Protecting your organization against cyber threats is not just about implementing controls and solutions to improve your security posture. In today’s growing threat landscape, cyber insurance is recommended to mitigate the cost of a data breach or security incident. Policies and cyber insurance offerings vary significantly between providers and industries, and navigating the intricacies of cyber insurance can be challenging.
In this post, we will discuss how cyber insurance requirements have evolved over the years, as well as what requirements are needed to obtain cyber insurance, and how to implement them in your organization.
Why do organizations need cyber insurance?
Cyber insurance helps to reduce the costs of data breaches and security incidents. Depending on the policy (offerings and premiums vary significantly), coverage can offset the costs of forensic investigations, breach notifications, legal fees, recovery work, and revenue lost while operations are interrupted.
Cyber insurance is highly recommended, especially for businesses that handle PII and other sensitive customer data. Regulations like GDPR and HIPAA require organizations to have data protection measures in place; many cyber insurance policies also cover regulatory fines and penalties following a breach, although whether and how much of that is covered depends on the policy, so check the wording before relying on it.
Why is cyber insurance getting harder to get?
As the rate of cybercrime and the cost of data breaches continue to rise, cyber insurance becomes more challenging to obtain. As Krysten Bay, CEO of Cysurance, explains, the spike in insurance claims from phishing-related attacks in 2020 caused insurers to re-evaluate the requirements for cyber insurance. As reported in the State of Cybersecurity, “In 2022, a shocking 30% of organizations experienced sudden changes in their cyber insurance policies – resulting in increased premiums or even policy cancellations.”
In our recent webinar, “Unlocking the Secrets of Cyber Insurance” with Cysurance and Arctic Wolf, Bay shared that the cyber insurance industry increased requirements to mitigate risks because the rise in cybercrime “started to shift the market in terms of [understanding] how we price these products, how we rate insurance policies, and how we determine what should be in place for organizations in terms of security posture.”
As Nigel Brown, VP of Professional Services at Microserve, further explained, “through the renewal process of cyber insurance, we’ve helped our clients answer renewal questionnaires” and, as the market progresses, “we’ve seen renewal questionnaires go from one or two pages to 80-100 pages for our biggest clients. The level of depth and specifics [insurance companies] are asking is astronomical compared to what it was in about 2017-2018 where it was easier to get cyber insurance”.
What requirements do companies need to meet to obtain cyber insurance?
To obtain cyber insurance, businesses first need to select a policy. Policies vary widely and can cover costs related to data breaches, ransomware, business interruption, regulatory fines, and more. After a policy is selected, the insurer provides a quote with an estimate of the premium.
Before a policy is issued, organizations must complete a lengthy questionnaire describing their security measures and posture. Organizations need to demonstrate that they are actively mitigating cyber risk before a policy will be written. Questionnaires ask about security procedures, access controls, risk assessments, data backups, the incident response plan, and more. Your answers determine your premium and deductible, and can determine whether coverage is offered at all.
Security policies and procedures
At a minimum, cyber insurers require companies to have basic security policies and procedures in place. Cyber insurance questionnaires ask about encryption, network security, managed services, cloud platforms, detection and alerting, hardware lifecycle management, and more.
For example, a cyber insurance questionnaire may ask:
- Where does your company store sensitive data? What technologies are used to protect sensitive data?
- What data is encrypted? Is data encrypted in transit? Is cloud data encrypted? Is mobile data encrypted?
- Does your organization follow security regulations or compliance frameworks such as GDPR, HIPAA, PCI, or others?
- What kinds of security services are you using? What percentage of your IT budget is designated for security? Who is responsible for security?
- Does your company proactively address critical security patches? Is there a defined patch management process? How quickly are patches applied after release, and how is that tracked?
On the basic requirements, Bay advises that “if you can’t prove that you have continuous monitoring, patch management, and vulnerability analysis, we’re seeing reduction in coverage if patches weren’t completed within 45 days. Once you reach 60-90 days, [insurers] are requiring that you pay into 30% of your policy before they will start paying.”
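Answering the “how quickly are patches applied” question well means having data rather than a guess. The script below is an added example, not code from the original post or from any of the companies named in it. It takes a constructed patch inventory (host, patch, release date, date applied or still outstanding) and reports how many patches were applied within each age bucket. The 45, 60 and 90 day thresholds are taken from Bay’s remark above and are assumptions here; your insurer’s thresholds may differ, so they are a parameter.

```python
from datetime import date

# Age thresholds in days. 45/60/90 come from the quoted remark above and are
# assumptions; real insurers' thresholds vary by policy, so pass your own.
THRESHOLDS = (45, 60, 90)

# Fixed "as of" date so the report is reproducible; in practice use date.today().
AS_OF = date(2023, 12, 1)

# Constructed sample inventory (hosts and patch names are placeholders, not real
# identifiers). One row per host/patch pair; 'applied' is None when still outstanding.
SAMPLE_INVENTORY = [
    {"host": "web-01", "patch": "fix-A", "released": date(2023, 9, 12), "applied": date(2023, 9, 20)},
    {"host": "web-02", "patch": "fix-A", "released": date(2023, 9, 12), "applied": date(2023, 11, 2)},
    {"host": "db-01",  "patch": "fix-A", "released": date(2023, 9, 12), "applied": None},
    {"host": "fs-01",  "patch": "fix-B", "released": date(2023, 9, 19), "applied": date(2023, 10, 25)},
    {"host": "fs-01",  "patch": "fix-C", "released": date(2023, 10, 3), "applied": date(2023, 10, 10)},
    {"host": "vpn-01", "patch": "fix-A", "released": date(2023, 8, 1),  "applied": None},
]


def patch_age_days(row, as_of):
    """Days from release to application, or to 'as_of' if the patch is still unapplied."""
    end = row["applied"] or as_of
    return (end - row["released"]).days


def bucket_labels(thresholds):
    """Labels such as ['within_45', '46_to_60', '61_to_90', 'over_90']."""
    labels = [f"within_{thresholds[0]}"]
    for lo, hi in zip(thresholds, thresholds[1:]):
        labels.append(f"{lo + 1}_to_{hi}")
    labels.append(f"over_{thresholds[-1]}")
    return labels


def bucket(age, thresholds=THRESHOLDS):
    """Return the label of the first threshold the age does not exceed."""
    labels = bucket_labels(thresholds)
    for label, limit in zip(labels, thresholds):
        if age <= limit:
            return label
    return labels[-1]


def patch_latency_report(inventory, as_of=AS_OF, thresholds=THRESHOLDS):
    """Count patches per age bucket and list everything older than the first SLA."""
    counts = {label: 0 for label in bucket_labels(thresholds)}
    overdue = []
    for row in inventory:
        age = patch_age_days(row, as_of)
        counts[bucket(age, thresholds)] += 1
        if age > thresholds[0]:
            overdue.append({
                "host": row["host"],
                "patch": row["patch"],
                "age_days": age,
                "applied": row["applied"] is not None,  # False = still open today
            })
    total = len(inventory)
    within_first = counts[bucket_labels(thresholds)[0]]
    return {
        "total": total,
        "counts": counts,
        "pct_within_first": round(100.0 * within_first / total, 1) if total else 0.0,
        # Worst offenders first; unapplied patches keep ageing until they are fixed.
        "overdue": sorted(overdue, key=lambda r: -r["age_days"]),
    }


if __name__ == "__main__":
    report = patch_latency_report(SAMPLE_INVENTORY)
    print(f"{report['pct_within_first']}% of {report['total']} patches applied within {THRESHOLDS[0]} days")
    print(report["counts"])
    for item in report["overdue"]:
        state = "applied late" if item["applied"] else "STILL OPEN"
        print(f"  {item['host']:8} {item['patch']:6} {item['age_days']:4}d  {state}")
```

Run against a real inventory (exported from your patch management tool), the `pct_within_first` figure and the `overdue` list are exactly the evidence the questionnaire is asking for, and the still-open entries are the ones to fix before the renewal date rather than after.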
Identity and access management
Having identity and access management policies in place is important to obtain cyber insurance. Insurers want to know who has access to data and devices, and what measures are in place to keep data out of the hands of the wrong users.
For example, access control questions could be:
- Who has access to data? Is access to sensitive data limited?
- Are passwords complex? Are passwords changed every 90 days? Are default passwords changed?
- Is intrusion detection software in place to detect and alert your company of unauthorized access? Are there policies in place to remediate unauthorized access to data?
- Is access terminated when an employee exits your company? Does your company conduct background checks for employees before hiring them?
- Does your company use multi-factor authentication?
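The access control questions above (who has access, is access terminated at exit, is MFA in use) are answered far more convincingly from a reconciliation of the HR roster against the identity provider than from a policy document. The script below is an added example, not code from the original post or from any of the companies named in it. It joins a constructed HR roster with a constructed directory export and flags the findings an underwriter would ask about: enabled accounts for departed staff, logins after the termination date, enabled accounts without MFA (privileged ones separately), accounts with no HR owner, and stale accounts. Field names and the 90-day stale threshold are assumptions.

```python
from datetime import date

# Fixed review date for reproducibility; in practice use date.today().
AS_OF = date(2023, 12, 1)

# Constructed HR roster (placeholder names, not real people).
# 'terminated' is the last day of employment, or None while still employed.
HR_ROSTER = [
    {"user": "alice", "terminated": None},
    {"user": "bob",   "terminated": date(2023, 10, 15)},
    {"user": "carol", "terminated": None},
    {"user": "dave",  "terminated": date(2023, 1, 3)},
]

# Constructed directory/IdP export. Column names are assumptions; map your
# own export (AD, Entra ID, Okta, Google Workspace) onto these fields.
DIRECTORY = [
    {"user": "alice",      "enabled": True,  "mfa": True,  "admin": False, "last_login": date(2023, 11, 30)},
    {"user": "bob",        "enabled": True,  "mfa": False, "admin": True,  "last_login": date(2023, 11, 20)},
    {"user": "carol",      "enabled": True,  "mfa": False, "admin": False, "last_login": date(2023, 11, 29)},
    {"user": "svc-backup", "enabled": True,  "mfa": False, "admin": True,  "last_login": date(2023, 6, 1)},
    {"user": "dave",       "enabled": False, "mfa": True,  "admin": False, "last_login": date(2023, 1, 2)},
]


def access_review(roster, directory, as_of=AS_OF, stale_days=90):
    """Reconcile an HR roster with a directory export and return findings by category."""
    hr = {row["user"]: row for row in roster}
    findings = {
        "orphaned": [],                # enabled account, HR says the person has left
        "login_after_termination": [], # the orphaned account has actually been used
        "no_mfa": [],                  # enabled account without MFA enrolled
        "privileged_no_mfa": [],       # the subset of those that hold admin rights
        "not_in_hr": [],               # enabled account with no HR record (service accounts etc.)
        "stale": [],                   # enabled but unused for more than stale_days
    }
    enabled_total = enabled_with_mfa = 0
    for acct in directory:
        if not acct["enabled"]:
            continue  # disabled accounts are fine from the insurer's point of view
        name = acct["user"]
        enabled_total += 1
        enabled_with_mfa += 1 if acct["mfa"] else 0
        person = hr.get(name)
        if person is None:
            findings["not_in_hr"].append(name)
        elif person["terminated"] is not None:
            findings["orphaned"].append(name)
            if acct["last_login"] is not None and acct["last_login"] > person["terminated"]:
                findings["login_after_termination"].append(name)
        if not acct["mfa"]:
            findings["no_mfa"].append(name)
            if acct["admin"]:
                findings["privileged_no_mfa"].append(name)
        if acct["last_login"] is None or (as_of - acct["last_login"]).days > stale_days:
            findings["stale"].append(name)
    for key in findings:
        findings[key].sort()  # deterministic output for reports and tests
    findings["mfa_coverage_pct"] = (
        round(100.0 * enabled_with_mfa / enabled_total, 1) if enabled_total else 0.0
    )
    return findings


if __name__ == "__main__":
    result = access_review(HR_ROSTER, DIRECTORY)
    print(f"MFA coverage of enabled accounts: {result['mfa_coverage_pct']}%")
    for category in ("orphaned", "login_after_termination", "privileged_no_mfa",
                     "no_mfa", "not_in_hr", "stale"):
        print(f"{category:24} {', '.join(result[category]) or '-'}")
```

Two points of design worth noting. The `login_after_termination` check is what turns a paperwork finding into an incident: an ex-employee’s account that is merely enabled is a gap in the leaver process, but one that has been used since the leaving date needs investigation. Accounts in `not_in_hr` are not automatically wrong (service accounts exist), but each one needs a documented owner, and a privileged one without MFA is exactly the kind of partial MFA rollout Bay describes below.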
“We’re seeing litigation around organizations and MFA,” said Bay. She describes a case where MFA was only partially implemented and there was more than one ransomware attack. It’s important to demonstrate and know that MFA is working correctly. As Bay warns in this scenario, “the insurance company actually sued them to get their premium dollars back. And that’s a very extreme example, but the point is… [MFA] can help you be safer and not have these significant impacts.”
Backup and disaster recovery
A cyber insurance questionnaire will likely include questions about your disaster recovery strategy and your data backups. Insurers want to know that you are backing up your data in a secure location and have a plan to get IT systems back up and running as soon as possible following a cyberattack.
Common backup and disaster recovery questions include:
- Does your company back up sensitive data? If so, how often? Where are backups stored, and are they isolated from the production systems they protect?
- Is the disaster recovery plan designed to reduce downtime if IT systems fail? How often is this plan reviewed and tested?
- Can threats be contained within an hour? Can IT system failures be remediated within an hour? If not, how long?
“You really want to make sure that every plan has a laid out ‘start to finish’; and that from your perspective, you can take advantage of being not only ready, but proactive,” said Al Dosan, Alliance Director at Arctic Wolf.
Security assessments
Security assessments that evaluate your vulnerabilities, risks, and overall security posture help organizations obtain cyber insurance. Because cybersecurity assessments identify gaps in security posture and provide fact-based plans to close them, questionnaires often ask about risk assessments, penetration tests, network security assessments, and more.
Common questions about cybersecurity assessments include:
- Has your company completed a formal risk assessment to identify threats and vulnerabilities?
- Has your company had a vulnerability assessment within the last 12 months?
- Has your company completed a penetration test within the last 12 months?
- How often are cybersecurity assessments conducted?
Cybersecurity assessments scan your environments and review your controls to find the holes in your security posture. As Brown said, a cybersecurity assessment with Microserve also “helps you answer cyber insurance questionnaires by the hundreds of pages. Then, you have the ammunition to know where you actually stand so you know what you have to say ‘no’ to and what you can say ‘yes’ to. And for the answers that are ‘no’s, we’re there to support whatever elements you need to remediate.”
Incident response plan
Cyber insurers typically require a company to have a written incident response plan that details how the organization will respond to security incidents of varying severity. The plan prepares the organization for the worst case and reduces risk for both the company and the insurer.
Here are some incident response related questions that could be included in a questionnaire:
- Does your company have a written policy in place to respond to a data breach? Does the policy involve plans to reduce business interruption due to IT failures?
- Does the incident response plan have different responses for different levels of severity of a potential data breach? Does this plan include the names of individuals that need to be involved in remediation of a potential data breach?
- How often is the incident response plan reviewed and tested?
“Having a readiness plan in place will mitigate risk. There’s a lot of different ways that [incidents] can be mitigated; one being the incident response team,” said Dosan. When you have a team that helps you look at the root cause of your issue, and understand what happened and why, you can ensure you mitigate future risk.
Employee security awareness training
Training employees in their role in cybersecurity is vital to the success of your organization and improves your security posture. It is also often a requirement before an insurer will approve a policy, because employee awareness and training reduce the risk of security incidents caused by human error.
For example, a cyber insurance questionnaire could include questions such as:
- Do employees receive annual cybersecurity training? If not, how often are employees trained in their role in cybersecurity?
- Does your company require employees to complete cybersecurity training when they are hired?
When a readiness plan is available for everyone in the office– and when everyone knows where it is and what to do– you’ll mitigate your overall risk. “Creating awareness inside of the organization is really important,” says Dosan. To enable your organization, educate your employees so they know what risks to be aware of.
Bottom line: You need cyber insurance, and to get it, you need cybersecurity partners
In the modern era, cyber insurance can be difficult to navigate. Certain cybersecurity controls and measures are required to obtain cyber insurance, and these controls vary from industry to industry, company to company, and policy to policy.
Working with an IT managed service provider like Microserve is the best way to ensure you pick the right policy, meet the requirements for cyber insurance, and do so without wasting your valuable time. Take a proactive step to ensure you are ready for your next cyber insurance renewal by working with the experts at Microserve to improve your security posture today. With over 30 years of experience, we can help you navigate the nuances of cyber insurance and meet the requirements to be approved for a cyber insurance policy.
If you want to learn more about how to obtain cyber insurance, watch the “Unlocking the Secrets of Cyber Insurance” webinar with Microserve, Cysurance, and Arctic Wolf.