SPOT Cybersecurity Tip: Cyber Insurance Explained – Part 3

In Part 1 of Cyber Insurance Explained, we explained what Cyber Insurance covers. We learned about:

• Network security and privacy liability
• Network business interruption
• Media liability
• Errors and omission

In Part 2, we explained what to look out for when purchasing Cyber Insurance. We learned about:

• What's at Risk?
• What are the Costs of a Cyber Attack?
• What are the Gotchas when it comes to Cyber Insurance

In Part 3 today, we will explain how to properly answer the questions on your Cyber Insurance application.

The continued increase in high-profile Cybersecurity incidents have tightened requirements to qualify for cyber insurance. Cyber Insurance Carriers now understand that appropriate cybersecurity is more than just a firewall and antivirus. Here are some of the tougher questions insurance carriers are now asking, and how you can properly answer them.

• Are your backups encrypted and is there a copy kept offline (or in the cloud)? You'll need a backup solution that stores both a local copy that is encrypted, and then another copy stored in the cloud, also encrypted. Bonus points if your cloud backups are considered "air gapped" by your cloud provider.
• Have you implemented Multi-Factor Authentication? MFA is the single most important cybersecurity control that you can implement. However, as a business owner, you must implement MFA across all of your different systems that you want protected by cyber insurance - logging into your computer, any and all remote access, administrative access to any system, Microsoft 365 (email and other cloud apps), and any critical cloud application that houses sensitive information.
• Do you have Next Generation Antivirus with End Point Detection & Response (EDR) deployed to all PCs and servers? Traditional Antivirus is no longer enough for end point protection. Most Cyber Insurance Carriers now require an EDR solution.
• Do you require your employees to complete End User Security Awareness training on an annual basis? Your employees are the weakest link when it comes to Cyber threats. Make sure you are training them to recognize phishing emails, social engineering attempts, and the latest Cyber scams.
• Are documented processes in place to verify requests for changes in bank account details, payment details, Personally Identifiable Information (PII), or contact information? Some threats don't come through the computer or email; they come from phone calls. Having processes in place can reduce the likelihood of scams involving changing payment details for vendor payments or employee direct deposit. These types of threats can cause significant financial loss.
• Are you using Microsoft 365? For many organizations, Microsoft 365 is their most important IT system. Not only do they have their email in the Microsoft Cloud, they may also use Teams, SharePoint Online, and OneDrive. Having MFA for Microsoft 365 and using Microsoft 365 Business Premium or higher subscriptions can ensure that you have the right Microsoft 365 cybersecurity controls in place.
• Do you utilize a Security Operations Center (SOC)? While SOCs are not commonly used in SMBs, they are more commonly used in mid-market and enterprise organizations. While not a requirement today, it's possible (or maybe even likely) that SOC services will be required in the future.

Our last advice for Cyber Insurance applications - answer truthfully and make sure you have the required Cybersecurity Controls for any IT system that you want covered under your Cyber Insurance.

We hope you now feel more confident about buying Cyber Insurance. If you'd like to learn more about how to gain the required cybersecurity controls to obtain cyber insurance, reach out to us for a complimentary Cybersecurity Discovery call.