DMARC and Cyber Insurance
With the rash of ransomware and cyber attacks across the globe, the demand for cyber insurance is increasing, as are the number of claims and, with them, the cost of coverage.
And rising costs are indiscriminate: a small, rural school district in Western North Carolina was hit with a ransomware attack at the start of the remote 2020 academic year. Luckily, students only missed a day of instruction, and the school had a cyber insurance policy in place; the premium for that year was $6,653. This year, when the school board approved its cyber insurance contract, the cost was $22,318, a 235% increase over the previous year.
Cyber Insurance Drives DMARC Adoption
With rising attacks, claims, costs and payouts, insurance companies are making moves to stay profitable. On cyber insurance applications, underwriters now ask about foundational cybersecurity controls and include DMARC among them. Some are partnering with security solution providers to offer risk management services, sometimes at no cost, to reduce the risk of their cyber insurance customers and, in turn, their own. Here are sample questions from one cyber insurance application:
- Have you implemented any of the following to protect against phishing messages: SPF, DKIM, DMARC?
- Do you enforce Multi-Factor Authentication (MFA) for email?
- Do you use MFA for cloud provider services (AWS, Azure, Google Cloud)?
- Do you use Endpoint Detection and Response Tools?
- Do you actively monitor all administrator access for unusual behavior patterns? If “Yes,” what is the name of your Monitoring Tool?
- How frequently do you install critical and high severity patches across your enterprise?
- Do you use endpoint application isolation and containment technology on all endpoints?
- Do you use a Security Operations Center (SOC)?
- Do you use a Security Information and Event Management (SIEM) System?
And the list goes on….
As a result, dmarcian is hearing regularly from customers who need assistance deploying DMARC to meet these security thresholds. Because phishing is at an all-time high, leaving the DMARC box unchecked on a cyber insurance application is viewed as a liability by insurers. The lack of DMARC and other security controls can lead to a higher premium, or to a denied claim after a breach. By requiring base-level cybersecurity practices, insurers are reducing their own risk and driving adoption of DMARC alongside controls like employee training and multi-factor authentication.
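Answering "have you implemented SPF, DKIM, DMARC?" honestly means knowing what your DNS actually publishes: a `p=none` DMARC record or an SPF record ending in `+all` technically exists but blocks nothing. The script below is an added example written for this page, not dmarcian's tooling or code from the original post. It parses an SPF record and a DMARC record using the tag syntax from RFC 7208 and RFC 7489, judges whether each is enforcing, and lists the findings an underwriter's question glosses over. The records it runs on are constructed sample data for a made-up domain; in practice you would fetch the `<domain>` and `_dmarc.<domain>` TXT records from DNS and pass them in.

```python
"""Offline assessment of the SPF and DMARC TXT records behind the insurer's
"SPF, DKIM, DMARC?" question. Sample records are constructed, not real DNS data."""
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DMARC_TAG_RE = re.compile(r"^\s*([a-zA-Z]+)\s*=\s*(.*?)\s*$")
POLICY_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}
SPF_LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")


@dataclass
class DmarcResult:
    valid: bool
    policy: Optional[str] = None
    subdomain_policy: Optional[str] = None
    pct: int = 100
    aggregate_reports: bool = False
    enforcing: bool = False  # True only for p=quarantine/reject applied to 100% of mail
    problems: List[str] = field(default_factory=list)


@dataclass
class SpfResult:
    valid: bool
    all_qualifier: Optional[str] = None  # '-', '~', '?', '+' or None if no "all" term
    dns_lookups: int = 0
    problems: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> DmarcResult:
    """Parse a _dmarc TXT record (RFC 7489 tag=value; pairs) and judge its policy."""
    tags: Dict[str, str] = {}
    order: List[str] = []
    for chunk in record.split(";"):
        if not chunk.strip():
            continue  # trailing ';' leaves an empty chunk
        m = DMARC_TAG_RE.match(chunk)
        if not m:
            return DmarcResult(valid=False, problems=[f"malformed tag: {chunk.strip()!r}"])
        tags[m.group(1).lower()] = m.group(2)
        order.append(m.group(1).lower())
    # RFC 7489 section 6.3: v=DMARC1 must come first and p is required
    if not order or order[0] != "v" or tags["v"].upper() != "DMARC1":
        return DmarcResult(valid=False, problems=["v=DMARC1 must be the first tag"])
    if tags.get("p") not in POLICY_STRENGTH:
        return DmarcResult(valid=False, problems=["p tag missing or not none/quarantine/reject"])
    r = DmarcResult(valid=True, policy=tags["p"])
    sp = tags.get("sp", r.policy)  # sp defaults to p
    if sp not in POLICY_STRENGTH:
        r.problems.append(f"sp={sp!r} is not a valid policy; subdomains fall back to p")
        sp = r.policy
    r.subdomain_policy = sp
    if POLICY_STRENGTH[sp] < POLICY_STRENGTH[r.policy]:
        r.problems.append(f"sp={sp} leaves subdomains weaker than the organisational domain")
    try:
        r.pct = int(tags.get("pct", "100"))
        if not 0 <= r.pct <= 100:
            raise ValueError
    except ValueError:
        r.problems.append("pct must be an integer 0-100; treating it as 100")
        r.pct = 100
    r.aggregate_reports = any(u.strip().startswith("mailto:") for u in tags.get("rua", "").split(","))
    if r.policy == "none":
        r.problems.append("p=none only monitors; spoofed mail is still delivered")
    if r.pct < 100:
        r.problems.append(f"pct={r.pct}: policy applies to only {r.pct}% of failing mail")
    if not r.aggregate_reports:
        r.problems.append("no rua address: you will not see who is sending as your domain")
    r.enforcing = r.policy in ("quarantine", "reject") and r.pct == 100
    return r


def parse_spf(record: str) -> SpfResult:
    """Parse an SPF record (RFC 7208) and flag weak terminators and lookup overruns."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return SpfResult(valid=False, problems=["record must start with v=spf1"])
    r = SpfResult(valid=True)
    for term in terms[1:]:
        t = term.lower()
        if t.startswith("redirect="):
            r.dns_lookups += 1  # redirect= counts toward the lookup limit
            continue
        if t.startswith("exp="):
            continue
        qualifier = "+"
        if t[0] in "+-~?":
            qualifier, t = t[0], t[1:]
        name = t.split(":", 1)[0].split("/", 1)[0]
        if name == "all":
            r.all_qualifier = qualifier
        elif name in SPF_LOOKUP_MECHANISMS:
            r.dns_lookups += 1
        elif name not in ("ip4", "ip6"):
            r.problems.append(f"unknown term {term!r}")
    if r.dns_lookups > 10:
        r.problems.append(f"{r.dns_lookups} DNS-lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    if r.all_qualifier not in ("-", "~"):
        r.problems.append("no -all or ~all: unauthorised senders are not failed")
    return r


def questionnaire_answer(spf_record: Optional[str], dmarc_record: Optional[str]) -> Dict[str, object]:
    """Reduce both records to the answer the application form is really asking for."""
    spf = parse_spf(spf_record) if spf_record else SpfResult(valid=False, problems=["no SPF record"])
    dmarc = parse_dmarc(dmarc_record) if dmarc_record else DmarcResult(valid=False, problems=["no DMARC record"])
    return {
        "spf_published": spf.valid,
        "spf_hard_fail": spf.all_qualifier == "-",
        "dmarc_published": dmarc.valid,
        "dmarc_enforcing": dmarc.enforcing,
        "findings": spf.problems + dmarc.problems,
    }


# Constructed sample records for a hypothetical domain (not fetched from DNS)
SAMPLE_SPF = "v=spf1 include:_spf.example.net mx -all"
SAMPLE_DMARC = "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    print(json.dumps(questionnaire_answer(SAMPLE_SPF, SAMPLE_DMARC), indent=2))
```

On the sample records the answer to "do you have SPF and DMARC?" is yes for both, but `dmarc_enforcing` is false because `pct=10` applies quarantine to a tenth of failing mail; that is the kind of gap an insurer's yes/no question hides and a claims investigation may not.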
Changing Landscape of Cyber Insurance
Because of the turbulent cybersecurity landscape and cyber insurance market, Congress called for a study of the U.S. cyber insurance market in the 2021 National Defense Authorization Act to research market trends and challenges. The study, conducted by the Government Accountability Office (GAO), discovered the following key trends:
- Increasing take-up. Data from a global insurance broker indicate its clients’ take-up rate (proportion of existing clients electing coverage) for cyber insurance rose from 26 percent in 2016 to 47 percent in 2020.
- Price increases. Industry sources said higher prices have coincided with increased demand and higher insurer costs from more frequent and severe cyberattacks. In a recent survey of insurance brokers, more than half of respondents’ clients saw prices go up 10–30 percent in late 2020.
- Lower coverage limits. Industry representatives told GAO the growing number of cyberattacks led insurers to reduce coverage limits for some industry sectors, such as healthcare and education.
- Cyber-specific policies. Insurers increasingly have offered policies specific to cyber risk, rather than including that risk in packages with other coverage. This shift reflects a desire for more clarity on what is covered and for higher cyber-specific coverage limits.
The insurance market is in a period of transformation as it adjusts to rising and evolving cyber attacks and increased claims. And it is not easy. The GAO noted that insurance companies must build new cyber insurance products without much historical data on cyberattack costs. In addition, setting coverages and limits is difficult because the industry lacks standardized definitions for terms like cyberterrorism.
Many companies have been forced to conduct more and more of their business online; as a result, more financial account information and more payment processing have moved online, and with them a major increase in the online collection and storage of sensitive, personally identifiable information. This puts companies in a high-risk category for insurance providers. Having effective controls like DMARC in place increases the chance of obtaining coverage and of receiving a payout in the case of a breach.
You can also start a complimentary trial and get help from our expert analysts and support staff along the way.
Want to continue the conversation? Head over to the dmarcian Forum.