Cyber insurance helps cover the financial fallout of an incident involving one of the most important assets your company has: its data. After several recent high-profile security incidents, insurers have tightened the requirements a business must meet to qualify for reasonable cyber insurance premiums.
Use the questions below to prepare yourself for the questions you will encounter when applying for and renewing your cyber insurance.
1. Do you perform regular backups and store them in a secure off-site location?
Regular backups are your primary defense against ransomware. At least one copy of every backup should go to an off-site location, usually a cloud backup service or a private data center. That copy should not be reachable with the same credentials that manage your production network; otherwise ransomware that gets in will encrypt or delete the backups along with everything else. Test a restore periodically: a backup you have never restored is an assumption, not a control.
2. Do you limit remote access to all computer systems by using two-factor authentication (not just Office 365)?
Two-factor authentication requires both a password and a second factor, such as a code from an authenticator app, a push notification to a registered smartphone, or a hardware security key, before access to the network or application is granted. It does not stop criminals from cracking or phishing passwords; it stops a stolen password from being enough on its own. Insurers ask about remote access specifically (VPN, remote desktop, webmail and any other externally reachable login), not just Office 365, because an unprotected remote entry point is a common starting point for ransomware. Codes sent by SMS or email are better than nothing but can be intercepted or redirected, so prefer app- or hardware-based factors.
3. How many PII records are held on your network?
PII (Personally Identifiable Information) records are any computer files that contain data directly related to an individual. This includes biometric records, birthdates, credit card information, social security numbers, mother’s maiden name, etc. The more PII records that are in your system, the more attractive a target it is for criminals.
4. Do you provide periodic security training to employees?
Cybersecurity awareness training is a must. Your employees can be the weak link in an otherwise strong chain of IT security. Security training helps them understand their role and limits the risk that an employee falls for phishing or social engineering tactics leveraged by criminals.
5. Do you provide security training to employees and contractors upon hire?
The timing of your security training matters. If security training is not part of your employee and contractor onboarding process, the gap between a person's start date and their first training is a window in which they have access but have not yet been told what to watch for.
6. Do you conduct phishing assessments? If so, how frequently?
Phishing is a tactic in which cybercriminals send emails designed to trick the recipient into clicking a malicious link, opening an infected attachment, or entering credentials on a look-alike login page. Phishing assessments are live "fire drills": simulated phishing emails are sent to staff to measure whether the awareness training has stuck. The useful metrics are the click rate and, just as importantly, the report rate, because a workforce that reports suspicious mail quickly gives your responders an early warning. Running the assessments regularly lets you track both over time.
7. How do you protect privileged accounts (such as Global Administrator in Office 365 or Server Administrator accounts)?
Not all accounts in your organization are equally valuable to a cybercriminal. Privileged accounts, such as a domain, server, or Global Administrator account, provide access to far more of your systems, so an attacker who takes one over can do much more damage than one holding an ordinary user account. Privileged accounts therefore need additional layers of protection: MFA that cannot be bypassed, separate admin accounts that are never used for email or web browsing, as few of them as possible, and logging of when and how they are used.
8. Are processes in place to request changes to bank account details including account numbers, telephone numbers, or contact information?
This question is about payment fraud rather than data theft. In a business email compromise, a criminal impersonates a vendor, a customer, or one of your own executives and asks your finance team to update the bank account or contact details used for payments; the next invoice is then paid into the attacker's account. The control insurers want to see is a written process: any request to change banking or contact details is verified by calling a phone number you already have on file (never one supplied in the request), is approved by a second person, and is recorded. Knowing who owns that process and how quickly a fraudulent change can be reversed is part of your incident response as well.
9. Are you using Office 365? If so, do you have MFA enabled? Do you use Advanced Threat Protection?
Office 365 is a first-class tool for office productivity, but if it is not properly secured it becomes a hole in your defenses, since it is reachable from anywhere on the internet. Requiring MFA (Multi-Factor Authentication) for every login, the same idea as the 2FA discussed above, means a phished or leaked password is not enough to get into a mailbox. Advanced Threat Protection, now sold as Microsoft Defender for Office 365, adds email-focused protections on top of basic spam filtering: Safe Attachments opens attachments in a sandbox before delivery, Safe Links checks URLs at the moment they are clicked, and anti-phishing policies flag messages that impersonate your users or domains.
10. Can users access email through a web application on a non-corporate device?
Non-corporate devices fall outside the protective umbrella of the security controls your IT team implements and manages: they may be unpatched, lack endpoint protection, or already be infected. Reading company email on such a device exposes the mail itself, and the logged-in session, to whatever else is running on that machine. If you must allow it, require MFA and use conditional access rules that restrict what an unmanaged device can do, or block unmanaged devices entirely.
11. Do you strictly enforce SPF on incoming emails?
SPF (Sender Policy Framework) is an email authentication technique. A domain owner publishes a DNS record listing the servers allowed to send mail on the domain's behalf; a receiving mail server looks up that record and checks whether the connecting server's IP address is on the list. SPF does not keep anyone out of your email systems; it lets other organizations reject messages that forge your domain, and lets you reject messages that forge theirs. "Strictly enforcing" SPF on incoming mail means rejecting or quarantining messages that fail the check rather than merely tagging them, which stops a large share of spoofed invoices and CEO-fraud emails before anyone sees them. Publishing a record for your own domains that ends in "-all", and adding DKIM and DMARC, completes the picture.
12. Are your backups encrypted and kept separate from the network whether offline or with a specialist cloud service?
Encrypting backups is a central component of data protection. With strong encryption, such as AES-256, the data is usable only by someone holding the key, so even a criminal who reaches the backup location cannot read what they have copied. That guarantee depends on the key being stored somewhere the attacker cannot reach along with the backups, and on you being able to retrieve it during a recovery. As we have mentioned earlier, keeping a separate copy off-site, in the cloud or in a private data center, and disconnected from the production network so that ransomware cannot reach it, is critical.
13. Do you use endpoint protection in the network? What brand?
Every device that connects to your network, whether a server, desktop, laptop, tablet, smartphone, or IoT device, is an "endpoint," and each one is a potential point of entry for attackers. Endpoint protection guards those devices against malware, including newer threats that signature-based antivirus alone would miss. The brand matters because not every product on the market is business-class: consumer antivirus lacks central management, tamper protection, and the detection-and-response features (often labelled EDR) that insurers increasingly expect, and it should not be relied on for business systems.
14. How long does it take you to install critical patches from your vendors?
Whenever a vulnerability is discovered in an application or operating system, the vendor releases a "patch" that closes off that potential access point. Until the patch is applied your systems remain exposed, and attackers routinely scan for known, unpatched flaws within days of a patch being released. Insurers want a defined target (for example, critical patches within a set number of days) and evidence that you measure and meet it.
15. Do you have a SOC that is monitoring logs from systems?
A SOC is a Security Operations Center: the team and tooling that monitor your environment, triage alerts, and respond to real or potential threats. It can be in-house, but smaller organizations usually buy it from an IT services provider that specializes in cybersecurity (often sold as managed detection and response). Collecting logs from endpoints, servers, firewalls, and cloud services is what makes this possible: an attacker's activity shows up in logs long before it shows up as a ransom note, and a SOC that watches those logs around the clock can respond while an intrusion is still small.
16. What steps are you taking to detect and prevent ransomware attacks?
Ransomware has been all over the news. It is a global threat tied to lone hackers, cybercriminal syndicates, and even hostile nation-states. No single tactic such as antivirus defeats it; protection requires a full slate of controls working together, and most of the questions on this list (MFA, patching, offline backups, endpoint protection, least privilege, segmentation, monitoring) are pieces of that answer. The appropriate mix depends on the data you are protecting, your industry, your compliance requirements, and your risk tolerance.
17. Do you allow users to have local administrator rights?
Local admin rights let employees install software on their own devices. Unfortunately, that also means any malware the employee runs, whether from a phishing attachment or a trojanized download, runs with the same rights: it can disable security tools, install drivers, and harvest credentials from the machine. For optimal security, software should be installed and controlled by your IT team, and everyday accounts should be standard users. Giving users local admin rights is therefore not best practice.
18. Do you provide employees with password management software?
Left to themselves, employees reset passwords constantly, reuse old ones, use the same password for multiple applications, or write them down on sticky notes. A password manager removes the reason for those habits: it generates a long, random, unique password for each application and fills it in, so the user only has to remember one strong master password (which should itself be protected by MFA). Many managers also warn when a stored password has appeared in a known breach.
19. Do you segment your network?
Network segmentation is like splitting your money between two or three local banks: if one bank is robbed, the money in the others is safe. By segmenting your network, and restricting which segments can talk to which, you keep an attacker who compromises one machine from moving laterally to reach everything else. In a segmented network a breach can be contained to the segment that was compromised, and an attempt to cross a segment boundary is itself something your monitoring can detect.
20. Do you have a security baseline in place for servers, laptops, desktops, and managed mobile devices?
A security baseline is a predetermined set of operating system and application configurations applied uniformly across your company, and it forms the minimum protective state of your organization. A company can no longer assume that a device's stock configuration is adequate. Published benchmarks such as the CIS Benchmarks and vendor security baselines are a good starting point; enforce the result through group policy or a device management tool and monitor for drift. Implementing and enforcing a baseline lets you demonstrate to your cyber insurance provider that you meet their minimum security expectations.
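Questions 2 and 9 both rest on a second factor, and the six-digit codes an authenticator app shows are produced by a public algorithm: TOTP (RFC 6238), built on HOTP (RFC 4226). The script below is an added example, not code from the original article. It implements that algorithm with the Python standard library and adds a server-side verifier that tolerates one time step of clock skew and refuses to accept a code that has already been used. The secret is the RFC 6238 test secret, chosen so the published test vectors can be checked; a real enrolment generates a random secret per user.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with a replay-resistant verifier.

Added example; not the article's code. Standard library only.
"""
import base64
import hashlib
import hmac
import struct
import time

# The RFC 6238 test secret "12345678901234567890", base32-encoded the way
# authenticator apps expect it. A real deployment uses a random per-user secret.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from the current 30-second window."""
    return hotp(secret_b32, int(unix_time) // step, digits)


class TotpVerifier:
    """Server-side check: constant-time compare, +/-skew steps, no code reuse."""

    def __init__(self, secret_b32, step=30, skew=1):
        self.secret = secret_b32
        self.step = step
        self.skew = skew
        self.last_counter = -1  # highest counter already accepted for this user

    def verify(self, code, unix_time=None):
        now = int(time.time() if unix_time is None else unix_time)
        counter = now // self.step
        for offset in range(-self.skew, self.skew + 1):
            candidate = counter + offset
            if candidate <= self.last_counter:
                continue  # already used, or older than a code we accepted
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # What an authenticator app would display right now for the demo secret.
    print("current code:", totp(DEMO_SECRET_B32, time.time()))
```

The replay guard is the part most home-grown implementations forget: a phished code is valid for the rest of its 30-second window plus the skew allowance, so the server must remember the last counter it accepted per user and never accept that counter, or an earlier one, again.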
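For question 11, the check a receiving mail server performs is easier to reason about when written out. The script below is an added example, not the article's code. In place of real DNS lookups it uses a constructed in-memory zone (example.com, mail.example.net, loop.example and the other names are hypothetical) so it runs offline; it evaluates the common SPF mechanisms (ip4, ip6, a, mx, include, all) with their qualifiers, applies the RFC 7208 limit of ten DNS-querying mechanisms, and maps the result to the accept/quarantine/reject decision that "strict enforcement" refers to.

```python
"""Evaluate SPF for a sending IP against a constructed DNS zone.

Added example; not the article's code. A real MTA queries DNS; the
hypothetical ZONE below stands in for it so the script runs offline.
"""
import ipaddress

# Constructed zone: TXT holds the SPF record, A the addresses used by the
# 'a' mechanism, MX the mail hosts used by the 'mx' mechanism.
ZONE = {
    "example.com": {
        "TXT": "v=spf1 ip4:203.0.113.0/24 a mx include:mail.example.net -all",
        "A": ["198.51.100.10"],
        "MX": ["mx1.example.com"],
    },
    "mx1.example.com": {"A": ["198.51.100.20"]},
    "mail.example.net": {"TXT": "v=spf1 ip4:192.0.2.0/24 ~all"},
    "loop.example": {"TXT": "v=spf1 include:loop.example -all"},
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 4.6.4: include/a/mx (and others) count toward this
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, zone=ZONE, _lookups=None):
    """Return pass, fail, softfail, neutral, none or permerror for ip sending as domain.

    Only ip4/ip6/a/mx/include/all are implemented; exists, ptr and the
    redirect=/exp= modifiers are reported as permerror in this example.
    """
    if _lookups is None:
        _lookups = {"n": 0}  # shared counter across include recursion
    ip = ipaddress.ip_address(ip)
    record = zone.get(domain, {}).get("TXT")
    if not record or not record.lower().startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # ip_network.__contains__ is False across address families
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name in ("a", "mx", "include"):
            _lookups["n"] += 1
            if _lookups["n"] > MAX_DNS_LOOKUPS:
                return "permerror"
            target = arg or domain
            if name == "include":
                sub = check_host(ip, target, zone, _lookups)
                if sub in ("permerror", "none"):
                    return "permerror"  # RFC 7208 5.2: included 'none' is an error
                matched = sub == "pass"  # include matches only on pass
            elif name == "a":
                matched = str(ip) in zone.get(target, {}).get("A", [])
            else:  # mx: the MX query counts once; per-host A lookups have their own cap
                for mx_host in zone.get(target, {}).get("MX", []):
                    if str(ip) in zone.get(mx_host, {}).get("A", []):
                        matched = True
                        break
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record had no 'all'


def enforce(result, strict=True):
    """Map an SPF result to an MTA action; strict mode also rejects softfail."""
    if result in ("fail", "permerror"):
        return "reject"
    if result == "softfail":
        return "reject" if strict else "quarantine"
    return "accept"


if __name__ == "__main__":
    for sender in ("203.0.113.7", "198.51.100.20", "2001:db8::1"):
        result = check_host(sender, "example.com")
        print(sender, result, enforce(result))
```

Two details drive the policy decision. A record ending in "~all" (softfail) is what many domains publish while they are still cataloguing their senders, so rejecting softfail will bounce some legitimate mail; quarantining it is the usual compromise. And because SPF checks the envelope sender rather than the From: header a user sees, it should be paired with DMARC, which ties the two together.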
Cyber insurance is no longer a nice umbrella of protection to have; it has become a business necessity. By knowing and documenting the answers to these 20 questions, you will be able to apply for and obtain this essential coverage more easily.
The cost of cyber insurance, like your home insurance, is based on the risk to the insurance company. The more you can mitigate your exposure to cybercrime, the more favorably the insurer will look at your application. Answering the above questions comprehensively and bringing your IT systems in line may require the assistance of a trusted IT partner. In addition, document all your cybersecurity processes, because the insurer will ask for evidence, not just answers, and that documentation is what demonstrates your compliance.