This article was produced in partnership with Tokio Marine HCC – Cyber & Professional Lines Group.
Bethan Moorcraft of Insurance Business sat down with DJ Carlisle, Cyber & Tech E&O Underwriting Manager for Tokio Marine HCC – Cyber & Professional Lines Group, to discuss essential cyber risk mitigation tools and strategies.
Cyber risk mitigation strategies and security controls are more important than ever in today’s fast-paced cyber threat landscape. With businesses of all sizes and sectors facing new threats every day, they cannot rely on their insurance policies alone to mitigate their cyber exposure.
Companies like the Tokio Marine HCC – Cyber & Professional Lines Group, a division of the Tokio Marine HCC specialty insurance group based in Houston, Texas, field questions on a daily basis from brokers and insureds around the topic of cyber risk mitigation, and, according to DJ Carlisle, the group’s Cyber & Tech E&O Underwriting Manager, underwriters are “always very happy to receive those questions because it shows that companies are taking cybersecurity and their cyber safety seriously.”
There are many cyber risk mitigation tools and strategies that businesses of all sizes and sectors can implement if they want to reduce their cyber exposure, Carlisle explained – and many of these solutions come at little to no expense.
Multi-factor authentication (MFA) is one of the most important cybersecurity controls. It requires the user to provide three or more verification methods to gain access to a resource such as an application, online account, a corporate network or a VPN.
As an example, “most email providers make MFA available at no additional cost,” said Carlisle. “That cuts down on social engineering losses, wire transfer losses, and especially ransomware exposure via stolen credentials, as well.”
In the past 18-months, as cyber insurers have grappled with increases in frequency and severity of losses, mostly related to ransomware, MFA has quickly become a minimum standard requirement for cyber insurance coverage.
“As cyber underwriters, MFA is one risk mitigation tool we ask about in the application,” said Carlisle. “We like to see controls in place, such as those who have MFA enabled for remote access to their network. We also require the insured has either offline or off-site backups. Those are becoming the two minimum requirements for us and other cyber carriers. Without MFA enabled, an organization appears to lack a culture and heightened awareness of cybersecurity and network security controls.”
Keeping a regular cadence with updating systems and software as soon as patches are available is another “highly recommended risk mitigation tool,” according to Carlisle, who said that roughly 25% of ransomware losses he’s seen have resulted from out-of-date software.
“They’re not zero-day exploits, and they’re not necessarily highly-skilled threat actors. They’re known vulnerabilities that could have been prevented if the patches were completed,” he said. “So, regular patching is key.”
There are protocols and procedures that businesses can put in place in order to verify and secure cyber transactions. For example, businesses can ensure there are call-back provisions for wire transfers. Carlisle gave the example of a vendor requesting payment after updating their banking information. With a call-back protocol, the insured would contact that vendor at a predetermined number or contact address to verify that they are requesting the payment. That simple provision has been found to solve a great deal of financial fraud issues.
Businesses should also mandate long, complex passwords that expire within 30- or 60-day intervals, according to Carlisle. He commented: “Believe it or not, we still see network breaches, ransomware, or stolen credentials that result from someone’s password being ‘password’. It happens all the time, so having a strong password mandate is necessary to maintain a company’s cyber hygiene.”
Security awareness is all about education and cybersecurity training to help employees understand that every single day, threat actors and cyber criminals are trying to hack into networks to steal funds and sensitive data.
“If every employee is aware of that, they’re going to be much less likely to give up their credentials and click on strange links, allowing hackers into the network,” Carlisle told Insurance Business. “The training should instill a sense of skepticism in every employee regarding clicking on links via email and giving up their credentials. The immediate response of a phishing scam should be: ‘This doesn’t seem legitimate. I need to investigate this.’”
Most, if not all, cyber insurers today will offer value-added services in addition to their financial risk transfer product. Carlisle encourages businesses to make use of those services, explaining that insureds of the Tokio Marine HCC – Cyber & Professional Lines Group have access to a free cyber risk management portal that provides employee training, incident response plans, business continuity plans, educational resources, and cybersecurity consulting sessions.
According to Carlisle, all of the above solutions together would “create a solid foundation for a cybersecurity risk management program.” Beyond that, there are additional risk mitigation tools and strategies that businesses can purchase and implement to protect themselves further.
Businesses should use MFA to protect privileged and administrative accounts within the corporate network. Those are users with the ability to make large changes to the network, modify user permissions, and/or install new software across the corporate network.
“If a threat actor or hacker gets access to a privileged user account, they can deploy malware across the entire network and access restricted information and servers. However, when MFA is required for access to those accounts, it can help mitigate or thwart a threat actor because it prevents the cybercriminals from escalating privileges to execute a successful ransomware and other cyberattacks,” Carlisle explained. “One method includes using a privileged access management (PAM) tool that stores privileged or administrative user credentials on a rotating or temporary basis in a software tool that requires MFA for access. That’s going to cut down most attempted privileged user account misuse.”
It’s “taking standard anti-virus software to the next level,” said Carlisle when describing endpoint detection and response (EDR) software, which should be set up for all critical servers and endpoints.
“If an organization is using multi-factor authentication, that’s like keeping the door to your house barred, stopping hackers at the access point,” he commented. “If, somehow, they’re able to bypass MFA and get into the network, then EDR is going to detect the activity within the immediate perimeter of the network, respond to it, shut it down in real time, and alert your IT staff that anomalous behavior is occurring.”
Cyber insurers are looking for their more complex insureds to engage in regular – “at least annual,” according to Carlisle – third-party penetration testing, including the use of red team exercises, which is where insureds bring in a firm of ethical hackers to rigorously probe and challenge their network security. Carlisle noted that, for larger accounts and those in higher risk sectors like financial institutions, healthcare, and retail, penetration testing would be a critical consideration of the coverage submission.
Carlisle would encourage businesses to set up a 24-7 security operation center (SOC). He said: “With an SOC, there’s always someone monitoring the logs, monitoring the network, and monitoring alerts from the EDR system. There are always eyes on the network watching for any red flags and unusual activity.”
Based in New York City (NYC), DJ Carlisle leads the Tokio Marine HCC – Cyber & Professional Lines Group cyber and technology underwriting team for the Northeast. He joined the company in 2018 as a senior underwriter. In this role, he’s responsible for overseeing the region’s underwriting team, leading sales initiatives and underwriting complex risks. Prior to joining, he brokered large cyber and technology placements at Marsh and Willis Towers Watson as a member of their national cyber teams. DJ is originally from the Los Angeles area and graduated from the University of Southern California. Outside of the office, he enjoys reading fiction and exploring the NYC area.
