While securing cyber risk insurance and attaining coverage for losses may remain challenging, organizations with a robust cybersecurity compliance posture can use it to their advantage. 

For many organizations, cyber liability insurance acts as risk reduction that limits a data breach’s financial impact. However, cyber insurance carriers have faced financial dilemmas over the last few years. Unprepared for new cyber attack models like Ransomware-as-a-Service (RaaS), carriers faced increased losses. In response to these increased losses, cyber risk insurers increased their rates while limiting their coverage. One report noted that insureds with unique digital exposures or poor loss control measures faced 50-100% rate increases in 2022. 

Although the report never defines a unique digital exposure, companies should look at the devices that they struggle to secure, like the Internet of Things (IoT), Industrial IoT (IIoT), and Internet of Medical Things (IoMT) devices. Despite the value these technologies offer businesses, they also create unique risks compared to traditional devices. For example, while organizations can install anti-virus software on a traditional device or detect security weaknesses with vulnerability scanners, they cannot apply these security risk mitigations to IoT devices. 

Understanding Cybersecurity Compliance and Insurance Fundamentals

While purchasing cyber insurance is critical, many companies fail to realize that coverage is not guaranteed. In short, paying policy premiums does not mean the insurance company will automatically pay a claim. 

According to one report, the following are the top five reasons that cyber insurers denied coverage:

• 43%: Lack of security protocols in place
• 38%: Internal bad actor
• 38%: Human errors like misconfigurations, lost devices
• 33%: Acts of war
• 33%: Did not follow cybersecurity compliance procedures

Understanding the typical coverage provisions and exclusions is critical when trying to untangle this web of coverage issues.

Typical Coverage Provisions

When looking at a cyber risk insurance policy, the first things to review are the coverage provisions, meaning the types of claims that fall within the paid premium. Although organizations can purchase additional coverages, most cyber risk policies begin with the following basic provisions:

• Response expenses: generally defined as reasonable notification costs, crisis management expenses, monitoring services for victims, legal and forensic services 
• Defense and liability: legal fees arising from lawsuits related to the data breach and payments made to plaintiffs

Under the law, insurers have a broader duty to defend, meaning that often they will pay for an insured’s legal costs but then deny liability coverage. If a lawsuit includes an allegation that could fall within the policy’s coverage, the insurer will pay the defense costs. However, when the time comes to pay the plaintiff’s damages, the facts of the case dictate the actual cause of liability, meaning that the insurer may refuse to pay those costs. 

Typical Exclusions

Every policy has exclusions built into it, meaning scenarios the insurance company uses to deny coverage. Although these standard exclusions bind organizations, they can spend additional money to purchase coverage back. However, typically, adding coverage for excluded scenarios becomes cost-ineffective.

Cyber liability policies typically exclude coverage for claims for:

• Reputational loss
• Malicious actions, including knowing violations of law
• Costs to correct a system deficiency, like data security issues
• Costs arising from system shortcomings that the insured knew about before purchasing the policy, like design or maintenance issues
• Data breaches arising from failure to install or improperly installed security updates
• Fines and penalties
• Costs arising from failure to meet a minimum data security requirement
• Intentional violations of the company’s privacy policy 
• Breach of contract

The Overlap between Cybersecurity Compliance and Coverage

Insurance policies respond to costs arising from accidents, and insurers typically focus on an insured’s negligence when trying to deny coverage. While identifying negligence isn’t easy, a general standard that asks, “What would a reasonable person do in this situation?”

With cybersecurity, compliance can help answer those questions. Cybersecurity compliance mandates outline a set of minimum requirements for data security. Failure to achieve these minimum requirements is expressly excluded from coverage. Additionally, compliance provides documentation showing that an organization implemented protections aligned with what a reasonable person would do in the same situation. 

However, reasonable activities within a traditional IT environment may not be robust enough within an environment containing IoT devices. Organizations with these unique digital exposures may want to consider some of the following cybersecurity compliance mandates when identifying best practices:

• ISO 27001: implementing an Information Security Management System (ISMS) that identifies and manages risks related to data owned or handled by an organization
• Health Insurance Portability and Accountability Act (HIPAA): focusing on confidentiality, availability, and integrity of electronic Protected Health Information (ePHI)
• COBIT Framework: governing and managing IT holistically with an end-to-end approach that incorporates business and IT functional areas
• NIST Cybersecurity Framework: mitigating organizational cybersecurity risks using a set of standards, guidelines, and best practices
• FDA Post-Market Guidance for Cybersecurity: evaluating the likelihood of exploitation and criticality of medical devices to patient care and hospital operations 
• IEC/ISO 80001: addressing key properties of safety, effectiveness, and security within health IT infrastructures
• HHS 405(d): leveraging consensus-based best practices and methodologies to strengthen the healthcare and public health (HPH) sector’s cybersecurity posture
• DNV NIAHO®: the recent accreditation requirements, interpretive guidelines, and surveyor guidance for hospitals 23-1 revision include cybersecurity as a critical component of managing HDO security protocols
• The Joint Commission (TJC): the hospital accreditation agency recently released new recommendations on preparing for a cyberattack in Sentinel Alert 67

