Gone are the days when antivirus software was enough to protect businesses from cyber threats and malware attacks. Modern cybercrime is constantly evolving to produce more complicated, stealthy attacks that require companies to employ proactive security solutions. In this new landscape, endpoints are often the most common target, with 81% of companies reporting malware attacks on business devices [1]. Fortunately, endpoint detection and response (EDR) solutions are available to provide complete visibility of all endpoint devices and activities, which is vital to discovering adverse incidents with the potential to cause data loss, system intrusions, or malware attacks [1].
WHAT IS ENDPOINT DETECTION & RESPONSE (EDR) AND HOW DOES IT WORK?
EDR is a cyber security solution that gathers and examines potential threat data from network endpoints like a smartphone, desktop, or laptop to quickly identify and respond to cyberattacks or security breaches in real time. In conjunction with endpoint monitoring, robust EDR solutions generally handle threat data collection, threat pattern analysis, deployment of automatic threat response, and forensic analysis of any cyber incidents [1]. Because EDR solutions monitor network events across all endpoints and workloads, they give security teams a more comprehensive network view. For example, EDR solutions can spot unusual activities like login attempts at strange times or from unknown devices, enabling IT security teams to rapidly address potential threats to system or data integrity, confidentiality, or availability.
HOW CAN EDR HELP PROTECT YOUR COMPANY?
The average IT department manages thousands of endpoints across a company’s network, including not only desktops and servers, but tablets, laptops, smart watches, digital assistants, and smartphones. The number of endpoints requiring management continues to grow as remote work becomes more popular across many industries. As the number of endpoints expands, so does the opportunity for cybercrime. While today's antivirus solutions can accurately identify and block many new types of malware, hackers constantly create new variants that are difficult to detect and easily go unnoticed. For example, recently developed fileless malware operates in the computer's memory, successfully avoiding malware signature scanners. However, employing EDR solutions in partnership with Multi-Factor Authentication (MFA) can help protect company networks or systems from a variety of threats including stolen login credentials, malicious scripts, and fileless malware [2].
Companies that utilize EDR technology benefit from leveraging machine learning and artificial intelligence to continuously build knowledge around user behaviors, which makes it easier to detect when a user engages in suspicious activity, such as trying to access restricted information. The activity is then flagged for further investigation by an IT administrator. In addition, a solid EDR solution is also capable of tracking the malicious tactics, methods, or techniques used by adversaries, and tracing attack paths back to the initial entry point, making EDR a foundational piece of any strong cybersecurity plan.
Clients will find that as the cybercrime landscape continues to change, the barrier to entry for procuring cyber insurance coverage will mean utilizing EDR and MFA to mitigate evolving risks. While implementation of MFA and EDR was previously the exception, it’s now more of a rule. It’s anticipated that adoption of EDR will increase dramatically over the next few years with EDR sales growing by nearly 26% each year, ultimately reaching more than $7 billion by 2026 [2]. These days underwriting expects cyber coverage submissions to include details around the precautions insureds are taking to prevent falling victim to a cyberattack. In fact, the majority of carriers placing cyber business currently require that insureds utilize MFA, and failing to do so can result in a declination of coverage.
EDR is also considered highly important, and those approaching renewal may find themselves at risk of losing coverage if it’s not in place. If coverage is still offered, failing to utilize EDR will alternatively mean paying a higher premium for a policy that sub-limits extortion, ransomware, or other cybercrime. If a company is approaching renewal and is unsure where to turn for assistance in implementing EDR or MFA measures, clients can reach out to their current cyber carrier for assistance, as carriers often have a panel of vendors available that can provide needed services at a discount.
WHY IS EDR IMPORTANT TO UNDERWRITING?
Having an EDR system in place can play a pivotal role in the insured’s cyber renewal as it provides valuable insights into an organization’s cybersecurity posture, incident response capabilities, and potential risks.
