If you’re in the process of reviewing your cyber insurance cover—or negotiating a new policy—it won’t take long to notice the market has changed.
Largely thanks to ransomware, cyber insurance loss ratios are rising to unprecedented levels. This is leading insurers to increase premiums while also considerably reducing their appetite for risk. Gone are the days when the market would offer you cover without much consideration for, or verification of, your cybersecurity practices and controls.
In today’s market, insurers want to look at your risk controls under a microscope. While discounts on premiums are becoming increasingly rare, the security solutions you choose often influence the premium you pay.
Some insurers will simply require that you use certain controls—such as multi-factor authentication (MFA), endpoint detection and response (EDR), or managed detection and response (MDR) — before they will offer a policy at all. Gone are the days of resting easy with legacy antivirus (AV) solutions.
As insurance costs continue to rise and coverage requirements intensify, it’s very reasonable to look again at your cybersecurity infrastructure and determine how well your business is positioned to obtain adequate cyber risk transfer.
As Senior Director for Global Cyber Risk Partnerships at Sophos, one of my main priorities is to bridge the gap between customers and partners, and the world of cyber underwriters, brokers, and claims adjusters. My goal is to ensure our award-winning cybersecurity products and services are creating maximum benefit for customers when they obtain or renew their cyber insurance policies.
My cyber insurance requires EDR…will Sophos Intercept X with XDR qualify?
This is the question I’m asked more than any other. If an insurer stipulates that you must have “next-gen endpoint”, or “EDR”, will they accept Sophos Intercept X endpoint protection and Sophos XDR? And the short answer is: yes, they almost certainly will. (In fact, some of them recommend us.)
Cyber Insurers take a special interest in endpoint protection because ransomware is now by far the most common cause for a cyber insurance loss. The cost of recovery is soaring, too; our State of Ransomware 2021 survey showed the average has more than doubled in the last year—to almost $2 million.
So the fact that Gartner has named Sophos a Leader in Endpoint Protection Platforms—not just once, but twelve times over—is exactly the kind of thing insurers want to see.
With Sophos you have the world’s best protection against ransomware. And unless your insurer has an exclusive tie-in with another vendor, or technology of their own to sell, you can safely expect them to be very happy about your choice.
If you’re using Sophos XDR—our extended detection and response solution—that goes further still. It enables you to detect and respond across endpoint, server, firewall, cloud, email and other data sources. With data from each product flowing into the Sophos Data Lake you can quickly find critical information and respond effectively to suspicious activities.
Sophos Managed Threat Response, Sophos Email, and Sophos Central reduce your risk further
Endpoint protection is just one way your insurer will want to see you reducing your risk. They might well also ask about using managed detection and response (MDR) to back up your team with expert support.
In fact, this is the second most common question I’m asked. If an insurer stipulates that you must have “managed security”, or “MDR”, will they accept Sophos Managed Threat Response (MTR)?
Here, too, the Sophos offering does everything that’s expected—and then goes further. Sophos MTR, doesn’t just notify you about suspicious events; we proactively go out and hunt the threats down. And we take action on your behalf to neutralize problems, either on a case-by-base basis with your permission, or we can operate autonomously and neutralize the threat before you know about them.
Again, your insurer will be reassured to know you have a recognized expert in the field, keeping watch even while you sleep. It’s a proven, popular service; membership has grown by 500% in the last year and we now have over a million managed endpoints.
Other risks start closer to home, with your own users. Insurers want to know about your cyber risk training, but even your best-trained people are only human. So it’s good to talk about email security that limits the potential damage from mistakes—whether that’s by using data loss prevention to stop them emailing sensitive data to the wrong person, or blocking fraudulent emails before they even reach the inbox.
And if you’re using Sophos Central, our cloud-based management platform, to co-ordinate your cybersecurity, that’s worth mentioning too. Because it gives a single, holistic view in one console you’re less likely to miss something. Customers running our next-gen endpoint and firewall products managed through Sophos Central report up to 85% fewer security incidents, and that they identify issues 90% faster; that limits both the threat and the potential impact.
Sophos Rapid Response minimizes post-breach losses
As we’ve discussed, from an insurer’s point of view, limiting risk through proper cyber-hygiene and a strong overall cybersecurity posture are paramount in funding sufficient cyber risk transfer. However, ensuring that costs are controlled if and when something goes wrong, and a claim (loss) has been filed, has just as much potential to impact in your ability to obtain future coverage.
If your Sophos suite is properly installed, maintained, and updated, you’re extremely unlikely to make a cybersecurity insurance claim—whether for malware or intrusion.
(**Side note: this is the main reason Ransomware Warranties offer virtually zero value – losses are almost always caused by endpoints with outdated or improperly configured protection, or endpoints that lack protection altogether. Thus, the likelihood the warranty paying for a covered loss are slim-to-none!**)
But you can also show your insurer that you’re ready to take immediate, effective action to limit the impact if a breach does occur.
That’s important because many of the risks covered by cyber insurance — like business interruption and incident response/forensics costs—start clocking up rapidly from the moment an attack occurs. The faster the organization is back up and running, the smaller the bill for both you and the insurance company; a true win-win scenario.
In short, if you want to reduce your these costs, speed is of the essence. Sophos Rapid Response is waiting in the wings, with teams spread out across the world and working in three different eight-hour shifts to ensure 24/7 availability. It’s not uncommon for Sophos to fully deploy across the network and start the investigation within hours, not days like may other insurance-sponsored digital forensics and incident response (DFIR) offerings.
What’s more, any device already running Sophos Endpoint will have been collecting valuable data that will further help speed up threat identification and investigation.
Rapid Response is called “Rapid” for a reason. Over the last 15+ years I’ve participated in thousands of incident responses, and I can truly say that I’ve never seen a threat neutralization team move as quickly as Sophos Rapid Response. When every second adds dollars to an insurance claim, having that kind of capability on hand—even if you never use it—is bound to make your insurer a lot more comfortable.
If in doubt, reach out
Ultimately, if you’re a Sophos customer, and your system is correctly configured and up to date, it’s highly unlikely that your insurer will have any concerns—we’ve never had a problem yet.
But if you do have questions, or need any more information, we’re more than happy to help here in the Cyber Risks Partnerships team. You’re very welcome to contact us at firstname.lastname@example.org.
In the meantime, if you’d like any more help understanding your cybersecurity insurance cover, our Guide to Cyber Insurance gives a great overview.
And as always, your Sophos representative is on hand to talk you through any of the products or services I’ve mentioned here.