Posted on September 20, 2022

Cyber insurance helps cushion the financial impact of a data breach, but did you know that insurance carriers expect policy holders to meet them halfway? A company applying for a cyber insurance policy must demonstrate that it has effective cybersecurity policies and countermeasures in place. For example, many carriers require the applicant to prove that it is using an Endpoint Detection and Response (EDR) solution, before they will issue a policy.

Even when a company has a cyber insurance policy, its claims may still be denied if the carrier determines that it has not been diligent enough in risk mitigation, a problem known as “failure to maintain” an adequate security posture. This article explores why EDR is essential for getting cyber insurance and how the technology helps ensure that cyber insurance claims will not be rejected.

The increasing need for cyber insurance

Does a business need cyber insurance? The short answer is “yes,” because there’s a high likelihood that a company will experience an event where it will need the coverage. In contrast to car insurance, for example, where a policyholder might go for years without having an accident, in cyberspace, the accident is almost guaranteed to occur at some point in the near future.

Consider that data breaches are getting more common and expensive with every passing year. A study by the CyberEdge Group found that 85% of organizations experienced a successful cyberattack last year. They also discovered that 40% of organizations suffer more than six successful attacks a year.

Why is this happening? Risk factors like remote employees and distribution of digital assets across multiple cloud environments and third parties are increasing. According to IBM’s 2022 Cost of a Data Breach report:

Remote Work = More Risk, Higher Breach Costs

  • The more employees you have working remotely the higher your data breach costs.
  • When a remote worker is the cause of a data breach, the cost increases by $1 million.
  • $9.44M is the average cost of a data breach in the United States, the highest of any country.

Cyber insurance can help pay for some of these costs.

How cyber insurance policies work

Cyber insurance policies vary in their specifics. And, the way each policy is written increases that variation. In general, however, cyber insurance functions much the same as other types of liability insurance. If the policy holder experiences a cyber attack and has what insurers call a “loss,” then the policy will pay on the claim, up to some agreed-upon limit.

For example, a cyber insurance policy might cover loss events like a data breach or an attack on policyholder data that’s hosted by vendors. The policy will pay for costs related to legal expenses, recovery and replacement of lost or stolen data, customer notification processes and call centers, lost income from business interruption, fees and fines and public relations. Some policies will cover the costs of ransomware extortion.

Why cyber insurance applications and claims get turned down

Insurance carriers are careful about whom they underwrite with cyber insurance. Just as the owner of an old car that lacks seatbelts will have trouble getting car insurance, so too will companies with deficient cybersecurity policies and controls struggle to get cyber insurance. Reasons for rejecting an application for coverage include a lack of preventative security measures, poor security training and awareness and inadequate endpoint security. Claims get turned down if the carrier determines that the policyholder has let its countermeasures lapse—a “failure to maintain” situation.

How endpoint security helps avoid breaches and claims

Cyber insurance carriers emphasize endpoint security, often requiring EDR, because almost all breaches begin at the endpoint. This should make intuitive sense, because the endpoint is where end users encounter potential malware—and where malicious actors can usually find a path into a target network. If endpoints are not well protected, the entire organization is exposed to risk of breach. Additionally, with today’s hybrid workforces or work-from-anywhere business models, the endpoint is considered the new network edge—meaning security protections must reach to every user and their devices.

What is EDR?

According to analysts at Nemertes, Endpoint Detection and Response (EDR) solutions use the enterprise endpoint as a cybersecurity sensor for detecting and helping respond to threats and security events. An EDR solution can incorporate traditional endpoint protection (EPP) functionality, such as antivirus, or it can stand alone.

EDR solutions are increasingly fitted into a broader environment of threat detection and response. Data from the endpoints is integrated into data streams from cloud service, CASB, SSO, and other network and security tools and services. This broader integration is aimed at powering cross-channel analytics with the goal of spotting behavioral anomalies and adaptive persistent threats; it is sometimes called Extended Detection and Response (XDR).

56% of organizations have begun to deploy EDR and another 24% intend to by the end of 2022. Combined EDR and Endpoint Protection Platforms are associated with an 82.5% reduction in serious security incidents.

Source: Nemertes, Secure Cloud Access and Policy Enforcement Research Study 2021

How EDR protects from cyber insurance denials

The insurance requirement to run EDR comes from a consensus that traditional, simpler countermeasures are no longer sufficient to block today’s sophisticated attack vectors. For example, standard signature-based antivirus technologies will miss threats that lack a known signature. This is a common scenario today. EDR may use artificial intelligence (AI) to detect anomalous behavior at the endpoint that suggests an attack is taking place, even if there is no known signature present.

After an EDR solution has detected an attack (the “D” in EDR), the “R” for response kicks in. EDR is able to facilitate an effective response to an attack. This reduces the overall cost of containing the breach and remediating the vulnerabilities that caused it.

For these reasons, cyber insurance carriers usually want to see EDR in place before they’ll issue a policy. The presence of EDR gives them some confidence that losses on the policy will be low in comparison to policies on companies that lack EDR. Having an actively functioning EDR solution in place also protects the policyholder from having a claim denied for a failure to maintain. The policyholder can say, in good faith, that they were being diligent in defending their endpoints.

Still, the best cyber insurance claim is the one never filed

Another compelling reason to consider EDR, even if one has cyber insurance, is that the best claim is often the one that never gets filed. Filing a cyber insurance claim means there’s been a breach. It’s far better to avoid being in that situation in the first place. Even though insurance covers some of the costs of dealing with a breach, it cannot make up for the disruption and loss of reputation that comes with a major breach. EDR helps prevent those outcomes.

Cyber insurance is an essential element of an effective risk management strategy. The policies cover some of the high costs of handling a cyberattack. Getting approved for a policy means demonstrating satisfactory security, however. In many cases, carriers require EDR, because endpoints are critical to defending digital assets and preventing breaches. With EDR in place, an insured organization can detect attacks and mount a robust response. Insurance carriers like that, so they are insisting that their policyholders adopt the technology.

Three tips for implementing endpoint security

Nemertes’ research shows about 47% of organizations using EDR report they also use a SASE (secure access security edge) solution. With the trend in consolidating network and security tools into unified approaches that make them easier to implement and manage, EDR can be an easy extension of other security investments and secure networking initiatives. For instance, Masergy’s SASE solutions come with an EDR add-on.

EDR technology features and management are also key considerations for successful deployment. Want a technology checklist of the automation and integration requirements necessary for advanced capabilities? Check out this informational graphic showing how to compare EDR solutions.

When it comes to management, EDR tools will increase the number of security alerts and events that IT staff will have to respond to. Even with automation, for now this means having a security operations center staffed with certified professionals monitoring events as they unfold—working around the clock to mitigate threats. EDR solutions can come with SOC services, which is often the best bet given today’s security staffing shortages.

Masergy helps companies build turnkey security protection spanning endpoints, multi-cloud environments, and the network. Plus, it’s all backed by 24/7 SOC services. When you need help expanding your security coverage, contact us for a free consultation.

Trevor Parks

Trevor Parks is the director for security solutions at Masergy. He is responsible for guiding the development, evolution and implementation of Masergy's Unified Enterprise Security services platform. Trevor contributed to the development of the patented Network Behavioral Analysis technology at the core of the Masergy’s security solutions aimed at detecting APTs and other advanced threats effecting customer networks.

Related Content