In the early days of cyber insurance, carriers were much more relaxed about writing policies. They didn’t have a good understanding of the risks involved, and as a result, they lost a lot of money on their cyber policies.
Carriers have finally caught on to the real risk and cost of cyber crime and have begun raising the security requirements for the businesses they insure. To get a cyber policy today you will have to fill out a questionnaire, providing a detailed explanation of all your security tools and processes. Through these questionnaires, a set of core security controls has been established. If you’re missing any of these 5 controls, your application may get rejected.
1. Multi-Factor Authentication
In the wake of high-profile data breaches, many companies have begun to require multi-factor authentication (MFA) for cybersecurity. MFA helps protect sensitive data by requiring users to verify their identity using multiple factors.
The most common form of MFA requires users to provide passwords, fingerprints, or other biometric identifiers. However, other forms of MFA can also be used, such as requiring a user to possess both a physical token and a knowledge-based factor (such as a PIN).
By requiring MFA, companies can help ensure only authorized individuals can access sensitive data. In the event of a data breach, companies with MFA in place can often avoid costly fines and damages. As a result, MFA has become an essential part of any comprehensive cybersecurity strategy.
2. Security Awareness Training & Testing
To qualify for cyber insurance, businesses must undergo security awareness training and testing. By ensuring employees are up to date on security threats and procedures, businesses can help reduce their risk of becoming the victim of a cyber attack. By conducting regular mock phishing campaigns (i.e. testing) you’re instilling a baseline level of vigilance in your team towards suspicious emails, because no one wants to fail a test phishing email and be enrolled in more training.
3. Separate Backups
Many believe a single data backup is enough to protect them from potential cyberattacks. However, this is not the case. To be fully protected, it is important to keep your backups separate from your environment.
If one backup is compromised, you will still have another safe copy. Furthermore, it is also important to have backups in different locations. This way, your data will still be safe if one location is attacked.
Having separate backups is essential to getting cyber insurance. Without it, you are at a much higher risk of being left without protection if your data is compromised.
4. Endpoint Detection & Response/Managed Detection & Response
One key factor to consider is whether your organization has adequate endpoint detection and response (EDR) or managed detection and response (MDR). EDR and MDR are critical components of any effective cybersecurity program, as they can recognize and shut down high-risk or unusual behaviors. Our MDR protected us from a zero-day cyber attack, so we have a lot of confidence in this tool.
EDR refers to the tool itself, while MDR is a service where real people will monitor your EDR tool and investigate/respond to threats.
5. Vulnerability Management
Vulnerability management is the practice of detecting, classifying, repairing, and mitigating exposures. It’s a continuous process your organization should embed in its overall security posture.
A vulnerability is a flaw or weakness in an information system, system component, or application that a threat actor can exploit to gain unauthorized access to sensitive data or systems. Vulnerability scanning is a critical component of vulnerability management.
It helps organizations identify vulnerabilities in their network before attackers can exploit them. You should conduct external vulnerability scanning periodically to identify any weaknesses external threat actors could exploit. You should conduct internal vulnerability scanning more frequently to identify weaknesses internal users with malicious intent could exploit.
Cyber insurance policies typically require companies to have an active and comprehensive vulnerability management program to qualify for coverage. Cyber insurance providers view vulnerability management as essential to risk mitigation and prevention.
The Bottom Line
Cyber insurance is a complex topic, and there is no one-size-fits-all solution. However, businesses should carefully consider their needs before making a final decision. Without adequate security controls, they may find it difficult (if not impossible) to obtain coverage. It is important to realize that security is constantly evolving. Today carriers are requiring these 5 security elements, but by your next renewal this list may grow to 10 elements. It is important that you stay on top of security so that you’re not scrambling to catch up the next time you’re applying for cyber coverage.