Announcing Ordr 8.2 - The Most Comprehensive Single Source of Truth for Connected Devices Read more here!

Ordr

Request a Demo Search

Author: Danelle Au

There has been a lot of confusion about the future of cyber insurance following recent statements by market makers Lloyd’s of London and Zurich Insurance Group. In late 2022, Lloyd’s informed underwriters in its syndicate that they would be required to explicitly exclude coverage for damages related to state sponsored cyberattacks. More recently Zurich CEO Mario Greco told the Financial Times, “What will become uninsurable is going to be cyber,” adding that if a threat actor “takes control of vital parts of our infrastructure” the results may be uninsurable.

Those statements, coupled with well publicized policy price increases for 2023 that are as much as three times higher than what many customers paid the year before, have fueled concerns that cyber insurance coverage may be unavailable in the near future and that many underwriters may simply get out of the business. In many ways what we are seeing is the maturation of what remains a relatively new market trying to find its footing in a dynamic threat and risk landscape. Because of that, questions and confusion are rampant, and rational answers from seasoned experts are needed. That is why Ordr recently convened the Cybertrends and the Impact on Cyberinsurance webinar with Marc Schein, national co-chair, cybersecurity center of excellence, Marsh McLennan Agency, and Jim Brady, vice president cybersecurity and risk management, and CISO at Fairview Health. If you missed the webinar, you can check out the recording here.

A Little History

For context, the first cyber insurance policy was written in 1997 by AIG and, according to The Insurance Journal, “Covered only third party suits arising from breaches originating from outside the company.” Optimism for the insurance industry’s first new product category in decades was high, but as underwriters began entering the market in the early 2000s, the challenges associated with an increasingly difficult threat landscape became evident. The number of threat actors, including lone wolf hackers, criminal syndicates, and state-sponsored adversaries, was growing quickly, and the tools available to them were becoming more effective. As new threats emerged, the insurance industry struggled to keep current.

Fast-forward to 2020 and, with the outbreak of Covid-19, things got bad. In the chaos of a global pandemic threat actors took advantage and began focusing on the use of ransomware. Few organizations were prepared for the attacks, and the insurance industry’s risk calculations were turned upside down. Schein said many “underwriters were paying out more in claims than they were collecting in premiums because they were unprepared for the rise in ransomware.”

Ransomware Disruption

According to Marsh, there were 4,000 ransomware attacks per day in the U.S., and the cost to the insurance industry was $20 billion in 2021. Then, in 2022 with the outbreak of hostilities between Russia and Ukraine there was another sudden shift in the industry’s risk calculus. The potential for acts of cyberwar targeting critical infrastructure and industry, coupled with continued escalating risks for industries like healthcare, forced the insurance industry to make numerous adjustments to its risk assessments, culminating in steep premium increases along with policies and exclusions written with greater specificity.

In hindsight these changes shouldn’t come as a surprise. If anything, organizations that used cyber insurance as a major part of their risk management strategy had been getting a great deal. But as the industry has become more educated on the risks, that experience is now forcing organizations to (finally) take their own cybersecurity programs more seriously. No more cutting corners. Instead, to qualify for coverage, savvy insurers are demanding that organizations be able to demonstrate that they have complete visibility and understanding of their IT estates, and have implemented controls sufficient to protect their assets.

Gain Control

As an early player in cyber insurance, brokerage, risk management, and reinsurance services firm, Marsh McLennan has been a leader in its industry with a deep understanding of what it takes for customers to protect themselves from cyberthreats. The firm offers a list of twelve security controls it requires of its customers that Schein shared during the webinar–along with the caveat that a failure to demonstrate use of the first five is likely to disqualify the organization for coverage. Those twelve controls are:

  1. Multifactor authentication (MFA) for remote access and admin/privileged controls
  2. Endpoint detection and response (EDR)
  3. Secured, encrypted, and tested backups
  4. Privileged access management (PAM)
  5. Email filtering and web security
  6. Patch management and vulnerability management
  7. Cyber incident response planning and testing
  8. Cybersecurity awareness training and phishing testing
  9. Hardening techniques, including remote desktop protocol (RDP) mitigation
  10. Logging and monitoring/network protections
  11. End-of-life systems replaced or protected
  12. Vendor/digital supply chain risk management

The Marsh checklist signals a growing savvy within the industry that knows more information means more accurate risk assessments. As Robert Parisi, North American head of cyber solutions for Munich Re recently told the Wall Street Journal, “The underwriting is aggressively moving toward, ‘How can we get a deeper, more insightful look.’”

What’s missing on this checklist? In the webinar, we raised the question of why asset visibility, security, and segmentation were not included in the list of controls. In fact, the broad “endpoint detection and response”, “patch management and vulnerability management,” and “end-of-life systems replaced or protected” all require visibility into assets and the risks they bring.

Deeper Insight

That requirement for deeper insights into the customer’s risk posture can translate to an advantage for some organizations when shopping for a cyber insurance policy. The ability to provide proof of asset visibility across their entire enterprise can mean a stronger position when shopping for a policy and negotiating with potential underwriters. Brady discussed the advantages Fairview has enjoyed by “coming to the table ready to roll” with necessary controls fully documented. This includes proof the organization has gone beyond an insurer’s requirements by implementing complete asset inventory management and network segmentation to ensure the organization’s ability to quickly detect and effectively mitigate risks.