Across these different cybersecurity compliance frameworks and mandates, several controls remain constant:

• Engaging in a risk assessment
• Establishing and implementing policies and procedures
• Creating and maintaining an asset inventory
• Limiting access according to the principle of least privilege
• Identifying and remediating vulnerabilities 
• Segmenting networks and monitoring network traffic
• Continuously monitoring environments for abnormal behavior that can indicate a potential data security incident

Problematically, very few of these frameworks and mandates address the unique digital risks arising from IoT devices. For organizations across industries, guiding principles taken from the healthcare vertical may offer some insight. Some examples of best practices include:

• Leveraging a passive scanner to identify all IoT, IIoT, and IoMT connected to networks
• Assessing the risks that these devices pose to the organization
• Identifying vulnerabilities on these devices
• Prioritizing remediation activities without compromising device functionality
• Assess device risk during the procurement and due diligence process

Asimily Enables IoT Security and Cybersecurity Compliance 

With Asimily, organizations can implement security controls that protect their networks and provide cybersecurity compliance documentation to support cyber liability insurance claims. 

Create a comprehensive IoT inventory

Asimily’s powerful protocol analyzer and deep packet inspection (DPI) capabilities enable organizations to safely discover and categorize IoT assets, services, connections, and apps to create a device profile that includes:

• Operating system
• IP address
• MAC address
• Port numbers
• Applications
• Hostname
• Version number 

Organizations can create a comprehensive and accurate asset inventory because Asimily integrates with and augments data collected from various IT and security tools like:

• Configuration management databases (CMDBs)
• Traditional vulnerability scanners
• Network Access Control (NAC) tools
• Computerized Maintenance Management System (CMMS)

Identify exploitable vulnerabilities to prioritize remediation

Some companies manage hundreds of IoT devices, each of which creates an attack vector. Simultaneously, every organization has a unique infrastructure that impacts whether attackers can exploit a device’s vulnerability during an attack. 

With Asimily’s patented engine, organizations can identify vulnerabilities and then prioritize remediation activities by aggregating and analyzing:

• Security data that the manufacturer supplies
• Open-source software components that developers used
• Vulnerability criticality 
• Attacker tactics, techniques, and procedures (TTPs) that can use the vulnerability

Asimily’s unique Impact, Likelihood, and Utilization analyses identify the vulnerabilities that attackers can use within an organization’s unique environment, enabling companies to allocate resources to address the riskiest devices first appropriately.

Additionally, Asimily provides ranked, simple fix instructions so that teams can streamline remediation processes.

Identify and respond to cyber threats

Asimily enables organizations to continuously monitor IoT devices and their connected networks to identify abnormal behavior that may indicate an attack. Organizations can set device behavior rules that enable them to misconfigurations that attackers can use or abnormal behavior to respond to potential threats rapidly. Organizations can collect and store forensic data by launching Asimily’s Packet Capture, which works on any device. 

By integrating Asimily’s data into a security event information management (SIEM) tool, security teams can reduce noise with high-fidelity alerts that enable them to take action faster, reducing attacker dwell time. 

Enhance due diligence

With Asimily, organizations can engage in meaningful, data-driven risk assessments during the device procurement process. By simulating device risk scenarios, organizations can more precisely calculate the risk associated with a device with visibility into the most secure configurations and their impact on the overall security posture. 

Identify and Track Key Performance Indicators (KPIs)

Cybersecurity compliance and security are iterative processes. With Asimily, organizations can identify KPIs and then track trends over time for visibility into their security posture. Further, senior leadership and the board of directors need visibility into risk to fulfill their governance duties. With Asimly, organizations can:

• Create baselines
• Identify target objectives
• Track trends over time
• Compare security posture to peers

By incorporating IoT risk management into the overarching cybersecurity compliance program, organizations can apply consistent controls across the entire infrastructure to ensure that they go beyond the minimum best practices necessary for asserting coverage under their cyber liability policies. 

To learn more about Asimily, download our Total Cost of Ownership Analysis on Connected Device Cybersecurity Risk whitepaper or contact us today.