Federal Government Says Cyber Hygiene is No Longer Optional
Was cybersecurity on your calendar this summer? Because it sure was for the federal government.
Incident reporting requirements. Mandatory information security programs. Increased scrutiny of major corporations. The list goes on … and if you’ve been able to keep up with all of the movement, a clear message has emerged:
Cybersecurity must be a core business consideration, and cyber hygiene is not optional.
Discussions on cybersecurity and data privacy are here to stay at the federal level, as regulators continue to zero in on the fact that data is invaluable — something that both the cyber insurance industry and cyber criminals know all too well.
With ransomware on the rise in recent months, we can expect the federal government to remain focused on cybersecurity and preserving data privacy, especially as threat actors switch up their tactics.
“Today, attackers increasingly rely on encryption-less ransomware,” says Sezaneh Seymour, Coalition’s VP and Head of Regulatory Risk and Policy. “In some cases, they don’t even bother locking businesses out of their systems anymore because they understand the threat of disclosing sensitive data can be just as powerful.”
The long-term impact of more federal attention to cybersecurity remains to be seen. However, brokers can demonstrate tremendous value to their clients as cyber advisors by staying informed about major changes in cybersecurity requirements. If you haven’t been able to keep up with recent news, we’ve got you covered below.
SEC unearths ‘material’ questions
Publicly traded companies will soon be required to report significant cyber incidents. The Securities and Exchange Commission adopted new rules on cyber risk management and governance, most notably the requirement to disclose “material cybersecurity incidents” within four business days.
Questions have quickly emerged around what constitutes “material” impact; the SEC is giving companies discretion to determine if an incident is material, though it’s worth noting there are existing standards for assessing materiality. Some have also questioned the feasibility of reporting incidents within the “streamlined” window, but the rule allows for limited exceptions to the four-day window.
Brokers should pay close attention to how this rule plays out in practice, as some clients may face new reporting obligations, potentially including incidents that occur on vendor systems. Given the heightened scrutiny, these companies may look for ways to attest to third-party cyber risk management practices.
Microsoft under scrutiny for cybersecurity practices
The Cyber Security Review Board (CSRB) announced it will investigate a recent Microsoft incident after the company disclosed that China-backed threat actors obtained a key that allowed them to gain access to U.S. government email systems.
The investigation notably comes after mounting public pressure from elected officials and other figures in the cybersecurity space to “hold Microsoft responsible for its negligent cybersecurity practices.”
Coalition’s independent security findings indicate Microsoft users may be at higher risk for cyber insurance claims. Our team determined that in the first half of 2023, organizations using Microsoft Office 365 (M365) for email were more than twice as likely to experience a cyber insurance claim as Google users, while on-premises Exchange users were nearly three times as likely to experience a claim. Moreover, we uncovered that the lower claims rate for M365 compared to on-prem Exchange applies only to ransomware claims.
The risk of claims for business email compromise (BEC) and funds transfer fraud (FTF) events was found to be just as high with M365 as with on-prem Exchange. This is in stark contrast to companies using Google Workspace, which experienced a 25% risk reduction for FTF or BEC claims and a 10% risk reduction for ransomware claims. More of our findings will be available in our upcoming 2023 Claims Report Mid-year Update.
New FTC rule consistent with cyber insurance standards
Non-banking financial institutions are now obligated to protect consumer information by implementing an information security program. The Federal Trade Commission updated its Safeguards Rule, which now requires businesses to, among other things, conduct a risk assessment, implement multi-factor authentication, create a written incident response plan, and train employees to spot common attacks.
Sound familiar? These requirements parallel many of the cyber hygiene measures that cyber insurers have been promoting for years to protect businesses and improve their risk posture. The rule is a strong indicator of the government’s commitment to aligning cybersecurity best practices with business standards.
Brokers would be wise to recognize that organizations with an active cyber insurance policy will likely have an advantage and already meet many of the requirements. The Safeguards Rule went into effect on June 9.
How brokers can take immediate action
Wondering what to do with all of these cybersecurity developments? Here are three ways to use this information to engage with your clients:
If you have publicly traded clients, make sure they’re aware of and prepared for the new SEC reporting requirements. Coalition policyholders can use third-party risk management tools in Control to monitor suppliers and vendors for exposures on their attack surfaces that may pose a threat to their business.
If you have clients using Microsoft for email (you almost certainly do), make sure they understand that on-premises Exchange continues to be among the riskiest email solutions. Coalition recommends Microsoft email users implement Defender for Office 365, which is not included in Microsoft’s base E3 license and adds important security features such as impersonation protection and malicious URL protection.
If you have clients that are non-banking financial institutions, make sure they’re aware of the FTC Safeguards Rule and its requirements. Recall that many of the rule’s requirements are also aligned with Coalition’s security services — we provide all policyholders with cyber risk assessments, guidance on incident response plans, and discounted access to security awareness training.
Interested in leveling up your cyber game?
Explore Coalition’s library of Cyber Savvy resources, where we dive deeper into common scenarios and pain points for cyber brokers, including addressing client objections, interpreting cyber risk assessments, and implementing security controls.
This article originally appeared in the August 2023 edition of the Cyber Savvy Broker Newsletter. Subscribe to the newsletter to receive future editions directly in your inbox as we explore the most up-to-date and noteworthy topics in cyber insurance.
This communication is not a proposal of insurance. The information contained herein is offered for discussion and illustration purposes only. The information contained herein is not to be construed as advice of any kind or the rendering of consulting, financial, legal, or other professional services from Coalition. Any action you take upon the information contained herein is strictly at your own risk. Coalition will not be liable for any losses and damages in connection with your use or reliance upon the information. Copyright © 2023. All rights reserved. Coalition and the Coalition logo are trademarks of Coalition, Inc.