How To Qualify For Cybersecurity Insurance
Comprehensive cybersecurity insurance is fast becoming an important part of an organization’s security strategy, but what does your organization need to do to qualify for cover?
The battle against cyber-attacks is ongoing and ever-evolving, with the costs of a breach becoming insurmountable for many organizations. In 2022, IBM calculated the average cost of a data breach was USD 4.35m. The risks facing many organizations go beyond financial damage to include data loss via spyware and ransomware, and reputational damage – each with the capability of putting your organization in a critical position.
Cybersecurity insurance can help to alleviate the damage that your organization experiences as a result of a cyber-attack. Insurers are moving into the cybersecurity market, offering cover for a wide range of cyber-related threats – from legal, to loss of earnings, and cost of replacing damaged infrastructure. Understandably, insurers only look to cover organizations who take cyber security seriously and have made attempts to mitigate the risks.
In this article, we will explain what your organization needs to have in place to qualify for a cybersecurity insurance policy. We will cover some of the essential security infrastructure you need, before considering other tools that can decrease your premiums and boost your cybersecurity.
Essential Cybersecurity Insurance Infrastructure
Before offering you a policy, most cybersecurity insurance providers will require you to complete a security audit to understand how your company operates, the risks you are facing, and your level of exposure. Depending on your organization, the insurer, and the type of policy you are looking for, this audit might be as simple as a questionnaire or as detailed as in-depth checks carried out over multiple weeks. Whilst your policy is active, insurers will continue to reassess the state of your cybersecurity set-up.
There are some essential tools that a prospective insurance provider will look for in your security infrastructure:
1. Multi-factor Authentication (MFA)
Comprehensive implementation of MFA, or 2FA, is an important feature of your security set-up as it provides assurance that only authenticated users can access your network. With MFA, your users are required to have their identity verified in at least two ways, before being granted access. This solution is simple to put in place and has a good return on investment.
There are three types of authentication factors that are used in MFA: knowledge, possession, and inherence. Knowledge factors (like passwords) can be easy to compromise with a brute-force attack. Some insurers might require more robust security protocols to be implemented, particularly for privileged access accounts; in this instance, a hardware security key or biometric authentication may be required. Using contextual or behavioral analysis can help to detect if a user is authentic by creating a baseline pattern of behavior. This, too, can help to reassure an insurer that you are serious about cybersecurity.
For more information about how MFA works, read our article here.
2. Antivirus Software
To keep your network safe, all computers and devices should have antivirus (AV) software installed to scan for malicious code that might have infiltrated your devices. Antivirus software works by checking a database of known viruses and malware against the files and activity on your devices. If a portion of unknown code is encountered, some AV solutions provide a “sandbox” to run the code in a secure digital environment. This allows the AV software to analyze the code’s behavior and decide if it is safe or not. This way, malicious code can quickly be identified and removed.
It is important that this software is kept up to date to ensure that your network is protected against new and emerging threats. You will need to take special care if your organization has a “bring your own device” (BYOD) policy. In whatever way a user chooses to access your network, they will need to be protected against viruses and malware. With different types of devices, operating systems, and device generations, ensuring that all devices are sufficiently protected requires careful attention.
For more information about how to choose antivirus software for SMBs, read our article here.
3. Network Firewall
Your systems will need to be protected by a firewall, which guards against cyberattacks by blocking unauthorized access to your network. Firewalls are one of the most straightforward security solutions, but an important one. By blocking all but approved traffic, you can drastically reduce the number of threats that are able to reach your network.
Firewalls can be administered as a software, hardware, or cloud security solution – you will need to consider the way that your organization works to decide which option is best suited to you. Your operating system will probably already provide firewall capabilities, though these might not be robust enough for your insurance broker – you may require an additional firewall from a recognized vendor before they agree to cover your organization.
To learn about the different types of network firewalls, you can read our article here.
4. Backup And Recovery
The impact of data being lost or corrupted can be greatly reduced if you have recent, comprehensive backups. Being able to restore a previous backup ensures that any time lost in the aftermath of an attack will be limited. Depending on your sector, regulatory bodies might specify how often backups should be performed, and where you should store your backups. If not specified by an industry or federal standard, the 3-2-1 rule is often a good rule of thumb: maintain at least three copies of data, store them on at least two different types of storage media, and keep at least one copy stored in an off-site location. Needless to say, this data should be secure and encrypted to prevent it from becoming the target of an attack.
Data backups are important if, for example, your systems become infected by ransomware and your files are locked or encrypted until you pay the ransom. In a ransomware attack, the hackers are exploiting your inability to continue working without access to these files and accounts, as this downtime can cost your organization money in unproductive staffing costs, as well as lost revenue. If, however, you have access to these files and accounts via a recent backup, you can use that backup to restore your systems to a point in time prior to the attack and continue working. This nullifies the ransomware.
Recovery is an important aspect of this as it dictates how long your network will be down for. By using a third-party solution to automate your backups and recovery, you can ensure that your data is stored regularly. This will also allow you to restore your data quickly, ensuring that you do not lose too much time while your network is down. Not only should you be able to restore a system as a whole, but you should be able to recover specific files.
There are reports of hackers gaining access to a system but leaving their malware dormant for a period of time. This allows the malware to be stored in a backup so that, if the current system is wiped, the malware is already planted within the network when it is restored. To combat this, it is important that your AV, firewall and XDR/MDR are properly configured.
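As an added example (not part of the original article), the following Python checker evaluates a backup inventory against the 3-2-1 rule and the encryption requirement described above, and also flags when no restore point predates an assumed attacker dwell window, which is the dormant-malware scenario just mentioned. The copies, the 90-day window and the dates are constructed sample values.

```python
"""3-2-1 backup policy checker (added example, not from the original article)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str                 # e.g. "disk", "tape", "object-storage"
    offsite: bool
    encrypted: bool
    oldest_restore_point: date  # earliest point in time this copy can restore to


def check_321(copies, today, dwell_window=timedelta(days=90)):
    """Return a list of policy violations; an empty list means the policy passes."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies (need at least 3)")
    media = {c.medium for c in copies}
    if len(media) < 2:
        problems.append(f"all copies on one medium ({', '.join(sorted(media)) or 'none'}); need 2")
    if not any(c.offsite for c in copies):
        problems.append("no off-site copy")
    for c in copies:
        if not c.encrypted:
            problems.append(f"copy '{c.name}' is not encrypted")
    # Dormant-malware check (assumed dwell window, not from the article): keep at
    # least one restore point older than the window so a clean image still exists.
    oldest = min((c.oldest_restore_point for c in copies), default=today)
    if today - oldest < dwell_window:
        problems.append(f"oldest restore point ({oldest}) is inside the {dwell_window.days}-day dwell window")
    return problems


# Constructed sample inventories.
TODAY = date(2023, 6, 1)
GOOD = [
    BackupCopy("primary-nas", "disk", False, True, date(2023, 1, 1)),
    BackupCopy("tape-vault", "tape", True, True, date(2022, 12, 1)),
    BackupCopy("cloud-bucket", "object-storage", True, True, date(2023, 2, 1)),
]
WEAK = [
    BackupCopy("primary-nas", "disk", False, True, date(2023, 5, 20)),
    BackupCopy("secondary-nas", "disk", False, False, date(2023, 5, 20)),
]

if __name__ == "__main__":
    for label, inventory in (("good", GOOD), ("weak", WEAK)):
        print(label, check_321(inventory, TODAY) or "OK")
```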
For more information about network backup and recovery, read our article here.
5. Security Awareness Training
You can have the most sophisticated security systems in the world, but all it takes is for one user to be tricked into sharing their login details – this might be the result of a phishing or social engineering attack – and an attacker can gain free, undetected access to your network.
Security awareness training (SAT) ensures that staff understand the risks and consequences of their online actions, and what they can do to help keep their own accounts safe. It will also help them to understand what a security system can and cannot protect against. By retaining a cautious and sceptical attitude, your staff can become an asset in the battle to keep your network secure.
Common SAT solutions combine real life case studies with engaging video content and relevant quizzes. You should also be able to perform phishing simulation training to ensure that users are acting on what they have learnt. This allows admins to see who has engaged with the training, and who needs to revisit specific modules.
You can read our complete guide to Security Awareness Training here.
6. Endpoint Detection And Response (EDR)
Endpoint Detection And Response (EDR) is used to monitor your network’s endpoints, identify any threats, then enact remediation to keep your accounts safe. EDR sits behind the firewall, to identify any threats that breach this protection and gain access. The benefits of EDR are twofold: not only can it identify malware, viruses, fileless attacks, etc., but it can proactively hunt for these threats and resolve them.
EDR monitors each endpoint – from cell phones to laptops, tablets, and IoT devices – to identify any suspicious behavior. Once identified, EDR can intelligently respond to the threat, ensuring that your network is kept secure. Some EDR solutions will also build threat timelines to show how a threat entered your network and suggest how this can be prevented in future.
To learn more about EDR, you can read our article here.
Additional Cybersecurity Infrastructure
Even if you use all the cybersecurity tools previously mentioned, there are still ways to make your accounts more secure. Cybersecurity is an ongoing, ever-evolving problem. In this next section, we will outline some of the additional methods that you can implement to help your business to qualify for cybersecurity insurance. These tools will further secure your accounts, as well as drive insurance premiums down.
1. Cyber Incident Response Planning And Testing
To prove to insurers that you have considered the risks and implications of a cybersecurity attack, you might need to provide details of your response policies. This will include automatic digital remediation – such as offered by EDR or XDR – and human-led procedures, such as responsible individuals and device lockouts. Does your organization have a dedicated IT security team? What should users do if they think their account has been breached?
This response should be tested through simulations to ensure it is efficient and effective. Built into this response should be a means of notifying key stakeholders such as admins, affected and unaffected employees, and – potentially – customers, depending on the nature of the attack. This type of testing will also illustrate which insurance policies you should take out. For example, can your data be restored from a backup within a day, or does it take a week? The difference in downtime will significantly affect the value of lost profits, and therefore the value of insurance cover needed.
2. Vulnerability Management
Many cybersecurity insurance policies will be invalidated if you fail to act on a known vulnerability that is then exploited by an attacker. It is important that you maintain good cyber hygiene by ensuring operating systems and software are up to date, and that relevant patches are installed.
There are five steps to managing vulnerabilities:
- Assess – assess your network and identify any vulnerabilities.
- Prioritize – where you have multiple vulnerabilities, decide which pose the highest risk, and decide which need to be remediated first.
- Act – install relevant patches, alter policies, supplement with additional security infrastructure.
- Reassess – consider the degree to which the threat has been mitigated or minimized. Are there further remediation actions that should be taken?
- Improve – with cybersecurity threats constantly advancing, continually assess your infrastructure to ensure your network and devices are as safe as they can be.
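The five steps above, worked through in Python as an added example (not from the original article): scan findings are prioritized by a risk score, available patches are applied, and anything still open above a threshold is flagged for escalation. The findings, the scoring weights and the threshold are constructed sample values, and the vulnerability identifiers are placeholders rather than real CVE numbers.

```python
"""Assess / Prioritize / Act / Reassess loop over scan findings (added example)."""
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    vuln_id: str          # placeholder identifier, not a real CVE
    cvss: float           # 0.0 - 10.0 base severity score
    internet_facing: bool
    exploit_known: bool
    patch_available: bool
    remediated: bool = False


def risk_score(f: Finding) -> float:
    """Assumed weighting: base severity, raised for exposure and known exploitation."""
    score = f.cvss
    if f.internet_facing:
        score *= 1.5
    if f.exploit_known:
        score *= 2.0
    return round(score, 1)


def prioritize(findings):
    """Prioritize step: open findings, highest risk first."""
    return sorted((f for f in findings if not f.remediated), key=risk_score, reverse=True)


def act(findings):
    """Act step: apply available patches; return items that need another control."""
    needs_compensating = []
    for f in findings:
        if f.remediated:
            continue
        if f.patch_available:
            f.remediated = True   # in practice: deploy the patch, then re-scan to confirm
        else:
            needs_compensating.append(f)
    return needs_compensating


def reassess(findings, threshold=12.0):
    """Reassess step: anything still open at or above the threshold is escalated."""
    return [f for f in prioritize(findings) if risk_score(f) >= threshold]


# Constructed sample scan output.
FINDINGS = [
    Finding("web-01", "VULN-A", 9.8, True, True, True),
    Finding("db-01", "VULN-B", 7.5, False, False, True),
    Finding("vpn-gw", "VULN-C", 8.1, True, True, False),
    Finding("hr-laptop", "VULN-D", 5.3, False, False, True),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{risk_score(f):5.1f}  {f.asset:10} {f.vuln_id}")
    print("needs compensating control:", [f.vuln_id for f in act(FINDINGS)])
    print("escalate:", [f.vuln_id for f in reassess(FINDINGS)])
```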
3. Cloud Email Security
A cloud email security solution can protect your accounts from incoming threats like malware, graymail and business email compromise (BEC). Secure Email Gateways (SEG) work by using a series of spam filters to catch malicious or nuisance emails before they arrive in your users’ inboxes.
Potential insurers will require an email security solution to provide your users’ accounts with some cover from malicious emails. There are, however, many features that can enhance an SEG to provide more comprehensive and complete coverage. These come under the term Integrated Cloud Email Security (ICES).
An important additional feature is “sandboxing”. This is a secure, isolated area to run potentially dangerous software without the risk of it affecting the wider network. Some solutions will also perform URL analysis, which prevents malicious URLs from being delivered to users’ inboxes.
“Post-delivery” protection can enhance your security hygiene by preventing sensitive data from being shared. This reduces the risk of social engineering and account fraud. Administrators can set policies based on objective rules (for example, no passwords can be sent via email) or based on users (such as, only specific users are able to share files via email). Not only will this cloud email solution keep your accounts and data safe, but it will also ensure you are compliant with relevant regulation, and able to evidence this for auditing purposes.
4. Vendor/Supply Chain Risk Management
In 2021, an Apple supplier was reportedly the target of a ransomware attack. The hacker group attempted to extort USD 50 million from Apple by halting operations at one of its main manufacturers. Unfortunately, this type of attack is becoming increasingly common. While you might do everything within your power to eliminate risks to your organization, how do you know what steps your suppliers and vendors are taking?
It is incredibly difficult, if not simply unfeasible, to eliminate the risks you inherit from your suppliers. You should, therefore, consider the risks that you cannot directly mitigate, and develop a strategy for minimizing that risk, like finding alternative suppliers in case of an emergency.
As part of a supplier risk strategy, you should be aware of how a cyber-attack on your organization might affect your suppliers. Strategies should include assessments, continuous monitoring, data analysis, and risk mapping to ensure that your organization can continue to operate if a supplier is affected.
5. Privileged Access Management (PAM)
Often abbreviated to PAM, privileged access management is a way of monitoring which users have access to critical parts of a network. With every user having their own login credentials, admins can create highly specific policies that allow access for certain users and restrict it for others.
By preventing all accounts having the same level of privilege, PAM allows admins to increase user privilege upon request. Although this is a relatively simple, manual process, it ensures that there is a valid reason for that user having that level of access. This limits the number of accounts that an attacker can use to gain access to your network.
Many PAM solutions will also store credentials to a privileged account within a secure vault and automatically rotate login details. This prevents stolen details from being used in an attack. This type of solution will offer strong tracking and auditing features to ensure that there is accountability.
Under this heading also comes the need for implementing a secure provisioning process. This is the process by which user accounts are created, maintained, and decommissioned. It is important that users don’t have more privileges than are required for their job role (the principle of least privilege); this is often enforced with a “just-in-time” policy, under which elevated access is granted only when it is needed and for a limited time. This helps to prevent an attacker accessing critical accounts by spreading laterally through the network. It is also important to ensure that accounts are properly deleted when not in use, otherwise these dormant accounts could provide discreet access for a hacker.
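As an added example (not from the original article or any PAM product), the following Python sketch models the three PAM controls described above: privilege is raised on request with a recorded reason and approver, the elevation lapses automatically after a fixed window, every decision lands in an audit trail, and accounts unused beyond a threshold are reported as dormant. Account names, the two-hour lifetime and the 90-day dormancy threshold are constructed sample values.

```python
"""Just-in-time elevation with audit trail and dormant-account report (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Account:
    user: str
    base_role: str
    last_login: datetime
    elevated_role: Optional[str] = None
    elevated_until: Optional[datetime] = None


class PamVault:
    """Tracks time-boxed elevations and keeps an append-only audit trail."""

    def __init__(self, lifetime=timedelta(hours=2), dormant_after=timedelta(days=90)):
        self.lifetime = lifetime            # assumed elevation lifetime
        self.dormant_after = dormant_after  # assumed dormancy threshold
        self.audit: List[str] = []

    def request_elevation(self, acct, role, reason, approver, now):
        """Grant a role for a limited time; require a reason and a different approver."""
        if not reason or approver == acct.user:
            self.audit.append(f"{now:%Y-%m-%dT%H:%M} DENY  {acct.user} -> {role} by {approver}")
            return False
        acct.elevated_role, acct.elevated_until = role, now + self.lifetime
        self.audit.append(f"{now:%Y-%m-%dT%H:%M} GRANT {acct.user} -> {role} by {approver}: {reason}")
        return True

    def effective_role(self, acct, now):
        """Elevation lapses on its own once the window has passed; no manual revocation."""
        if acct.elevated_until is not None and now < acct.elevated_until:
            return acct.elevated_role
        return acct.base_role

    def dormant_accounts(self, accounts, now):
        """Accounts unused for longer than the threshold should be disabled or removed."""
        return [a.user for a in accounts if now - a.last_login > self.dormant_after]


# Constructed sample directory.
NOW = datetime(2023, 6, 1, 9, 0)
ACCOUNTS = [
    Account("alice", "helpdesk", NOW - timedelta(days=1)),
    Account("bob", "developer", NOW - timedelta(days=120)),
]


def demo():
    """Walk one elevation through its lifetime and list dormant accounts."""
    vault, alice = PamVault(), ACCOUNTS[0]
    self_approved = vault.request_elevation(alice, "domain-admin", "reset a locked user", "alice", NOW)
    granted = vault.request_elevation(alice, "domain-admin", "reset a locked user", "carol", NOW)
    during = vault.effective_role(alice, NOW + timedelta(hours=1))
    after = vault.effective_role(alice, NOW + timedelta(hours=3))
    return self_approved, granted, during, after, vault.dormant_accounts(ACCOUNTS, NOW), vault.audit


if __name__ == "__main__":
    print(*demo()[-1], sep="\n")
```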
For a list of the top 10 PAM solutions, read our article here.
Other Cybersecurity Insurance Requirements
Depending on the nature, size, and industry that your organization works in, insurers might require additional assurances of your cyber security setup. This is particularly relevant for industries where personally identifiable information (PII) and tight regulation are present.
In industries where there is regulatory oversight, insurers will want to know that you comply with the relevant legislation. This ensures that you do not run into legal disputes further down the line. By adhering to a regulator’s cyber security recommendations, your organization will be well placed to react to an attack. Regulators depend on the industry and country your business is operating in, but some common regulations are:
- Sarbanes-Oxley Act (financial industry)
- HIPAA (health)
- TISAX (automotive)
- GDPR (EU data protection)
Cybersecurity Risk Analysis
As alluded to in the introduction, there are different ways that an insurer will seek to understand your organization, and the type of cover you require. This may be as straightforward as a questionnaire that is filled out by the organization, or as complex as a detailed risk analysis and infrastructure assessment. It is important that this risk analysis is kept up to date to ensure your organization is ready to respond to an attack, and that you are still covered by the insurance company.
There are a lot of different frameworks out there designed to help you monitor your business’s cyber risk, such as the National Cyber Security Centre’s (NCSC) list of 14 principles to consider as part of its Cyber Assessment Framework risk analysis.
Some insurers are looking for a relatively low number of administrators. This reduces the number of privileged accounts that can do a lot of damage if hacked. This also ensures that the individuals running these accounts will be highly skilled and knowledgeable, and more aware of the risks associated with accessing critical accounts.
Your network will be more resilient to a cyberattack if it can be segmented. This means that one part of your network can be shut down and isolated from the rest of the network if it is attacked. This ensures that parts of your organization can continue running, whilst an issue is resolved in one area. Having “firebreaks” built into your network is an important security feature that reduces the amount of exposure your network faces.
There is no single, comprehensive list of features that insurance brokers are looking for. Rather, they are looking for a proactive attitude, and the successful implementation of features to protect your network.
When applying for cybersecurity insurance, think of getting cover not as the end goal, but as another asset in your cybersecurity set-up. Once you have cover, the relationship between you and the broker will be ongoing and require flexibility and adaptation to ensure your organization is prepared to respond to a cyber-attack.