The Guide to Preparing for a Cyber Insurance Audit
The fallout has left business leaders concerned about their own security posture and worried about how a breach would affect their own business. Consequently, it is no surprise that more businesses than ever are seeking to protect their digital interests with cyber insurance. Although the cyber insurance market is relatively new, interest in protection has begun to spike. Predictions of the global cyber insurance market suggest that the industry will grow from $8 billion USD to $20 billion USD by 2025. In late 2022, policy prices are doubling and claims are on the rise. Unsurprisingly, there has also been an increase in denials of coverage and claims.
The crux of these denials could be a fundamental misunderstanding of cyber insurance as a whole. Many business leaders have a difficult time getting up to speed on the nuances of cyber insurance and gaining perspective on exactly what it covers. Perhaps more importantly, many simply don’t have a firm grasp on the security assurances their company needs to have in place to qualify for a policy. And it’s understandable. After all, the world of cyber insurance is uncharted waters for most. However, it isn’t as complicated as most think, and the security precautions required to obtain a policy are very practical and reachable.
What Does Cyber Insurance Cover?
Most cyber insurance predominantly focuses on protecting businesses in the event that a cyber breach occurs. If a business has taken the required security precautions and still falls victim to malware, ransomware, data theft, an internal cyber-attack, or a phishing attack, most cyber liability coverage will take effect.
Most plans will cover the cost of fraud and reimburse the losses incurred during a business interruption. Many will also cover the cost of data restoration and even reputation management when an incident occurs.
Some plans may also include an investigation into how and where your business was breached and even provide you with access to cyber security experts to facilitate clean-up.
What’s Different About Cyber Insurance?
It is important to know that cyber insurance operates a bit differently than traditional insurance. Because of the volatile nature of the digital landscape, policies are only operative for 12 months at a time – then a new policy must be obtained. And there is no real standardization of requirements at this time.
New requirements should be expected year over year to keep up with the new attack methods that cyber criminals aim to use to their advantage. Your security team will need to remain up-to-date and vigilant to ensure that your policy is eligible for renewal. Regular evaluations and updates of your internal security policies, software, and infrastructure will help to guarantee that your policy can be renewed after the previous year of coverage.
An important sidenote – most insurers will require a 60-day application process each year to audit and evaluate your security posture. So, if you’re considering applying for cyber insurance, keep that timeline in mind. Also remember that if you don’t meet the updated requirements, 60 days is not a long time to implement the required security controls for your company.
What Are the Requirements to Qualify for Cyber Insurance?
Roughly a year ago, carriers began to require that those seeking cyber insurance must have Multi-Factor Authentication (MFA) enabled for all users across email, VPN, and device authentication. MFA is a hard requirement for businesses to obtain cyber insurance.
If you haven’t yet embraced MFA, you may already have the technical ability to get it going if you have Office 365 licenses. The Microsoft Authenticator App is bundled into your Microsoft license and enables secure sign-in via MFA for your employees.
If you want to stay ahead of the curve and take authentication to the next level, consider embracing biometric, passwordless authentication. Tools like Windows Hello for Business allow users to authenticate via facial recognition.
Helpful Assets to Qualify for Cyber Insurance
Have a Business Continuity and Disaster Recovery (BCDR) Plan
A provision that cyber insurers love to see when auditing for coverage is a Business Continuity and Disaster Recovery (BCDR) plan. A BCDR plan is a policy that defines how the business will mitigate and overcome outages, data loss, malware, etc. It should be tested annually, at minimum, to confirm that the business continuity capabilities actually work as designed.
An example of this in a microcosm would be storing resources with a hosting service like OneDrive. Because OneDrive keeps versioned copies of files, recovering data is less difficult even if a device is compromised or ceases to work. More broadly, a service like OneDrive can help your business recover from an incident with little to no impact on productivity.
Ultimately, you’ll want an off-site cloud server to back up your data. Datto backup works great as a reliable source for disaster recovery, file backup, and sync solutions for a BCDR plan. You may use a different vendor; just ensure you’re testing the system regularly.
Endpoint Detection and Response
Endpoint detection and response (EDR) software like Microsoft Defender for Endpoint or CrowdStrike can be advantageous in passing a cyber security audit. A basic EDR tool provides ongoing surveillance of your business’s endpoints to detect possible breaches. Then, once fully configured, the tool’s machine learning capabilities can automate the remediation of the threats it detects. Adopting an EDR tool is a great way to beef up your security stack and posture. There is also data from IBM’s Ponemon Institute showing that companies that use automated threat response have a lower breach rate and a reduced financial impact when a breach does occur.
A Strategy for User Lifecycle Management and Offboarding
Making sure access is properly removed when employees are offboarded is another important aspect to consider when you are approaching a cyber insurance audit. Without a strategy for user lifecycle management and offboarding, your systems will be vulnerable, and insurers recognize that. Consider the Colonial Pipeline breach. That attack used a VPN account tied to a former employee. Without an established User Lifecycle Management strategy, VPN access (and access to other systems) may become stale and forgotten – ripe for the picking by a cybercriminal looking to exploit data.
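The two audit points above, MFA enabled for every user and no lingering access for departed employees, are easy to check mechanically before an insurer asks. The following script is an added example, not code from the article or from any vendor tool. It reconciles a constructed directory export (one row per account with an enabled flag, an MFA-registration flag and a last sign-in date) against a constructed HR leaver list, and flags enabled accounts belonging to departed employees, enabled accounts with no MFA registered, and enabled accounts with no sign-in for a configurable number of days. The column names, the 90-day stale threshold and the sample rows are all assumptions; adapt them to whatever your identity provider and HR system actually export.

```python
"""Reconcile an identity directory export with an HR leaver list.

Added example (not from the original article). The CSV layouts, column
names and the 90-day threshold are assumptions; the sample rows below are
constructed for illustration.
"""
import csv
import io
from datetime import date, datetime

# Constructed sample: a directory export such as an IdP or AD tool might produce.
DIRECTORY_CSV = """\
user,enabled,mfa_registered,last_signin
alice@example.com,true,true,2022-11-20
bob@example.com,true,false,2022-11-18
carol@example.com,true,true,2022-06-01
dave@example.com,false,true,2022-03-15
erin@example.com,true,true,2022-11-21
"""

# Constructed sample: HR's list of employees whose employment has ended.
HR_LEAVERS_CSV = """\
user,termination_date
carol@example.com,2022-06-03
dave@example.com,2022-03-10
"""

# Assumed review date for the sample run and assumed staleness threshold.
AUDIT_DATE = date(2022, 11, 22)
STALE_DAYS = 90


def parse_directory(text):
    """Parse the directory CSV into dicts with typed enabled/MFA/date fields."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["user"] = row["user"].strip().lower()
        row["enabled"] = row["enabled"].strip().lower() == "true"
        row["mfa_registered"] = row["mfa_registered"].strip().lower() == "true"
        row["last_signin"] = datetime.strptime(row["last_signin"].strip(), "%Y-%m-%d").date()
    return rows


def parse_leavers(text):
    """Return the set of normalized user names HR reports as departed."""
    return {row["user"].strip().lower() for row in csv.DictReader(io.StringIO(text))}


def audit_accounts(directory_text, leavers_text, today, stale_days=STALE_DAYS):
    """Return a sorted list of (user, finding) tuples for an auditor to act on."""
    leavers = parse_leavers(leavers_text)
    findings = []
    for acct in parse_directory(directory_text):
        if not acct["enabled"]:
            continue  # disabled accounts are already offboarded; nothing to flag
        user = acct["user"]
        if user in leavers:
            findings.append((user, "enabled account for departed employee"))
        if not acct["mfa_registered"]:
            findings.append((user, "no MFA registered"))
        if (today - acct["last_signin"]).days > stale_days:
            findings.append((user, "stale account (no sign-in in %d days)" % stale_days))
    return sorted(findings)


def run_sample():
    """Run the audit over the constructed sample data."""
    return audit_accounts(DIRECTORY_CSV, HR_LEAVERS_CSV, AUDIT_DATE)


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user}: {finding}")
```

On the sample data the script flags bob (no MFA) and carol (still enabled after leaving, and unused for well over 90 days); dave is already disabled and so produces nothing. Running this on a schedule, and treating any "departed employee" finding as an offboarding ticket, gives you evidence for the audit rather than a promise.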
A Retained Incident Response Team
Retaining an incident response team is something insurers like to see when conducting an audit. A dedicated team with intimate knowledge of your infrastructure can also limit the extent of a breach and get your business back to normal operations swiftly if an incident does occur. It is a good idea to have these pros on retainer.
Adopting passwordless authentication will not only help you pass your cyber insurance audit, but it is also great for your security posture and for the employee experience.
Ongoing Security Awareness Training
Let’s be honest, the weakest part of any company’s IT security is the users. To begin with, your company should have regular security awareness training. The 2022 Endpoint Ecosystem report found that an alarming 36% of workers find ways around security policies. That’s a pretty jarring statistic, and it suggests that many employees don’t understand the importance of the policies established by IT leaders. A well-oiled security training program will improve your company’s security posture at large and give you an extra gold star during a cyber insurance audit.
Unrelenting cybercriminals have really forced the hand of business leaders to pursue cyber insurance. The reality is cyber insurance is a necessity for all businesses. It is best to get prepared sooner rather than later. Obtaining a policy will safeguard your business from a digital perspective, ensure your losses are recoverable, and, ultimately, help you sleep better at night.
Learn More About Preparing for a Cyber Insurance Audit
Andrew is our Digital Marketing Manager and oversees web-based marketing strategies and content creation for the organization. As a marketing veteran, Andrew has worked with organizations of all sizes in a diverse group of industries, from Risk Management to Transportation. Joining the organization in 2021, Andrew is based in Mobile Mentor’s Nashville, TN office.