Previous articles in this series covered the purpose and history of Cybersecurity insurance as well as the advantages and disadvantages of this specialized type of insurance. Next, we’ll look at the various factors that insurance companies consider when providing Cybersecurity coverage and, just as important, what you should consider when choosing an insurer.
Factors insurance companies consider before providing coverage
When deciding whether to issue a Cybersecurity insurance policy to an applicant, many insurance carriers look closely at what the organization is already doing to fortify its lines of defense.
These are all qualitative measures because, as has been pointed out throughout this series, there are currently no known financial models or other assessment tools in the insurance industry that can quantify the level of risk an applicant represents. At present, here is what an insurance company typically looks at when evaluating an applicant:
- If perimeter security has been installed. Typically, this includes a mixture of the use of Firewalls, Routers, and Network Intrusion devices. The insurance company wants to be assured that the organization has taken a proactive approach in deploying these tools to protect both their IT and Network Infrastructures.
- Making sure that there is a Security Policy in place and that it is being enforced. Although this is one of the first items that any business or corporation should address for its own sake, it is also one of the key areas an insurer will look for when an application is submitted for a Cybersecurity Insurance policy. The insurance company wants to see that the Security Policy is updated on a regular basis and that all employees abide by its rules.
- The implementation of a robust Password Policy. It is important to note that passwords are often the first target that the Cyberattacker will go after. After all, once he or she has this prized possession, they literally have the keys that can unlock the proverbial “crown jewels” of the unsuspecting victim. In fact, in many recent Cyberattacks, organizations have been blamed for enforcing poor Password Policies. Because of this, many insurance carriers are now scrutinizing business entities to make sure that they have an airtight Password Policy in place. Typically, this is what they look for:
  - Making sure that passwords are reset at regular intervals.
  - Confirming that the passwords used are very difficult to crack.
  - Employees are regularly trained in how to create a strong password.
  To meet the stringent requirements of the insurance industry, it is best if the organization has also deployed the following:
  - Multifactor Authentication: Another layer of security (such as Biometric Technology), in addition to the password, is used to fully authenticate the employee before they gain access to shared resources on the network drives.
  - A Password Manager: These are software applications that instantly generate very long and complex passwords that are very difficult to break, and can even reset the passwords used at regular intervals, without any intervention required by the employee.
- Confirming that there is a regular schedule for the deployment of software patches and upgrades. Even when an organization does this, there is no guarantee that its servers, workstations, wireless devices and other software applications won’t be hit by a Cyberattack. But doing this on a timely basis proves to the insurance carrier that the C-Suite is taking a very proactive stance in making sure that their systems are continually being updated.
- Making sure that the network lines of communication between remote workers and the corporate headquarters are secure. This is another prime target for the Cyberattacker. If they can intercept communications in this fashion, he or she will likely be able to gain subsequent access through a backdoor in the IT or Network Infrastructure of an organization. As a result, insurance companies also take a close look at what kinds of preventive measures have been taken in this regard. Key areas that are looked at include the following:
  - Has a Virtual Private Network (VPN) been installed?
  - Is Two Factor Authentication (2FA) being used? For example, along with the password, is another security measure being used to authenticate the remote employee, such as an RSA Token?
  - What standards of encryption are deployed?
- The types of Physical Access Controls that have been installed. As has been pointed out earlier in this article series, security breaches of the physical premises of a business are not covered by a Cybersecurity Insurance policy. Even so, the level of physical security an organization has deployed is taken into consideration by the insurance carrier before a policy is awarded.
If the business entity meets or exceeds the above criteria, there is a good probability that it will be accepted as a policyholder by the insurance carrier. But it is also important to keep in mind that once the policy is in place, the C-Suite must be proactive in maintaining their lines of defense, since an insurance company can conduct an in-depth audit at any time if they feel it is necessary.
Proactive steps the C-Suite takes usually include the following:
- Incident Response and Disaster Recovery plans are practiced on a regular basis and the appropriate documentation is updated in real time when and as needed.