“How can you even detect something bad going on [with a device] if you don’t even know you have it?” — Jim Brady, Fairview Health

 

“How can you even detect something bad going on [with a device] if you don’t even know you have it?” Brady asked, highlighting the strategic advantage of having complete device visibility across the entire network.

Good News

Schein agreed, and delivered surprisingly good news when he said, “If you are engaging better controls and you do improve your security posture, the marketplace is getting significantly better.” He then shared that, even as sharp premium increases grab headlines, 14% of Marsh’s customers enjoyed a price decrease by aggressively improving their overall security posture.

“If you are engaging better controls and you do improve your security posture, the marketplace is getting significantly better.” — Marc Schein, Marsh McLennan Agency

 

Clearly, security leaders that have invested in maturing their cybersecurity program with asset management, and excellent controls at the core are reaping the benefits by not only hardening their enterprises against attacks, but by reducing their overall risk profile. Many security leaders recognize that Ordr can play a key role in that equation by giving its customers the ability to see across the entire enterprise to continuously discover and classify an organization’s complete connected device inventory. What’s more, the Ordr Data Lake ensures deep insight into every device’s risk profile with a real-time understanding of communications and operational behavior that could signal an indicator of compromise. Those insights can trigger dynamically created security policies that can be quickly enforced to prevent or contain an attack, and also give insurers confidence that they are working with a customer that takes the concept of Zero Trust seriously and employs strong risk reduction practices.

Click through to view the Cybertrends and the Impact on Cyberinsurance webinar. And for a deeper dive into how to use Ordr as a tool to better secure your organization and prepare for negotiating your best deal for cyber insurance, watch Master Class: How Ordr Bolsters your Cyberinsurance Eligibility.

The HIMSS 2023 conference kicks off this week in Chicago, Illinois from April 17 – April 21 2023. This year’s theme is on “Health that connects” and “Tech that cares”. We’re excited to be sharing best practices on securing connected devices in healthcare, implementing Zero Trust segmentation and accelerating medical device security programs. You won’t want to miss hearing directly from our customers including J.D. Whitlock, CIO of Dayton Children’s and Keith Whitby, Division Chair, HTM, from Mayo Clinic in our speaking sessions. We also have a lot of partner activities. Check out everything we’re doing at HIMSS here.

Connect with Us

Join us for demos and discussions with our product experts at our Booth #4333. Book a 1-1 meeting for a deep dive into how we address critical use cases. Attend our speaking sessions.

Accelerating Your Medical Device Security Program

  • Speakers: Keith Whitby, Division Chair, HTM, Mayo Clinic and Jim Hyman, CEO, Ordr
  • When: Wednesday, April 19, 2023, 11:30 am CDT
  • Where: McCormick Center, South Building, Level 1, S105 C

This session is one of eighteen HIMSS CXO Experience endorsed sessions, and one of fourteen sessions that are a part of the HIMSS 23 Digital Health Transformation Series.

Zero Trust in Healthcare is Not an All Or Nothing Option

  • Speaker: Danelle Au, CMO, Ordr
  • When: Monday, April 17, 2023, 10:30 am CDT
  • Where: McCormick Center, South Building, Level 1, S102

Practical Approach to Securing Every Connected Device in Healthcare

  • Speaker: Darrell Kesti, VP Sales, Ordr
  • When: Tuesday, April 18, 2023, 1:15 pm CDT
  • Where: McCormick Center, South Building, Level 2, Hall A, Booth 4309-4333, Cybersecurity Command Center – Theater B

Better Together With Ordr and Our Partners

As an industry, and particularly in a highly targeted vertical like healthcare, we are stronger and better together when we collaborate. We are proud to work with so healthcare, networking and security partners. See first-hand our strong partner integrations with Cisco, Cisco Meraki, ServiceNow, Fortinet, and others at HIMSS:

Cisco:

  • Check out Ordr and Cisco Integrations at the Security Workstation in Cisco (Booth 2225) from April 18-20th in the afternoons
  • Attend our Fireside Chat with CIO J.D Whitlock on Zero Trust on Tuesday April 18th
  • An Ordr and Cisco “Happy Hour” will be held in the booth at 4:00 pm CDT immediately following this fireside chat.

Sodexo:

Sodexo will feature their HTM Cybersecurity managed services powered by Ordr on April 18th, 2023 from 2:30 – 3:30 pm CDT (Booth 8315)

GE HealthCare:

GE HealthCare will feature their ReadySee services offering powered by Ordr (Booth 1712)

ServiceNow:

  • Participate in our ServiceNow partner Bingo Card that will include a visit to the Ordr Booth
  • Attend our speaking session on our integration – “Maintain an Accurate, Real-time Asset Inventory with Ordr and ServiceNow”
    • Speaker: Srinivas Loke, VP Product Management, Ordr
    • When: Wednesday, April 19, 2023, 4:00 pm CDT
    • Where: McCormick Center, ServiceNow Booth3609

CrowdStrike:

Visit an Ordr demo station to see CrowdStrike and Ordr integration up close at Booth#4332

We can’t wait to see you in person!