Getting a policy to cover costs related to cybersecurity incidents is increasingly becoming a normal part of business. So what should your organization do to prepare for cyber-liability insurance coverage and get the best outcome moving forward?
Along with traditional threats such as fire, flood, or civil liability, organizations now face a comparable or greater risk of suffering a security incident, which can lead to downtime, data breaches, ransom demands and other serious consequences.
If you have decided to get cyber-liability insurance because these threats are serious enough to your business to warrant it, remember that insurance is a safety net, not your primary way of managing risk.
Insurers want to cover organizations that have skin in the game when it comes to managing cyber-risk, just like traditional insurers want to know about cigarette smoking, traffic violations, flood plains, and other factors that make a potential claim more likely for a policy holder.
Naturally, individuals and organizations that do more to mitigate risk are cheaper to insure: they qualify for better policies and pay more competitive rates.
Below are a few technology management controls that commonly appear on insurance applications and questionnaires. Adopting these IT management practices will lower your security risk and improve your organization’s insurability.
1. Security Awareness Training
One of the first areas you need to address, and one that is often overlooked, is the human side: the habits and judgment of your own staff.
Many cybersecurity incidents can be avoided entirely with the right behavior from end users. After an incident you can usually trace it back to specific actions by team members that, had they gone differently, would have avoided or contained the fallout.
Fortunately, creating security awareness does not require rigorous education.
Depending on the size of your organization, the data you need to protect, legal and compliance obligations and other factors, regular check-ins with your team may be enough, covering current threats such as phishing, ransomware and social engineering and reviewing your own security procedures. Your staff also needs to know what to do during a security incident, including how to report a suspicious email or a suspected compromise and whom to notify, because their actions during an attack have a noticeable impact on the overall outcome.
2. Supportable Hardware/Software + Patch Management
You should have a lifecycle schedule for upgrading or replacing your devices and software so that they remain supported by the vendor and continue to receive security patches.
Many of the major cyber-attacks you hear about exploit vulnerabilities that were already publicly known and for which a fix was available. Novel attacks against previously unknown weaknesses do happen and the security community has to catch up on them, but it is much easier for attackers to go after the “low hanging fruit” of unpatched and unsupported systems. Every day a product is past its end-of-support date, its risk grows, because newly discovered vulnerabilities will never be fixed and exploits for them accumulate.
Disciplined planning sessions with your IT decision makers can address this. Being proactive about keeping your hardware and software updated not only lowers the security risk to the organization, but also makes you easier to insure and takes the stress out of IT lifecycle management.
3. Network Equipment that Supports Security
Depending on your office setup, where your employees work, your server needs, etc., you will need network equipment to support the security goals of the organization.
Good networking equipment includes:
- A firewall on the perimeter of your network - configured to block inbound traffic by default and allow only the services you explicitly need, while letting legitimate traffic through.
- Wireless networking equipment - this should use current encryption (WPA2 at a minimum, WPA3 where supported) so that traffic in the air is unreadable without the network key.
- More sophisticated hardware depending on your specific needs, such as equipment that supports network segmentation (VLANs) or a VPN gateway for employees working remotely.
4. Anti-virus/Anti-malware/Endpoint Detection/Other Endpoint Security
Most people are familiar with commercial Anti-Virus software. It became a standard install on every new PC years ago, so it is no surprise that insurance carriers want this kind of protection deployed on all your endpoints: PCs, laptops, and servers.
The type of endpoint protection you get for your business will vary based on a few factors such as:
- The threats you need protection from
- The size and scope of your technology infrastructure
- Other factors
Many organizations are deploying Endpoint Detection and Response (EDR) solutions that take a much more aggressive approach to stopping threats like Ransomware than traditional Anti-Virus. Rather than relying only on signatures of known malware, EDR records endpoint activity, flags suspicious behavior such as unusual process chains or mass file encryption, and lets responders isolate an affected machine from the network.
Regardless of what kind of insurance you end up with, know that you will need something to protect the endpoints from common threats.
5. Sensitive Data Identification and Policy
While you definitely want to protect your systems, the more important part of security is protecting the data, particularly data that is considered sensitive in some way or another.
This data could be sensitive due to legal or compliance purposes, trade secrets, Personally Identifiable Information (PII), or just data you don’t want to lose or be responsible for leaking into the public.
The first step to achieve this is to define sensitive data within the context of your specific business:
- What data are you collecting every day?
- Where is your data stored?
- How do you back up your data?
- Who are you allowed to share data with and through what means?
You need to create standards and rules that define what counts as sensitive data, where it may live, and how it may be used and shared. That information can then be used with your technology experts and insurance carriers to come up with protections that fit your needs.
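Once you have defined what counts as sensitive, the practical next step is finding where it actually lives, since exports, spreadsheets and ticket attachments tend to accumulate copies. The scanner below is an added example, not code from the original article: it looks for US Social Security numbers, payment card numbers and email addresses in free text, validates card candidates with the Luhn checksum so that ordinary long numeric IDs are not flagged, and reports redacted values rather than the raw data. The sample text is constructed and uses well-known test numbers, not real records.

```python
"""Sensitive-data discovery: scan text for US SSNs, payment card numbers and
email addresses, validating card candidates with the Luhn check to cut false
positives.  Added example, not from the original article; the sample text is
constructed and the numbers in it are well-known test values."""
import re
from collections import Counter

# Candidate patterns; card numbers may be split by spaces or hyphens.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812) used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_sensitive(text: str) -> list[tuple[str, str]]:
    """Return (kind, redacted_value) for each hit.  Card candidates that fail
    the Luhn check are dropped so order numbers and similar IDs are not flagged."""
    hits = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            value = m.group(0)
            if kind == "card":
                digits = re.sub(r"[ -]", "", value)
                if not luhn_ok(digits):
                    continue
                hits.append((kind, "*" * (len(digits) - 4) + digits[-4:]))
            elif kind == "ssn":
                hits.append((kind, "***-**-" + value[-4:]))
            else:
                local, _, domain = value.partition("@")
                hits.append((kind, local[0] + "***@" + domain))
    return hits

# Constructed sample, not real data: the SSN and card number are public test values.
SAMPLE = """Constructed sample export, not real data.
customer: jane.doe@example.com  ssn: 078-05-1120
card on file: 4111 1111 1111 1111   order: 1234567890123 (not a card)
"""

if __name__ == "__main__":
    for kind, shown in find_sensitive(SAMPLE):
        print(f"{kind:6} {shown}")
    print(Counter(k for k, _ in find_sensitive(SAMPLE)))
```

Run against a file share or database export, the counts per kind tell you which systems hold regulated data and therefore need the backup, access and sharing rules you defined above. Pattern matching will always produce some noise, so treat the output as a starting point for a manual review rather than a final inventory.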
6. Authentication, Identification and Rights Standards
Access to technology assets is something you need to have strong control over.
Given the serious risks associated with ransomware and other cyber threats, you are trusting a lot to your staff when you give them an account so they can do work for your company.
In general, I’m sure you trust your employees to use their best judgment when it comes to the use of technology. However, even with trust it is important to establish best practices around how employees log in and what they have access to.
The reality is that in 2021, a password on its own cannot be relied on. Third-party data breaches, password reuse, weak hashing on the systems that store passwords, phishing, and plain bad luck can all expose one.
The Dark Web is an active marketplace where stolen usernames and passwords are sold so that cybercriminals can commit fraud and try them against other services. The following practices will go far in reducing your risk of a breach:
- Multi-Factor Authentication (MFA): Wherever you can, require a second factor, such as a code from an authenticator app, a hardware security key, or a push approval, so that a stolen password alone is not enough to log in.
- Password Standards: Continue to follow current best practices, such as a sensible minimum length, screening new passwords against lists of known-compromised passwords, and not reusing passwords across services.
- Access Rights: When your staff do log in, make sure the level of access they have matches their job role (the principle of least privilege). If your authentication measures fail, a breached account that was limited in the first place does far less damage.
7. Management and Organization
Someone at every business needs to be the “champion” when it comes to making sure technology goals are hit.
This may be the most important aspect of being prepared not just for Cyber-Liability insurance, but also general security management. It also needs to be someone who works directly for the business, as there needs to be a connection between business goals and what the technology you invest in accomplishes.
While every business will need IT resources outside the organization, including people, it is critical that the mission of technology is owned by the business.
Management challenges often have very little to do with the “bits and bytes” of technology, but rather making sure that everything continues to move in a productive direction and that changes happen when they are needed. Insurers want to know that the business hasn’t taken an approach that divorces them from the technology entirely, as vendors, personnel, products, and services are all temporary by their nature.
As always, this is not an exhaustive list. Many of the things I mentioned will be of higher or lower priority depending on a variety of factors, and there is a good chance that something not mentioned here will be very important to your business, both when getting Cyber-Liability insurance and when protecting your systems from the threats that are out there.
If you want to learn more about setting yourself up for technology success as well as securing your data, contact us today!