Friday, August 11, 2023

Need To Get Cyber Insurance? Here Is A 9 Point Checklist

There is no doubt that the world of Cybersecurity is highly complex, not only to navigate, but also in terms of fending off the Cyberattackers who are targeting your business.  But now there is another looming headache on the horizon, and it is a huge one: Cybersecurity Insurance.  Essentially, this is a financial safety blanket for when you are impacted by a security breach, much like the coverage you carry for a car accident or a major medical mishap.

The thinking here is that if you are hit with a security breach, all you have to do is file a claim, and voila, you get your payout a few days later.  Unfortunately, the world does not work like that at all today.  Insurance carriers have really clamped down on making payments, and worse yet, they are becoming even pickier about whom they will accept as a policy holder.

A good example of this is when a company pays the ransom after becoming the victim of a Ransomware attack.  Given how frequently this threat variant now occurs, many carriers are denying payouts outright for these types of claims.  Just consider some of these other stats:

*27% of all companies that filed a claim did not receive a full payout (in fact, some were even denied all together).

(SOURCE:  https://www.nedaglobal.com/ned-insights/publications/willis-towers-watson-cyber-claims-analysis-report/)

*The average cost of a data breach in the United States is now pegged at over $9 million for a single incident, and the global average has reached a staggering $4.25 million per incident.

(SOURCE:  https://www.verizon.com/business/resources/reports/dbir/)

Here are some other examples of what an insurance carrier can do to deny coverage, or to make only a partial payout:

*Deny coverage outright if you do not have the required kinds and types of controls in place.

*If you are accepted as a policy holder, your premiums could be tied to how the carrier views your security posture.  For example, if it is mediocre to average, you will pay a much higher premium than a business with a much stronger posture.

*Impose other kinds of limitations on both coverage and payouts until your security posture has reached a level that is deemed acceptable.

So given that the screws are really starting to tighten, what can a company do to not only ensure that it can get a reasonably good policy, but also be somewhat assured of getting a payout?  Here are some quick tips that you can follow:

*Implement MFA, and push it to the point where you are no longer relying on passwords at all (for example, FIDO2 security keys or passkeys), so that a stolen or phished password on its own gets the attacker nowhere.

*Segment your IT and network infrastructure.  In this regard, your best friend will be the Zero Trust Framework.

*Make sure that you are backing up data on a regular basis, and that you keep multiple copies (both on site and off site).  At least one copy should be offline or immutable, so that a Ransomware attack cannot encrypt the backups along with the production data.  In this regard, using the Cloud, such as Azure, will be your best bet.

*Have an effective Privileged Access Management (PAM) strategy in place.

*Deliver security awareness training to your employees on a regular basis (at least once a quarter is considered to be the bare minimum).

*Make sure you deploy antivirus and anti-malware software on all of your endpoints.

*To whatever degree you can, try to have some sort of Security Operations Center (SOC) in place.  Obviously, this is probably not affordable for many SMBs, but I think you can actually create a virtual one for a very affordable price by using Azure.

*Always make use of a SIEM.  This will show that you are being proactive by monitoring all of the real alerts and warnings that are coming in.  Just as importantly, have an effective triaging strategy in place as well.

*If you do make use of Azure, make sure that the Azure Active Directory (AAD, now renamed Microsoft Entra ID) tenant you configure is as airtight as possible, in order to avoid any data leakage.  All the controls that you will need for this reside within the Azure Portal.
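The backup item on the list above is the one that can be checked mechanically rather than just attested to on a questionnaire.  The following Python script is an added example (it is not from the original post): it takes a manifest of backup copies and checks each dataset against the 3-2-1 rule (three copies, two media, one off site) plus the Ransomware caveat that at least one intact copy must be immutable, verifying each copy's SHA-256 digest against the source so that an encrypted or corrupted copy is not counted.  The dataset names, storage locations and digests are constructed for illustration.

```python
"""Backup-posture check: the 3-2-1 rule plus integrity verification.

Added example for this post, not code from the original page.  The manifest
format, dataset names, locations and digests below are constructed assumptions.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    dataset: str      # what was backed up
    location: str     # where the copy lives (assumed label)
    medium: str       # e.g. "disk", "tape", "object-storage"
    offsite: bool     # stored outside the primary site
    immutable: bool   # WORM / object-lock / offline: cannot be rewritten in place
    sha256: str       # digest of the copy as read back from that location


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate_dataset(expected_sha256: str, copies: list) -> list:
    """Return a list of findings for one dataset (empty list == passes policy)."""
    findings = []
    # Integrity: a copy only counts if it hashes to the same digest as the source.
    good = [c for c in copies if c.sha256 == expected_sha256]
    for c in copies:
        if c.sha256 != expected_sha256:
            findings.append(f"copy at {c.location} does not match source (corrupt or encrypted)")
    # 3-2-1: at least three intact copies, on two media, with one off site.
    if len(good) < 3:
        findings.append(f"only {len(good)} intact copies (need 3)")
    if len({c.medium for c in good}) < 2:
        findings.append("intact copies are all on one medium (need 2)")
    if not any(c.offsite for c in good):
        findings.append("no intact offsite copy")
    # Ransomware caveat: at least one intact copy must be immutable or offline.
    if not any(c.immutable for c in good):
        findings.append("no intact immutable copy; ransomware could overwrite every copy")
    return findings


def evaluate_manifest(sources: dict, copies: list) -> dict:
    """sources maps dataset name -> expected digest; returns dataset -> findings."""
    return {name: evaluate_dataset(digest, [c for c in copies if c.dataset == name])
            for name, digest in sources.items()}


# --- constructed sample data (not real backups) ---
PAYROLL = b"payroll-db-dump-2023-08-11"
CRM = b"crm-export-2023-08-11"
ENCRYPTED_CRM = b"\x00garbage-left-behind-by-ransomware"  # simulates an encrypted copy

SOURCES = {"payroll": sha256_hex(PAYROLL), "crm": sha256_hex(CRM)}

COPIES = [
    # payroll: three intact copies, two media, off site and immutable -> passes
    BackupCopy("payroll", "onsite-nas", "disk", False, False, sha256_hex(PAYROLL)),
    BackupCopy("payroll", "tape-vault", "tape", True, True, sha256_hex(PAYROLL)),
    BackupCopy("payroll", "azure-blob-locked", "object-storage", True, True, sha256_hex(PAYROLL)),
    # crm: the only offsite copy was encrypted, leaving two on-site disk copies -> fails
    BackupCopy("crm", "onsite-nas", "disk", False, False, sha256_hex(CRM)),
    BackupCopy("crm", "onsite-nas-2", "disk", False, False, sha256_hex(CRM)),
    BackupCopy("crm", "azure-blob", "object-storage", True, False, sha256_hex(ENCRYPTED_CRM)),
]

if __name__ == "__main__":
    for name, findings in evaluate_manifest(SOURCES, COPIES).items():
        print(name, "PASS" if not findings else "FAIL")
        for finding in findings:
            print("  -", finding)
```

Run against the sample manifest, "payroll" passes with no findings, while "crm" fails on all five checks: the one off-site copy no longer matches the source, so only two intact copies remain, both on the same medium, on site, and writable.  The point is that a copy count alone is not evidence of recoverability; the digest comparison is what turns "we have backups" into something an auditor can verify.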

My Thoughts On This:

Cybersecurity Insurance has always been a gray and murky area to deal with.  It is by no means an easy process; it is nothing like shopping for car insurance, or even medical insurance for that matter.  Simply getting a policy is not enough: there are many add-ons and riders that you will need to explore in order to get the exact coverage that you need.

But honestly, the best way to get started in the application process is to ask for a risk assessment questionnaire from the insurance provider with whom you are seeking coverage.  This is a few pages long, and simply asks whether you have the needed controls in place.  If you do, you can simply check off “Yes”; if not, you will have some work to do before you can submit it.

However, it is very important to remember that you cannot attest to the questionnaire yourself.  It has to be validated by another person as well, such as your compliance officer or even a vCISO.  This also comes down to another point: you shouldn’t maintain a strong security posture just to get Cybersecurity Insurance; you should have one to begin with.

Once you have submitted the questionnaire, the insurance company may even come out to conduct an audit before they award a policy, and there is nothing stopping them from doing so again after you become a policy holder.  It is probably in your best interest to get some sort of Cybersecurity Insurance now, if you don’t already have it.

The reason for this is quite simple:  the cost of data breaches will soon far exceed what the insurance industry can afford to cover, and carriers are already narrowing what they will pay for.  Lloyd’s, for example, has instructed its market to exclude losses from state-backed cyber attacks.  For more information on this, see the market bulletin linked below:

https://assets.lloyds.com/media/35926dc8-c885-497b-aed8-6d2f87c1415d/Y5381%20Market%20Bulletin%20-%20Cyber-attack%20exclusions.pdf
