Businesses using a managed detection and response (MDR) provider cut their median response time to a cyber incident by half, and saw a commensurate — and dramatic — reduction in the impact of each incident, according to an analysis of insurance claims data. At least one cyber insurance firm is exploring offering discounts on policy premiums based on what kind of technology the organization has in its environment.
By adding the skilled expertise of cybersecurity professionals to major endpoint detection and response (EDR) platforms, companies had fewer incidents and what incidents they did have were less serious, according to cyber insurance firm Coalition. Based on the analysis, the company offers credits to cyber insurance premiums for its policyholders based on whether they have deployed MDR and which one, says Tiago Henriques, vice president of research for Coalition.
"What we're seeing from our data is that there's a set of foundational security controls that actually move the needle," Henriques says. "We're going to try to focus our policyholders on spending their money on things that actually matter — no more buying blinky lights just for the sake of buying blinky lights, spend your money on things that actually improve your security."
Unmanaged endpoint detection and response (EDR) platforms, however, do not merit the discount, he says.
The cyber insurance firm's findings are not surprising. Because cybersecurity and incident-response experts deal with security events on a regular basis, managed detection and response (MDR) services save their clients significant time, reducing the cost of incident response and saving the time of cybersecurity professionals, says Jeff Pollard, vice president and principal analyst with business intelligence firm Forrester Research.
The average customer tends to save 33 hours per incident to identify actual malicious activity, 16 hours to investigate and determine the severity, and 16 hours performing root cause analysis, according to Forrester survey data.
"Because these companies do nothing but provide MDR, they are focused on building out better integrations, increasing their accuracy, and creating more automation," Pollard says. "Those are all things the average SOC analyst inside a company barely has time to do because they are spread so thin."
Collecting Data on Business Risks
Managed detection and response platforms are not alone in being recommended by cyber insurance providers. Last year, Coalition found that organizations using Google Workspace had a financial transaction fraud (FTF) claims rate only 43% of that of companies using Microsoft Office 365, while insurtech firm At-Bay saw that firms using Microsoft 365 had double the claims of Google Workspace.
Insecure email systems are a major source of insurance claims, with business email compromise accounting for 26% of Coalition's cyber claims and email in general accounting for 41% of At-Bay's claims, the firms stated.
Coalition plans to continue to crunch its numbers to determine what other technologies may lower claims rates, Henriques says.
"We want to pick the best technologies that have the most positive impacts for our customers, because that's our incentive," he says. "Right, we have a financial incentive that our customers don't get hacked, and if they do, that the severity of that event is reduced."
In its Cyber Threat Index 2024 published on Feb 21, the company also found that more than 10,000 businesses are running instances of Microsoft SQL Server 2000, an end-of-life product, that are reachable from the Internet. In addition, Coalition will not insure companies with open ports for the Remote Desktop Protocol (RDP), because of the ease with which it can typically be compromised. Scanning for the open port increased by 59% in 2023, the firm said.
Insurance Firms as Cybersecurity Reviewers?
Overall, the data-focused approach to insurance pursued by insurtech firms like Coalition could result in collecting the most accurate data on what cybersecurity products are working, and which are not. The savings on policies could set cyber insurance firms on the path to recommend specific solutions to businesses based on which lead to fewer — and smaller — claims.
To some degree, that discussion is already occurring, says Coalition's Henriques.
"Our clients come to us at the end of the day, and they're like, 'I've got X amount of budget to spend in InfoSec next year, which technology should I pick for backup, ... who should do EDR for me who should do MDR?" he says. "And if you work with a modern insurtech that uses data that is familiarized with cybersecurity services, yes, you should contact your cyber insurance provider and ask for this advice."
Yet, the most secure technologies may not be worth the policy savings, says Forrester's Pollard. While everything will eventually become a service, because the skills to operate and maintain technology are not widely distributed, whether they make sense for a specific business depends on the economics, he says.
In the end, businesses may have to accept higher premiums for their particular IT environment, or may not be able to get insurance at all.
"I don’t think cyber insurers will lead to better products, but we’ve predicted that cyber insurers will become less willing to insure unreliable or problematic cybersecurity products that have numerous issues or vulnerabilities," he says.