Risk Assessment. EDR solutions provide visibility into the security posture of an organization’s endpoints (computers, servers, devices). This data helps underwriters assess the level of cybersecurity maturity and potential risks associated with a policyholder.
Incident Response Capability. EDR tools allow organizations to detect and respond to cyber incidents promptly. For underwriters, this means policyholders are better equipped to handle potential cyber threats, reducing the likelihood of large-scale losses.
Loss Mitigation. By using EDR, organizations can identify and mitigate cyber threats before they escalate into significant incidents. This proactive approach can lead to reduced claim frequency and severity, benefiting both the policyholder and the insurer.
Pricing Accuracy. When the policyholder has satisfactory endpoint detection and response capacity, underwriters can make more informed decisions about cyber insurance pricing. They can assess the effectiveness of an organization’s security measures and adjust premiums based on the level of cyber risk.
Regulatory Compliance. EDR tools play a critical role in helping organizations comply with cybersecurity regulations and requirements.
Incident Investigation. In the event of a cyber incident, EDR data can aid in the investigation and analysis of the attack during the event handling process. This information is valuable for understanding the scope of the breach and assessing the impact on the policyholder.
HOW DOES UTILIZING EDR AFFECT YOUR CYBER POLICY?
This cyber control can impact the premium or coverages offered and can even limit the number of carriers willing to provide a quote. Below is a snapshot of how employing EDR can currently affect quotes from our carrier partners.
One carrier indicated that for insureds with over $10M in revenue, Ransomware/Malware Coverage is typically sublimited if an EDR system is not in place. This sublimit may be removed upon implementation of an EDR system. In addition, if an insured employs EDR, credits can be applied to lower the insured’s overall rate. Another carrier shared that if an insured is utilizing EDR, additional premium credits can be applied compared to an insured lacking an EDR system.
A third carrier partner advised that if an insured maintains $250M+ in revenue, MFA and EDR are required, regardless of the limit offered. For those with $100M - $250M in revenue in unchallenged classes, EDR is required to achieve limits of $3M or higher. Challenged classes with $50M - $100M in revenue require MFA for the network and local or remote privileged access, regardless of limit. Once revenue surpasses $100M, these classes also require EDR, no matter the limit. Without EDR in place, various $250K first party sublimits are often included along with a 25% coinsurance requirement.
The pricing impact of EDR can range from a 5% credit to a 100% debit depending on the class of business and revenue size. The coverages commonly affected include Breach Event Costs, System Failure, Dependent System Failure, and Extortion/Ransomware.
Endpoints will continue to be targeted by attackers, and compromised data, networks, or systems are inevitable unless organizations implement adequate EDR solutions. EDR is a vital piece of any thorough risk management plan, offering advanced threat tracking and intelligence capabilities that can help prevent lost revenue, operational time, or data because of a cyberattack [1]. While some companies still assume that EDR is an optional add-on they don’t really need, it’s actually a vital tool that offers advanced cyber threat tracking and intelligence capabilities that can help companies avoid the headache and expense of a breach [1]. Reach out to your local CRC producer today to learn more about how we can help protect your clients with specialized insurance solutions.
- Austin Houston is an Associate Broker with CRC Group’s Nashville, TN office and a member of the ExecPro Practice Group.
- Chris Zepeda is an Associate Broker with CRC Group’s Boca Raton, FL office and a member of the ExecPro Practice Group.
- What is Endpoint Detection, and How Can It Help Your Company?, Solutions Review, February 11, 2022. https://solutionsreview.com/endpoint-security/what-is-endpoint-detection-and-how-can-it-help-your-company/
- What is Endpoint Detection and Response (EDR)?, McAfee. https://www.mcafee.com/enterprise/en-us/security-awareness/endpoint/what-is-endpoint-detection-and-response.html
- Endpoint Detection and Response Market Analysis, Mordor Intelligence. https://www.mordorintelligence.com/industry-reports/endpoint-detection-and-response-market