Cyber is a highly dynamic risk – making it a tall task for organizations to implement cybersecurity measures fast enough to protect their data. In just one year, comparing 2020 with 2019, we saw a 141% increase in data breach activity, the largest increase ever recorded within a single year.
Cybersecurity insurance is critical for businesses of all sizes because attacks are only becoming more frequent and more sophisticated. Organizations will need help staying afloat after an attack. Cyber insurance is a critical component of any organization’s cyber risk management program and can often be the key differentiating factor on whether or not a business can survive an attack. The insurance offers the financial risk transfer to cover the services involved in managing a cyber incident, including IT forensics, Privacy counsel, notification costs, regulatory fines and penalties, public relations, and even the potential revenue loss due to the interruption of your operations.
The cyber insurance market has evolved drastically over the past 24 months. The pandemic exacerbated the proliferation of ransomware attacks as hackers took advantage of the weakened defenses of the remote workforce. As more attacks have occurred and more ransoms have been paid, the costs incurred by insurers have increased exponentially. Insurers are now applying significant scrutiny to how they underwrite a potential business and are coupling their restrictive appetites with much higher premium rates.
Because the insurance is such a critical piece, organizations should begin preparing today for their cyber insurance renewal. To obtain the best rates and terms, or even to be considered “insurable”, the following items may be necessary:
Multi-Factor Authentication
This is the #1 question asked by the insurance markets today! “Do you have MFA?”
Also known as “two-factor authentication”, multi-factor authentication (MFA) is used at the login process and helps to validate that a user is who they say they are. It requires two forms of evidence to confirm identity – most commonly a password accompanied by a passcode sent by text message. Insurance carriers will require businesses to have MFA enabled on email access, on any and all remote access to the network, and on privileged (administrator) accounts. They will also prefer that you have MFA enabled for access to your data backups. These controls are required by almost all insurance markets today, as having them in place would have prevented a significant number of past ransomware incidents. Many insurance markets will consider a business “uninsurable” without MFA deployed in these areas.
Secured Remote Connectivity
Due to the pandemic, more people than ever before are working remotely. Along with that change comes a loss of control, because individuals may be using personal devices, non-commercial-grade software, or unsecured remote access. Securing remote connectivity prevents unauthorized access to an organization’s information. Methods include using a virtual private network (VPN), which must itself be secured by multi-factor authentication. Insurance carriers will often perform an external network scan to identify whether you have any exposed ports or open Remote Desktop Protocol (RDP), which is equivalent to leaving the door open for a hacker to enter. A good cyber hygiene practice is to periodically have a penetration test or vulnerability assessment performed to identify these potential exposures.
Segregated Data Backups
Often in a ransomware attack, the hackers encrypt not only your network but also your data backups, because they are stored on the same network, leaving you no choice but to pay a ransom to restore your systems. To combat this, insurance carriers want clients to have their data backups fully segregated from the network, by storing them either offline (such as on tapes) or in a separate cloud service. Best practice, again, is to have access to the backups secured by MFA! Additionally, it is imperative to periodically test the efficacy of your backups by restoring from them, to ensure they are working properly.
Employee Training & Phishing Exercises
Employees are the gatekeepers to your organization’s network. As such, they represent one of the biggest vulnerabilities. Employee training can be one of the most effective and lowest-cost strategies for preventing cyber-attacks. Best practice is to conduct the training frequently, meaning more than once a year. When coupled with periodic phishing tests, you can identify users who may need retraining beyond what is already required. By providing regular training and phishing exercises, employees will have the tools and the knowledge to better identify risks and fraudulent emails, and you will shift the culture of your organization toward a stronger cybersecurity focus. Insurance carriers will ask whether you provide any such training to your user base and expect that it is done AT LEAST annually.
Cyber Incident Response Policies
Despite your best efforts to prevent an attack, the fact remains that you may find yourself facing a cyber incident of some sort before long. What would you do if you realized you were suffering a ransomware attack? This is the question you should be asking, and plotting out your answer to. As part of your broader Disaster Recovery and Business Continuity planning, organizations should prepare cyber-specific incident response policies. Planning in advance what steps you will take, including how you will communicate, who will be involved in decision making, and what resources you will want to engage (especially your broker and insurance carrier, so that you can engage the resources covered by your policy), can save you many hours of downtime in the event of a real attack. Furthermore, once completed, a copy of the plan should be printed out old-school style and distributed in a few places, because you may not be able to access it on your company network in the event of a real incident! Insurance carriers will ask whether you have a plan, and often have resources and templates to help you build one if you do not. Best practice is to test your plan by conducting a tabletop exercise, or simulation, of a cyber incident to see whether it needs to be modified.
Endpoint Detection and Response Tools
Technology is your friend, especially when it comes to mitigating cybersecurity threats. There are many available tools and platforms that will proactively monitor for threats and alert you when they occur. Insurance carriers today expect you to have deployed next-generation antivirus software, and are beginning to ask for (and sometimes require) the deployment of Endpoint Detection and Response (EDR) solutions. EDR should be rolled out across all of the “endpoints” on your network, including servers, mobile devices, and so on. It allows for continuous monitoring of these devices, but most importantly it helps to isolate a threat or attack and prevent it from spreading. EDR is becoming a standard part of cybersecurity programs, and if you don’t have it already, it should be on your radar for the next year.
Encryption on Data at Rest and in Transit
Data encryption protects sensitive information and mitigates the risk of a data breach. Data at rest is data that is stored, for example in databases, and is therefore not actively moving through networks. Encrypting data at rest protects an organization’s data no matter where it is stored. If an employee’s device is stolen, the encryption will protect the data even after the hacker has gained access through a thumb drive. Information will look like a string of random characters when the hard drive is encrypted. This should be implemented on servers and laptops. Data in transit, by contrast, is most commonly data being shared over email. There are tools available to automatically encrypt emails that contain potentially sensitive information. Insurance carriers will ask about these solutions, and depending on the nature of your operations, it could be imperative that you have something in place.
Patch Management Program
Software updates are often a direct result of a bug that has created a vulnerability. The process of applying these updates is called patch management, and how quickly a vulnerability is addressed is of critical importance. Often underappreciated, a sound patch management program is a crucial component of a sound cyber risk management program. A good (or bad) example of this is the Equifax breach of 2017, in which hackers exploited a vulnerability in a piece of software used by Equifax for which Equifax had failed to apply a critical patch for months. This attack would have been prevented if they had good internal processes for the timely deployment of software patches.
Vulnerability Assessments and Penetration Testing
Get tested! Not just for COVID-19, but also for your network vulnerabilities! Penetration testing aims to exploit weaknesses, while a vulnerability assessment identifies pre-existing flaws. Both should be performed by an outside party, preferably annually, to identify any existing weaknesses in your network infrastructure.
Supply Chain Risk Management
This is a big one. In today’s business world, we are so often dependent on the services of other organizations, whether they are our insurance carriers, our cloud service providers, our supply chain vendors, or our clients. Part of these dependencies may involve the sharing of data or access to our networks. Who you allow to access your data and systems can be the difference between enhanced security and none at all. Keep careful track of the third-party vendors and organizations who have access to your data, and examine how that access is controlled.
It is clear that all organizations, whether a multi-billion-dollar enterprise or a small internet business that is just getting started, face the risk of cybersecurity attacks. What sets you apart is your cybersecurity readiness program, and your ongoing focus and engagement in your efforts to protect your data. The strategies highlighted above are a great place to start, and getting real about cybersecurity insurance comes next. Do your part and take a stand with us!