Cyber insurance is simple in concept but complicated (to put it lightly) to implement. It is a form of insurance that covers expenses related to a cybersecurity breach or similar incident. In practice, you also inherit the pain points of both insurance and cybersecurity. The requirements make sense once you abstract them a bit, but understanding the what and the why can be painful.
Business insurance contracts can already be confusing about exactly which rules apply and what pays out for what, and cyber insurance is more complicated still. It covers topics ranging from compliance to encryption, MFA, security controls, backups, and outages. You get a little bit of everything, at a level most businesses aren’t ready for. It isn’t just a technical question: there are rules, and they don’t always make sense.
Most businesses are familiar with PCI and HIPAA compliance, but there are even more standards you may or may not need to pay attention to. Which one does your cyber insurance solution use, prefer, or encourage? There are a lot of standards, but some are more pressing than others.
You also have to consider GDPR and CCPA compliance in some industries and economies. There are even more compliance solutions such as CMMC and similar popping up that are preferred. If these acronyms and letter jumbles aren’t ringing a bell, you may need to read up before applying for new insurance policies.
Cyber insurance providers are going to ask how compliant you are. You might feel confident, but are you actually compliant, or do you just think you are? What third-party audits are you performing to make sure you’re doing what you need to? Which compliance standards are you using, and how closely are you adhering to them? What are you auditing, at what depth, and how often?
Have you been certified for your compliance tasks? Who is the compliance officer for your business or client? What level of credentials do they have to make them able to fill this role? You may not need to answer all of these on the insurance form, but it’s best to have the answers available from a security and business liability standpoint.
Is data wide open or is it encrypted? What about your backups? What level or type of encryption is in use? Cyber insurance companies are going to ask these questions, and dig much, much deeper.
Are you encrypting communications internally and externally? How about VPNs between sites and for remote workers? Or do you use an advanced SASE system instead?
Encryption is a fundamental part of security and one which will come up constantly with cyber insurance offerings. Some plans may not require it for some industries, but it’s always a good plan to have some level of encryption in your security stack. Data exfiltration isn’t just a liability from an insurance perspective; it’s a liability to a business.
At the very least, it’s near trivial to implement an encryption policy for individual devices, including desktops, laptops, and phones. You can also encrypt sensitive data in SQL databases and similar stores to protect sensitive applications. Make sure backup solutions are encrypted as well wherever possible.
There isn’t a one size fits all approach to encryption. Some products you need for your industry may not work as expected with encryption on certain data. Other products may just not have encryption as an option. Cyber insurance providers are aware you may have your hands tied, but they need to know to properly assess liability.
Scope of Data
How much data are you managing? How many individual records are there and how are they classified? Do you have generic data on a million individuals or hugely in-depth, personal data on a smaller set? You don’t need to have exact numbers (necessarily), but you need to have a rough scope of what you’re working with.
The more data you have which is personally identifying, the more it can impact HIPAA, PCI, etc. compliance. How much data you have also impacts how likely you are to be a target. Personally Identifiable Information (PII) is worth a lot to certain groups. The right PII can be used to carry out social engineering attacks or even used to circumvent certain security systems (e.g. biometric data).
What type of data do you have and where are you storing it? Are you using cloud repositories such as Dropbox and OneDrive for certain data, or is it all local? The where is as important as the what: an insecure onsite backup is less safe than a secured public cloud system, and a properly secured private cloud is the safest of the three.
Cyber insurance vendors want to know what kind of data you have and where it is. This determines how large your attack surface may be and what is potentially at stake for your business in the event of a breach.
Multi-Factor Authentication and Credentials
Do you apply Multi-Factor Authentication (MFA) across your environment wherever possible? If not, is there a good reason (e.g. nothing of any real value behind it), or is it due to a technical limitation of a service?
MFA substantially reduces the value of a stolen password, which increases the inherent security of a system and makes a specific site or data repository harder to breach. Some cyber insurance providers want MFA applied to virtually everything; others are a little more flexible given the right security setup. Either way, a lack of MFA on core infrastructure and important data sources is a serious security concern.
MFA blurs into protecting and limiting access to privileged user accounts as well. Sometimes a specific admin account is required, while the person managing the service needs substantially less access to do their job. Are you using a single account for everything, or reducing the chance of a breach by keeping the admin account locked away and used only when needed?
Solutions like ITGlue (despite being a documentation product, it manages passwords as well) can help limit this access and provide a way to audit who has accessed a given resource. You get a system to account for who has what access and when they use it. This allows for better monitoring of credential usage and allows a gatekeeping process for privileged accounts.
What AV solution are you using? Are you using a Next-Generation Antivirus (NGAV) solution, an Endpoint Detection and Response (EDR) system, or similar across the business? What about next-generation firewalls, such as Palo Alto Networks appliances or similar, which can inspect traffic at layer 7? Are you using a zero trust architecture?
Security may also include services or processes such as a SOC, NOC, SIEM, proactive monitoring, proactive auditing, etc. How aware are you of every change to every asset for your business and how do you make sure that everything is complying with your security policy? How often are you installing patches? What legacy software or solutions are in use? Are you using protective DNS services to prevent bottom-of-the-barrel attacks and similar? Do you have an isolation policy or the ability to easily isolate compromised assets?
Many cyber insurance vendors also dive into email and phishing. Are you using DKIM, SPF, and DMARC to help detect spoofed or otherwise questionable emails? Are you using advanced spam filters and similar to reduce the attack surface even further? There are far more questions any good MSP or security provider should be asking.
These questions are ones you should be asking yourself regularly anyway, but cyber insurance brings them to the forefront. Here at The 20, we try to have solutions to virtually all of these questions which fit the needs of secure industries without making work painful. Security requires a balancing act between absolute security and functionality. The right education and the right security solutions can keep your business running smoothly.
We touched on some parts of backups previously, but cyber insurance dives into this process deeply. When ransomware hits, the difference between a business with a good Disaster Recovery (DR) policy and one without is the difference between a bad day and bankruptcy. Are you backing up important infrastructure and data? Are you checking your backups and making sure that restores work as expected? Do you keep cold backups or an air-gapped solution to keep data safe? Are you encrypting your backups to prevent exfiltration or exposure if a backup provider has a breach?
These are all best practices for backups at any level, and solutions like Unitrends and similar have made the process relatively easy. What backup provider are you using and how are you making sure it doesn’t become a liability? In the post-security world, it isn’t a matter of if but when you’re breached that makes all the difference. Downtime is extremely expensive.
Standard security policies need to be applied to backups as well. Are you making sure there are no shared credentials or similar that would allow easy exfiltration? Do you use some kind of system to control access to credentials with the correct privileges and prevent accidental access? Are you using MFA wherever possible to limit access to replication vaults or backup appliances?
How much uptime do you have? When was the last time your site went down, and how long was it down? Why did you have downtime, and what could you do differently? All of these are going to be lines of near-inquisition from a cyber insurance vendor.
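"Checking your backups" means more than confirming the job finished: a restore has to be compared against what was backed up. The following added example (written for this article; it is not Unitrends or any other vendor's code) records a SHA-256 manifest of a source tree at backup time, then verifies a restored copy against it and reports missing, changed and extra files. The three sample files and the "damaged restore" are constructed in temporary directories so the script runs offline.

```python
"""Verify that a restored backup matches what was backed up.

Added example, not from the original post and not vendor code. It hashes every
file under a source tree into a manifest, then checks a restore location
against that manifest. The sample files are constructed in temp directories.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each relative file path under root to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest: dict, restored_root: str) -> dict:
    """Compare a restored tree against the manifest taken at backup time.

    'ok' is True only when every backed-up file is present and unchanged.
    Extra files are reported but do not fail the check on their own.
    """
    restored = build_manifest(restored_root)
    missing = sorted(p for p in manifest if p not in restored)
    changed = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    extra = sorted(p for p in restored if p not in manifest)
    return {"ok": not (missing or changed), "missing": missing,
            "changed": changed, "extra": extra}


def demo() -> dict:
    """Constructed scenario: back up three files, restore, then damage the restore."""
    src = tempfile.mkdtemp(prefix="src_")
    dst = tempfile.mkdtemp(prefix="restore_")
    try:
        os.makedirs(os.path.join(src, "db"))
        samples = {
            "db/customers.sql": "-- constructed sample dump\nINSERT INTO customers VALUES (1, 'a');\n",
            "config.ini": "[app]\nmode=prod\n",
            "notes.txt": "restore runbook\n",
        }
        for rel, text in samples.items():
            with open(os.path.join(src, *rel.split("/")), "w") as handle:
                handle.write(text)
        manifest = build_manifest(src)  # taken at backup time
        # Simulate a restore by copying the tree into the (existing) restore dir.
        shutil.copytree(src, dst, dirs_exist_ok=True)
        clean = verify_restore(manifest, dst)
        # Simulate a damaged restore: one file altered, one file missing.
        with open(os.path.join(dst, "config.ini"), "a") as handle:
            handle.write("debug=true\n")
        os.remove(os.path.join(dst, "notes.txt"))
        damaged = verify_restore(manifest, dst)
        return {"clean": clean, "damaged": damaged}
    finally:
        shutil.rmtree(src, ignore_errors=True)
        shutil.rmtree(dst, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    print("clean restore:", result["clean"])
    print("damaged restore:", result["damaged"])
```

The manifest is the piece to keep separate from the backup itself (ideally on the air-gapped or cold copy the article mentions), since a manifest stored alongside the data can be altered by whoever alters the data.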
You can tell them what you plan to do, but no plan survives an encounter with the enemy. What happened when you actually had to test your plan? Were you down for a few minutes or down for days? Are you making sure to shore up said issues or are there ticking time bombs at your business?
Security is meaningless if someone bypasses it or if the response doesn’t work. Post-security also means that prevention is only one half of a proper defense for your business. Do you have a track record of your assets going down, or is your infrastructure resilient?
The more likely a business is to suffer damaging downtime, the harder it is to justify insuring it. Everything may look great in theory, but how has it been tested? Or has it?
The cyber insurance process is extremely complex, but all of the questions asked will make sense. They want to know what you do, how you do it, and how it’s worked out. Virtually every question on a cyber insurance application is one you should already have in your primary security and business plan for yourself or your client (even if the form isn’t the same).
Are you adhering to the compliance standards which affect your industry? How do you know? Are you encrypting all data where it makes sense? How much data are you working with and where is it? Do you use MFA where possible? What are your proactive and responsive security measures, and what are you throwing at keeping your business safe? How good are your backups, and are they actually functional? How much downtime have you had, what caused it, and how did you respond?
Asked this way, all of these questions boil down to a basic security plan. You need to know every detail and every facet to ensure that your business is actually secure, and a way to express it in terms that can be converted into financial risk. Can you walk the walk or just talk the talk? Use a cyber insurance checklist (or ideally multiple checklists) as a roadmap for your own business success.
Contact us at The 20 to learn more about what we can do to make your business grow.