested, what processes are performed, and what data is accessed by a network user or application. If the activities detected do not match a business’s pre-defined security policies, this can trigger an appropriate response by way of investigation and remediation.
These fundamental steps evoke the zero-trust approach because they ensure that every identity which attempts to access a network and every action taken on it is detected, examined, monitored, and contained on a repeated basis.
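To make the four steps concrete, here is a small policy check added for this article (it is not part of the original post or any insurer's tooling); the inventory, zones and request log are constructed sample data, and the function names are this example's own.

```python
# Added example: a minimal zero-trust access check covering the four steps.
# All identities, zones and requests below are constructed sample data.

# 1. Inventory: every identity with its role and managed device, plus a
#    least-privilege map from role to the only zones that role may reach.
INVENTORY = {
    "alice": {"role": "finance", "device": "lt-0142", "managed": True},
    "bob": {"role": "helpdesk", "device": "lt-0377", "managed": True},
    "svc-backup": {"role": "service", "device": "srv-09", "managed": True},
}
LEAST_PRIVILEGE = {"finance": {"erp"}, "helpdesk": {"ticketing"}, "service": {"backup-vault"}}
# 2. Micro-segmentation: each zone carries its own access controls.
ZONES = {
    "erp": {"mfa_required": True, "allowed_actions": {"read", "write"}},
    "ticketing": {"mfa_required": True, "allowed_actions": {"read", "write"}},
    "backup-vault": {"mfa_required": False, "allowed_actions": {"write"}},
}

def evaluate(req: dict) -> tuple[str, str]:
    """Decide one access request; nothing is trusted until every check passes."""
    ident = INVENTORY.get(req["user"])
    zone = ZONES.get(req["zone"])
    checks = [  # evaluated in order; the first failure is the denial reason
        (ident is not None, "unknown identity"),
        (ident and req["device"] == ident["device"] and ident["managed"], "device not in inventory"),
        (zone is not None, "unknown zone"),
        (ident and req["zone"] in LEAST_PRIVILEGE[ident["role"]], "outside least-privilege scope"),
        (zone and (req.get("mfa") or not zone["mfa_required"]), "mfa required"),  # 3. MFA
        (zone and req["action"] in zone["allowed_actions"], "action not permitted in zone"),
    ]
    for ok, reason in checks:
        if not ok:
            return "deny", reason
    return "allow", "ok"

# 4. Continuous monitoring: every request in the log is re-checked against the
#    policy, and each denial is surfaced with its reason for investigation.
def triage(requests: list[dict]) -> list[dict]:
    """Flag every request the policy denies, with its reason, for investigation."""
    return [{**r, "reason": reason} for r in requests
            for decision, reason in [evaluate(r)] if decision == "deny"]

SAMPLE_REQUESTS = [  # constructed sample log entries, not real traffic
    {"user": "alice", "device": "lt-0142", "zone": "erp", "action": "read", "mfa": True},
    {"user": "alice", "device": "lt-0142", "zone": "backup-vault", "action": "write", "mfa": True},
    {"user": "bob", "device": "lt-0377", "zone": "ticketing", "action": "write", "mfa": False},
    {"user": "svc-backup", "device": "srv-09", "zone": "backup-vault", "action": "write"},
    {"user": "mallory", "device": "lt-9999", "zone": "erp", "action": "read", "mfa": True},
]
FINDINGS = triage(SAMPLE_REQUESTS)  # the monitoring pass over the sample log
```

Of the five sample requests only the two that pass every check are allowed; the other three land in FINDINGS with the specific control they failed.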
Business disruption is an ever-growing concern and the second-highest business risk of 2022, with cyber risk ranking first. In an age of increasing digital adoption, businesses must reassess whether their current security practices fit modern working environments. In order to reduce the disruptive impact that a cyber event can have, insureds will need strong preventative measures and contingency plans in place ahead of time. A zero-trust network can help to achieve that by enabling high-risk users to work remotely with trusted, strongly authenticated access to business networks, and by closely monitoring the activities of those who do. The improved cyber resilience that comes with a zero-trust approach makes it easier for risk to be calculated and premiums to be set in a way that will future-proof the business of both insurers and their insureds.
Do you want to learn more about cyber insurance? We offer a range of courses which provide a comprehensive overview of this fast-paced sector.