When it comes to obtaining a cyber insurance policy for your organisation, you need to be prepared to meet a wide range of requirements.
Are you aware of what’s entailed?
Whether you’re new to cyber insurance and starting from scratch or going through a renewal, you may have a surprise in store about what you need to have in place.
The same may apply if you already have cyber insurance. You may believe you’re covered, only to find, when you delve into the detail of the policy, that you’re not.
Insurers are intensifying their scrutiny of businesses’ cyber security technology. They are becoming increasingly pragmatic, demanding a baseline of protective software, tools and processes before they will underwrite a policy.
Paul Shears, Senior Tech Analyst at North Devon Council, discovered this when he spoke to an insurance provider.
“The level of detail was quite shocking now what cyber insurance requires,” he told us. “A few years ago, you could get cyber insurance and you didn't have to give a lot of evidence as to what you did and what you didn't do.”
He described the approach of insurers as a “lot more stringent” than in previous years.
So, what do you need as a business as a minimum level of security in order to get a policy in place? What will insurers assess?
It’s fair to say every insurance provider is different and their policies and requirements vary. However, many aspects are common across most policies. Let’s explore some of the key ones.
Providers are scrutinising ever more closely how businesses control access to their privileged credentials. Privileged access is being highlighted as a particular point of weakness and an area where many claims are arising.
Paul Shears discovered this during the cyber insurance renewal process. He said: “The cyber insurance provider specifically said we want to see that you've implemented a Privileged Access Management (PAM) solution.”
Privileged accounts allow individuals to perform tasks such as installing new software or changing configuration settings. If criminals get hold of those credentials, they can steal or delete data, or wreak havoc by making changes to systems, servers, applications and devices.
Traditional identity and access management (IAM) tools don’t provide sufficient protection on their own: they verify that a user is who they claim to be before letting them log in, but say little about what happens afterwards. Specialist PAM tools take security up a level by controlling which systems privileged users can access and exactly what they can do once connected.
Insurers will look for additional protection around critical systems such as backups, which are essential for recovering and restoring data after a breach such as a ransomware attack. Businesses should ensure their data is backed up to multiple onsite and offsite locations, and that effective access controls are applied to the backup systems themselves.
Employees’ laptops, devices and workstations are attractive entry points for cyber attackers aiming to gain a foothold in the corporate network. If staff have privileged admin rights enabled on those devices, an attacker who compromises one can do far more damage once inside. Insurers will want to see that systems are in place to handle the situations where humans make mistakes – for instance, forgetting to log out or joining an unsecured Wi-Fi network.
Although privileged accounts, data backup systems and user endpoints stand out, insurers have a number of other stipulations.
So, what kind of things can you expect a provider to ask you about your organisation when it comes to these critical requirements?
Here are a few for starters:
- How is the business protecting privileged accounts and credentials?
- Who has access to which systems?
- How and when are account credentials updated?
- Are accounts removed as soon as there’s a suspected breach or a member of staff leaves?
- What backup solution is your business using?
- How are you backing up and how are you managing the access control?
- Does the business have tools for multi-factor authentication to cover remote access, remote desktop protocols and emails?
Rather than seeing it as a negative, businesses faced with ‘complying’ with the growing list of cyber insurance eligibility criteria should view it as an opportunity to strengthen their security.
After all, the measures insurers want to see in place align with cyber security best practice. And ultimately, it’s in insurers’ interest to keep policyholders safe.
Reviewing these requirements should be the first port of call for businesses wanting to apply for or renew a policy.
Want some more help in understanding the requirements and how Osirium can support your organisation?
Get in touch with our team here.