- Security Awareness Training, especially for employees, is conducted on a regular basis.
- Any known and unknown gaps and vulnerabilities are continually being remediated. This is typically done by conducting an exhaustive Penetration Test and/or Threat Hunting exercise.
- Ensuring that there are an adequate number of controls in place to protect the Personally Identifiable Information (PII) and/or other types of regulated data that the organization has been entrusted to store in its databases.
- Making sure the business entity is up to speed in terms of compliance with both federal and state regulations.
- There are no repeated patterns of security-related issues going unaddressed and uncorrected.
By being proactive in this manner, the C-Suite can almost be guaranteed that they will receive the full amount of an insurance claim after it has been filed.
What to consider when choosing an insurance carrier
Just as insurance companies take a very detailed and comprehensive look at their applicants before awarding a Cybersecurity insurance policy, the C-Suite also needs to scrutinize the insurance company before they decide on a carrier. Here are some key variables that a business should consider:
- What different kinds of Cybersecurity insurance policies are available? Because of the dynamics of the Cyber Threat Landscape, insurance companies are now being forced to offer more than just one type of policy. If possible, try to obtain a standalone policy, as this will provide far more comprehensive coverage than simply attaching an add-on to an existing policy. Even more importantly, make sure that whatever Cybersecurity insurance policy you intend to get can be customized to your current and future needs.
- Confirm the deductible amounts. As you compare the various Cybersecurity insurance policies you are interested in, take careful notice of the deductible amounts. This process is much the same as evaluating medical and car insurance policies. Don’t assume that paying a cheaper premium is always best. Truth be told, it is not, and in the end, you literally get what you pay for.
- Carefully examine who specifically is covered by the Cybersecurity insurance policy. Today, many organizations rely on outside third parties (often vendors) to keep up with and stay ahead of their production schedules. But keep in mind that if you rely on an external third party and they are impacted by a Cyberattack, ultimately you will be held responsible for any financial losses incurred. Therefore, it is very important to make sure that you can include such third parties in your Cybersecurity insurance policy so that you are covered in this regard as well.
- What kinds of Cyberattacks are you protected from? As we all know, many kinds of Cyberthreats exist today, and when you include their variants, the list multiplies by at least 100X. Therefore, you should make sure that the Cybersecurity insurance policy you are about to procure covers any and all kinds of security breaches that may occur, regardless of intent. For example, was the breach malicious in nature, or was it simply a negligent error by an employee? Make sure that Cyberattacks initiated through Social Engineering are covered as well.
- Confirm the time frames in which your Cybersecurity insurance policy starts and ends. Many of the Cyberattacks that occur today take much longer to detect and mitigate than ever before (ranging from months to even years), given the stealthy and covert nature of the attacker. A prime example is the “Advanced Persistent Threat”, or “APT” for short, which can be defined as follows:
  “This is an attack campaign in which an intruder, or team of intruders, establishes an illicit, long-term presence on a network in order to mine highly sensitive data. The targets of these assaults, which are very carefully chosen and researched, typically include large enterprises or governmental networks. The consequences of such intrusions are vast, and include:
  * Intellectual property theft (e.g., trade secrets or patents);
  * Compromised sensitive information (e.g., employee and user private data);
  * The sabotaging of critical organizational infrastructures (e.g., database deletion);
  * Total site takeovers.”
Cybersecurity insurance is a relatively new and rapidly-evolving form of protection for today’s businesses. Therefore, it’s critical to understand the factors an insurance company will consider when reviewing your application. Likewise, you will want to understand what types of coverage are offered and what your business needs. Finally, it’s wise to scrutinize various insurance companies and what they have to offer you. Hopefully, you’ll never need to file a Cybersecurity insurance claim. But if and when you do, having the right policy with a reliable insurance company may very well save the day.
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc., and holds the Certified in Cybersecurity (CC) certification from ISC2.