Self-Managed VPN Security Risks & Cyber Insurance: Potential Impact on Renewal Rates
No business is immune to cybersecurity threats. In a rapidly changing technology landscape, small and mid-sized companies face sophisticated attackers, increasingly aided by AI, and must work hard to stay ahead.
Laura Ledbetter, a cyber insurance wholesale specialty broker at Synergy an Accretive Company, said, "Cyber insurance carriers are watching closely. They want to know where organizations might be vulnerable to determine premiums." One area of increasing concern is the self-managed Virtual Private Network (VPN).
Cyber Insurance Underwriting Considerations
Insurers continue to rigorously assess security posture, looking for additional controls like MFA, endpoint security, and network segmentation to mitigate VPN security risks. Self-managed VPNs are currently associated with a marked rise in insured losses. As a result, some underwriters are scrutinizing them closely, with consequences for renewal pricing and sub-limits.
To help clients manage their risks and renewals, agents need to understand self-managed VPNs. They should know how these VPNs work and how they can be breached. Helping clients understand their risks and encouraging them to harden their network defenses shows a vested interest in clients’ overall risk management strategy.
The Exposure
Tim Femister, Managing Principal at the cybersecurity firm Firestorm Global, explained, “A VPN functions as a remote gateway into an organization’s network. In many cases, a VPN connection allows a user into the network through the firewall, which commonly bypasses the firewall inspection that would normally occur with outside traffic.
Threat actors target VPN environments because they are externally visible, facilitating an easy pathway to attempt entry. When an organization creates a VPN subdomain, such as vpn.acmecorp.com, it is an advertisement to the outside world of a network entry point. If not carefully secured, it can create an access opportunity for bad actors to establish persistence, putting clients at greater risk for data breaches.
Cybercriminals will commonly attempt to utilize legitimate usernames and passwords found on the dark web (credential reuse), apply default account passwords and exploit known vulnerabilities to break into VPN accounts and often gain full access to the enterprise network.”
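The break-in patterns Femister describes (credential reuse and password spraying, guesses against default accounts, and the successful login that follows a burst of failures) leave a recognizable footprint in VPN authentication logs. The script below is an added example, not code from the article or from Firestorm Global, that runs those three detections over a constructed, vendor-neutral log format (the `user=`/`src=`/`result=` fields and the `vpn-gw` host name are assumptions for the example, not any appliance's real format). The sample lines are constructed, using documentation IP ranges.

```python
"""Detection logic for the VPN break-in patterns described above: password
spraying / credential stuffing from one source, attempts against default
account names, and a successful login following a failure burst.

The log format below is constructed for this example and is vendor-neutral:
    <ISO-8601 UTC timestamp> vpn-gw auth user=<name> src=<ip> result=<success|failure>
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: a spraying burst from 203.0.113.7 across many
# accounts (including the default name "admin"), followed by a success from
# the same source; plus a normal user who mistypes once from a known address.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z vpn-gw auth user=alice src=198.51.100.20 result=success
2024-05-01T08:00:05Z vpn-gw auth user=alice src=203.0.113.7 result=failure
2024-05-01T08:00:06Z vpn-gw auth user=bob src=203.0.113.7 result=failure
2024-05-01T08:00:07Z vpn-gw auth user=carol src=203.0.113.7 result=failure
2024-05-01T08:00:08Z vpn-gw auth user=dave src=203.0.113.7 result=failure
2024-05-01T08:00:09Z vpn-gw auth user=erin src=203.0.113.7 result=failure
2024-05-01T08:00:10Z vpn-gw auth user=admin src=203.0.113.7 result=failure
2024-05-01T08:00:15Z vpn-gw auth user=frank src=203.0.113.7 result=success
2024-05-01T09:12:44Z vpn-gw auth user=bob src=198.51.100.21 result=failure
2024-05-01T09:12:50Z vpn-gw auth user=bob src=198.51.100.21 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Names that ship as defaults on many appliances or are guessed first.
DEFAULT_ACCOUNTS = {"admin", "administrator", "guest", "test", "vpn", "root"}


def parse_log(text):
    """Parse matching lines into dicts; lines in any other format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def analyse(events, spray_threshold=5):
    """Return three findings:

    spraying:            src -> sorted users, for sources that failed against
                         at least spray_threshold distinct usernames
    default_accounts:    sorted (user, src) pairs that tried a default name
    success_after_burst: sorted (src, user) pairs where a flagged source
                         logged in successfully after its first failure
    """
    failed_users_by_src = defaultdict(set)
    first_failure = {}
    for ev in events:
        if ev["result"] == "failure":
            failed_users_by_src[ev["src"]].add(ev["user"])
            t = first_failure.get(ev["src"])
            if t is None or ev["ts"] < t:
                first_failure[ev["src"]] = ev["ts"]

    spraying = {src: sorted(users)
                for src, users in failed_users_by_src.items()
                if len(users) >= spray_threshold}

    default_accounts = sorted({(ev["user"], ev["src"]) for ev in events
                               if ev["user"].lower() in DEFAULT_ACCOUNTS})

    success_after_burst = sorted({(ev["src"], ev["user"]) for ev in events
                                  if ev["result"] == "success"
                                  and ev["src"] in spraying
                                  and ev["ts"] > first_failure[ev["src"]]})

    return {"spraying": spraying,
            "default_accounts": default_accounts,
            "success_after_burst": success_after_burst}


if __name__ == "__main__":
    for name, hits in analyse(parse_log(SAMPLE_LOG)).items():
        print(f"{name}: {hits}")
```

The spraying rule counts distinct usernames per source rather than raw failures, which is what separates a spray from one user fat-fingering a password; the "success after burst" finding is the one to page on, because it is the signature of a credential that actually worked. Thresholds and the default-name list should be tuned to the appliance and user population in question.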
Likelihood of a Claim on the Rise
At-Bay, a company that provides cyber insurance and risk management solutions, reports that "companies using self-managed VPNs are 11 times more likely to experience a direct ransomware attack. Claims frequency of ransomware jumped 64% year over year."
Claim severity (the cost per claim) is up too, so a claim is not only more likely but also more costly. Coalition, another provider of comprehensive insurance coverage and cybersecurity tools, reports that cyber insurance policyholders are seeing a "10% increase each year in claims severity. The average loss is $100,000." Other markets are reporting similar trends.
What to Expect at Renewal
In the past, MFA (multi-factor authentication) was considered a strong security control for VPN access. However, threat actors have adapted, for example by phishing one-time codes or flooding users with push prompts until one is approved, and MFA alone is no longer enough to prevent breaches. Insurers are now looking for additional controls, such as Zero Trust architectures, endpoint security, phishing-resistant MFA, network segmentation, and continuous monitoring. Companies with self-managed VPNs may face higher scrutiny, additional security assessments, or increased premiums.
Alternative Options
According to Femister, “For clients managing their own VPN infrastructure, it’s critically important they implement multi-factor authentication (MFA), limit active accounts to the absolute minimum (least privilege), remove all default accounts and patch frequently. Surprisingly, many organizations forget to apply MFA to VPN despite implementing it across email and other applications, so it’s important to verify MFA is applied as a mandatory control to all VPN accounts.”
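The checks Femister lists (MFA on every VPN account, the smallest possible set of active accounts, no default accounts) can be verified against an account export rather than taken on trust. The audit below is an added example, not code from the article or from Firestorm Global; the inventory is a constructed list of records and its field names (`user`, `enabled`, `mfa`, `last_login`) are assumptions for the example, not any vendor's schema. Patch currency, the fourth item on his list, is appliance-specific and is not checked here.

```python
"""Audit of a VPN account inventory against the hardening points above: MFA
enforced on every active account, no default accounts, and no dormant
accounts left enabled (least privilege).

The inventory is a constructed list of dicts, as you might load from an
appliance's CSV export; the field names are assumptions for this example,
not any vendor's schema.
"""
from datetime import datetime, timedelta

DEFAULT_ACCOUNTS = {"admin", "administrator", "guest", "test", "vpn", "root"}

# Constructed inventory: a clean user, a user without MFA, an enabled default
# account, a dormant user, an account that has never logged in, and a
# disabled account that should not be reported.
SAMPLE_INVENTORY = [
    {"user": "alice", "enabled": True,  "mfa": True,  "last_login": "2024-04-28"},
    {"user": "bob",   "enabled": True,  "mfa": False, "last_login": "2024-04-30"},
    {"user": "admin", "enabled": True,  "mfa": True,  "last_login": "2023-01-15"},
    {"user": "carol", "enabled": True,  "mfa": True,  "last_login": "2023-11-02"},
    {"user": "erin",  "enabled": True,  "mfa": True,  "last_login": None},
    {"user": "dave",  "enabled": False, "mfa": False, "last_login": "2022-06-01"},
]


def audit(inventory, as_of, dormant_days=90):
    """Return the accounts that violate each control and an overall verdict.

    Only enabled accounts are evaluated: a disabled account cannot be used to
    log in, so it is not an exposure, though it is still worth deleting.
    An account with no recorded login is treated as dormant.
    """
    cutoff = datetime.strptime(as_of, "%Y-%m-%d") - timedelta(days=dormant_days)
    active = [a for a in inventory if a["enabled"]]

    no_mfa = sorted(a["user"] for a in active if not a["mfa"])
    defaults = sorted(a["user"] for a in active
                      if a["user"].lower() in DEFAULT_ACCOUNTS)
    dormant = sorted(a["user"] for a in active
                     if a["last_login"] is None
                     or datetime.strptime(a["last_login"], "%Y-%m-%d") < cutoff)

    return {"no_mfa": no_mfa,
            "default_accounts": defaults,
            "dormant": dormant,
            "passes": not (no_mfa or defaults or dormant)}


if __name__ == "__main__":
    result = audit(SAMPLE_INVENTORY, as_of="2024-05-01")
    for control, users in result.items():
        print(f"{control}: {users}")
```

Run this against a fresh export before each renewal and after any staffing change; a non-empty `no_mfa` list is exactly the gap Femister says organizations overlook, and the `dormant` list is the input to the least-privilege cleanup.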
Modern organizations are actively limiting or eliminating their VPN environments in favor of cloud-delivered remote access solutions or cloud-based applications. Security Service Edge (SSE), Zero Trust Network Access (ZTNA), and VPN as a Service have emerged as alternatives for remote access; ZTNA in particular brokers access to individual applications after verifying user identity and device posture, rather than placing the remote user on the internal network. Security vendors like Zscaler, Palo Alto Networks and Cisco provide options for organizations to access their private applications more securely while maintaining similar functionality for users, thereby reducing their exposures and potential insurance costs or claims.
Femister added, “Every organization should evaluate its VPN use cases as part of an information security roadmap exercise. In many cases, organizations can identify alternative methods to get to private data and applications traditionally accessed by VPN. In general, the user population requiring VPN for normal tasks diminishes on a regular basis due to the continued shift towards software-as-a-service (SaaS) apps that replace legacy on-premises applications.”
Conclusion
The risks in our digital, AI-driven world are significant. However, businesses of all sizes can find ways to reduce these risks. Just like you take care of your health, a business must watch over its network and cyber security to keep its defenses strong.
Switching from a self-managed VPN is an important step. It helps strengthen defenses and better protects businesses. This change may also lower cyber insurance costs.
Obtain a Cyber Insurance Opinion
When insurance agents work with a wholesale broker who specializes in cyber coverage, they gain access to useful resources. These resources help clients understand their risks. The broker also assists agents in finding the important coverages their clients' businesses need. "The insurers we work with help companies keep up with the best ways to prevent cyberattacks,” said Ledbetter.
Our experienced team of cyber insurance specialists across Accretive provides the necessary insights and access to competitive markets that are committed to delivering value. Connect with a dedicated cyber professional early in the process to discuss your new or renewal account needs and to help your clients succeed.