Meeting The Technical Requirements Of Cyber Insurance

Dec 13, 2023 | Elden Quesinberry

We’re Small – Do We Need Cyber Insurance?

I’ve recently heard small business owners question whether they need cyber insurance. Granted, the data breaches that make the news are typically about larger, well-known companies like Auto Zone, Boeing, and Equifax. This tends to give small business owners a false sense of security. Small and medium businesses are often targeted precisely because they have enough revenue to be worth attacking, weaker IT security makes intrusion easier, and the media or law enforcement probably won’t publicize the breach. The average data breach at a small business costs $179,000 in recovery expenses, according to a report from data security company Varonis Systems. Businesses not financially prepared to deal with the aftermath of a cyber breach could be seriously harmed or even forced to close.

So I Do Need It, But How Much?

The amount of cyber insurance a given organization needs will depend on several factors. It boils down to the type and sensitivity of the data it has access to and the risk of that data being exposed. A company with access to Personally Identifiable Information (PII) such as social security and driver’s license numbers would likely need more insurance than one that only accesses names and email addresses. As you read further, you’ll learn it also depends on the IT security measures already in place.

How Do I Start The Process To Get Insurance?

The best way to start the process and learn more is to speak with a qualified cyber insurance broker. Note I use the word “qualified”. When Layer8 started our search years ago, we called our existing insurer, which held our general liability policy. It didn’t take long to figure out they didn’t understand cyber insurance. A quick chat with a long-time friend revealed his company was a broker for several carriers. Not only did they know the cyber products exceptionally well, but because they also brokered other insurance, such as general liability and E&O, they created a custom insurance package for our needs. If we had bought a typical cyber policy, it would have included some general insurance that overlapped our general liability policy, and we’d have paid too much. Feel free to reach out to me for this excellent broker’s contact information. Once we got started, they warned us about the crazy applications. Read on…

What’s Up With All The Technical Questions?

Since Layer8 has been doing IT security for over 20 years, and I’m the dude that got that train rolling, I figured “no problem” with a technical application. Wrong! I managed to get through most of it but had to return to our broker rep, who interpreted the questions so that my IT-geared brain could understand them. Since we were shopping for the best insurance, we had two different applications to complete. Our broker explained that early on, insurance carriers wrote simple, fairly open policies with little to no diligence in verifying the applicant’s IT security posture. In short order, they were paying out far more than they took in and had to adjust rapidly. And adjust they did! A glance at the cyber insurance application forms showed this wouldn’t be a 5-minute exercise!

Here are a few sample questions to be ready for:

  • Is multi-factor authorization utilized and required for all remote access to the network provided to employees, contractors, or any other third parties?
  • Do you have the capability to automatically detonate and evaluate attachments in a sandbox to determine if they are malicious prior to delivery to the end-user?
  • Do you use a privileged user management software to protect administrative log-in?

Top 10 Security Measures Insurance Carriers Look For

From what Layer8 has seen and from our own experience with cyber insurance, the following IT security measures (in no particular order) are typically what carriers look for. If your organization does not have all of these measures currently in place, it doesn’t necessarily mean you will be denied coverage. You may have fewer carriers to choose from and may be offered less coverage. I will say that lacking MFA and offline backups (items 1 and 6 below) will likely result in not getting any coverage at all.

  1. Multi-factor authentication (MFA)
  2. Security awareness and employee training
  3. An Incident Response Plan (IRP)
  4. Encryption (in motion & at rest)
  5. Privileged access management
  6. Offline archiving & backups
  7. Endpoint detection & response (EDR/MDR)
  8. Vulnerability management
  9. Email filtering and other anti-phishing measures
  10. Strong access controls

We Don’t Have Half Of These IT Security Controls – Now What?

We don’t sell insurance, but Layer8 can help. We can review the controls your insurance carrier requires and compare them to what you have in place today. Many times, the required controls can be implemented cost-effectively. They don’t need to be overly complicated or expensive; they just need to mitigate the area of risk effectively.

With over 20 years in IT security and networking, Layer8 Consulting is well-positioned to assist your organization. Layer8 has helped many of our clients implement cost-effective IT security controls. Contact us today to discuss how we can help you!