As many business owners know, cyber insurance coverage can be difficult to navigate, and it is also becoming increasingly difficult to secure. Organizations of all sizes now face a greater number of sophisticated cyber threats, and must defend a blurrier network security perimeter, with many employees working at least some of the time from remote locations, using work and personal devices alike. Cyber insurers are responding by tightening their underwriting guidelines and, increasingly often, denying coverage to organizations that don’t have specific cybersecurity controls in place.
Instead of relying on cyber liability insurance coverage to act as your cybersecurity program, businesses now need to build relevant, scalable, manageable cybersecurity programs that reduce their reliance on cyber insurance. Cyber insurance is not cybersecurity.
In practical terms, buying cyber liability insurance as your cybersecurity program is like buying homeowner’s insurance so you don’t have to buy smoke detectors. When you have a fire, your homeowner’s insurance claim will not save your family.
It should be quite simple: Build a manageable cybersecurity program, reduce your exposure to risk, and, therefore, control your cyber liability rates.
Getting insured will become more difficult in 2022. Businesses that cannot verify proper controls will not be renewed, even if the company has had a longstanding policy in place with a particular insurer. Policyholders will need to prove, with proper documentation, that the controls they say are in place are truly there. The burden of proof will be on the insured entity, not the insurance company, to show that the controls listed in the policy were being followed prior to a breach. Below are examples of the controls you may be required to have in place.
Minimum Required Controls
The minimum controls that carriers want to see implemented before they will offer terms all address well-known causes of cybersecurity incidents. Here are some of the things you need to do to meet them:
Secure your email: Email is the biggest attack vector for malware because busy employees can’t always tell a malicious link or attachment from a legitimate one. Spam filtering and other basic email security measures can go a long way in making email safer to use for everyone.
Take advantage of multi-factor authentication (MFA): Passwords alone don’t provide sufficient protection because a single password leak or brute-force attack can have disastrous consequences. By requiring users to provide two or more verification factors, MFA successfully blocks 99.9 percent of all account hacks.
Implement a basic backup and recovery strategy: A relatively basic backup and recovery strategy that protects key systems and databases is often enough to restore lost data following a breach and minimize its financial impact.
Regularly patch all software: Unpatched software may contain easily exploitable security vulnerabilities, so regular patching is a must. Patch management solutions keep your organization’s software stack and IT infrastructure up to date.
Invest in cybersecurity awareness training: Employees remain the weakest link in the cybersecurity chain, but they don’t have to be. Regular cybersecurity awareness training can equip them with the knowledge and skills they need to defend themselves.
Baseline Controls
Since the bare minimum is no longer enough to reliably keep increasingly sophisticated cyber threats at bay in 2021, many carriers would consider the baseline controls described below as the new minimum:
Document your incident response plan: The first seconds, minutes, and hours following a data breach are critical because they can be the difference between a speedy recovery and prolonged downtime. Having a documented incident response plan is a great way to prevent chaos and ensure that everyone knows what to do.
Have in place a comprehensive backup and recovery strategy: Backing up key systems and databases once in a while is a good start, but there’s a lot more that you can do to protect your data, including regular testing of backups, which you want to store away from your organization’s network.
Establish a secure baseline configuration: A secure baseline configuration is a documented set of agreed security settings for your operating systems, applications, and services that enables secure-by-default deployment of particular infrastructure components.
Filter web browsing traffic: The web is a dangerous place, and there’s a lot of potentially dangerous content that can be easily avoided with simple web filtering techniques.
Use a protective DNS service: One way to filter web browsing traffic is to use a protective DNS service to block suspicious domain name queries before they’re resolved. Protective DNS services are constantly updated, and virtually any device can be configured to use them.
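To make the "block suspicious queries before they are resolved" idea concrete, here is an added example (not code from the original article or from any DNS vendor) of the core decision a protective DNS filter makes. The blocklist entries and the sample query log are constructed for illustration, not a real threat feed, and the upstream resolver is represented by a stand-in function. The point worth seeing is the matching rule: a blocked domain must also block its subdomains, but must not block unrelated names that merely end in the same characters.

```python
"""Minimal protective-DNS style query filter (added illustration).

Assumptions (constructed, not from the article):
- BLOCKLIST is a made-up denylist, standing in for a vendor's threat feed.
- forward_upstream() is a stand-in for a real upstream resolver lookup.
"""
from typing import Iterable, List, Dict

# Constructed sample denylist; real services refresh this continuously.
BLOCKLIST = ["evil.example", "Phish-Login.Test.", "tracker.invalid"]


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.strip().rstrip(".").lower()


class DomainBlocklist:
    def __init__(self, entries: Iterable[str]):
        self._blocked = {normalize(e) for e in entries if normalize(e)}

    def is_blocked(self, qname: str) -> bool:
        name = normalize(qname)
        if not name:
            return False
        labels = name.split(".")
        # Match on label boundaries, walking from the full name up to its
        # parent domains: "cdn.evil.example" is caught by "evil.example",
        # but "notevil.example" is NOT, because "notevil" != "evil".
        return any(".".join(labels[i:]) in self._blocked
                   for i in range(len(labels)))


def forward_upstream(qname: str) -> Dict[str, str]:
    """Stand-in for a real upstream query; returns a fake answer."""
    return {"qname": qname, "action": "forward", "rcode": "NOERROR"}


def filter_query(qname: str, blocklist: DomainBlocklist) -> Dict[str, str]:
    """Decide per query: block (synthetic NXDOMAIN) or forward upstream.

    A blocked query never reaches the upstream resolver, which is exactly
    what makes this a useful place to stop a malicious link from working.
    """
    name = normalize(qname)
    if blocklist.is_blocked(name):
        return {"qname": name, "action": "block", "rcode": "NXDOMAIN"}
    return forward_upstream(name)


# Constructed query log, as a resolver might see it from client devices.
SAMPLE_QUERIES = [
    "www.intranet.example",
    "CDN.Evil.Example.",      # subdomain of a blocked name, odd case
    "notevil.example",        # looks similar, must NOT be blocked
    "phish-login.test",
    "mail.tracker.invalid",
]


def run_sample(queries: List[str] = SAMPLE_QUERIES) -> List[Dict[str, str]]:
    """Apply the filter to each query; blocked decisions would also be
    logged for the SOC, since blocked lookups are an early attack signal."""
    bl = DomainBlocklist(BLOCKLIST)
    return [filter_query(q, bl) for q in queries]


def blocked_count(queries: List[str] = SAMPLE_QUERIES) -> int:
    return sum(1 for r in run_sample(queries) if r["action"] == "block")


if __name__ == "__main__":
    for result in run_sample():
        print(f'{result["qname"]:25s} {result["action"]:8s} {result["rcode"]}')
```

Three of the five constructed queries are blocked; the look-alike "notevil.example" is forwarded, which is the behaviour a naive string-suffix check would get wrong. A production deployment would also log every block decision, since a spike in blocked lookups from one endpoint is often the earliest visible sign of a compromised device.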
Best Practices
Of course, carriers are most satisfied when their clients do a lot more than the bare minimum to protect their IT infrastructure and data. Ideally, they want to see them take the following steps:
Encrypt sensitive data: Data encryption greatly reduces the consequences of physical data theft, such as when a thief decides to snatch a laptop or smartphone belonging to a remote employee working from a cozy café, so it should be enabled on all devices that support it.
Use an endpoint detection and response tool: Traditional antivirus software can’t reliably protect against the wide spectrum of rapidly evolving attacks that organizations are exposed to these days. Endpoint detection and response tools make it possible for security teams to continuously monitor all endpoints from a centralized location and respond to threats quickly and effectively.
Conduct regular penetration testing: The purpose of penetration testing is to reveal weaknesses in an organization’s cybersecurity defenses by using the same techniques real attackers would use to exploit vulnerabilities. When a weakness is discovered, it can be fixed before attackers realize that it exists.
Continually monitor all IT systems: Suspicious activity is often the first and only sign of an attack in progress. Continuous monitoring of data from multiple systems enables real humans to analyze alerts in order to determine their validity and provide guidance on the most effective remediation of detected threats.
Segment network traffic: By dividing your network into multiple segments or subnets, you can enforce granular policies and make it much more difficult for an attacker to reach valuable assets. Furthermore, network segmentation helps localize technical issues and improves monitoring.
Cyber liability insurance should not be the driver for implementing cybersecurity programs. Remember, the purpose of implementing cybersecurity programs is to 1) Reduce and manage risk exposure, and 2) Build business continuity and resilience (reduce business disruption and barriers to growth). The formula is based upon simple principles: Protect your data, protect your clients, protect your employees, protect your core business.
If you already have a cyber insurance policy and would like to renew it soon, then keep in mind that your policy premium could increase substantially unless you have in place the required controls. If you need help assessing the implementation of these controls, call us and we would be happy to discuss further.
Sources: IGI Cybersecurity, OSI Beyond