To Obtain Cyber Insurance, Organizations Must Conduct Their Own Due Diligence
Insurers want to be certain that organizations have the proper cybersecurity protections.
Cybersecurity insurance has become essential to the operations of many organizations but more difficult to obtain. In recent years, insurers have paid out significant money in the wake of security incidents, so their requirements have grown stricter, and their policies have become more expensive. In some cases, insurers have dropped coverage for organizations that lack certain security protections.
Many organizations are wondering how to meet insurers’ more stringent requirements and what steps they can take to obtain the coverage they need. Some may opt to go without adequate cyber insurance. To me, that’s risky, like driving without car insurance and hoping that you won’t get into an accident.
A better option is to demonstrate to insurers that your organization is a risk worth taking. In the process, you’ll make the organization more secure and better able to withstand any security incident that might occur.
Prove That Your Organization Has Proper Security Measures in Place
The most important question insurers ask is whether an organization has put in place proactive security measures and has the documentation to prove it. For instance, we know that unpatched software represents a significant cybersecurity risk. Accordingly, organizations should have a documented policy for patching and proof that they have followed it.
Organizations also need asset management software to ensure they know what’s on their networks, especially if they have hybrid workforces or BYOD programs. They also should have a policy for multifactor authentication and a tool that can demonstrate its effect. Ideally, MFA should cover every user and endpoint, but at a minimum it should apply to critical assets, remote users and everyone with administrative network rights.
Further, an organization should be able to document that it conducts third-party penetration tests at least annually and that it has promptly remediated any issues that the testing revealed. An organization should also supplement annual assessments with internal penetration testing or other efforts to find and fix vulnerabilities.
The next area to evaluate is whether the organization will have the proper support if an incident occurs. Incident response experts deal with breaches daily and know how to handle them quickly and effectively. Having an incident response service on retainer is like knowing that you can call the fire department for help if your house catches fire.
Organizations should also review physical security weaknesses that could compromise cybersecurity. Are facilities properly locked down? Can controls prevent unauthorized people from tailgating behind an authorized person to gain entry to sensitive areas?
Assess Cyber Insurance Needs Based on the Potential Business Impact of a Breach
Some organizations must secure dispersed environments, including co-located data centers and offices in multiple countries. These also must be managed to ensure that an infiltration does not compromise the rest of the environment.
Similarly, organizations need to know that cyber insurance will cover their secondary sites. For instance, I live in Texas, but my car insurance becomes void if I drive to Mexico. Across-the-board coverage should include third parties, because as soon as a security incident happens, the blame game will begin. IT leaders should find out whether a policy provides protection if an incident originates in another organization or even another country.
Organizations should review coverage limits to be sure they are adequate for different scenarios, just as we do with car insurance. If that fender-bender becomes a catastrophic accident, will you have all the coverage you need?
The final step is to conduct a business impact analysis to understand the potential effects of a security incident. What would it cost the business to be down for a week, or a month? What would the recovery process look like? Does the organization have the right partners to mitigate damage and recover properly?
Preparing for cyber insurance has become more challenging, but it can also push organizations to implement essential security measures that they may have overlooked. The best way to prepare for a security incident is to ensure that you’ve taken the proper steps to keep the organization secure, that you have the appropriate coverage and that you know whom to call for help.
Story by Mikela Lea, a principal field solution architect with CDW. She is a security engineer with 15 years of experience in technology and consultative sales, with an emphasis on security and e-commerce.