Cyber-Security Insurance Applications are getting tougher
As cyber-security incidents continue to climb, insurance providers have again responded by implementing even tighter policy screening protocols. Unfortunately, a considerable number of businesses remain exposed, and cyber-security insurance providers logically need to protect themselves from those who don’t follow cyber-security best practices. This article will help your business prepare for the incoming changes.
The fundamentals
Let’s begin by answering the big question, do you really need cyber-security insurance? It’s a fair question! The logical approach is to consider the risk. Here are several eye-openers:
- The average cyber-incident costs an average of $200,000
- Small businesses are three times more likely to be targeted by cybercriminals than larger companies
- 95 percent of all cyber-security breaches are caused by human error
- 60 percent of companies go out of business following a cyber attack
Small businesses are easy targets primarily because they don’t believe they’re targets and do not implement appropriate security. Ironically, all businesses, no matter the size, should follow the same fundamental best practices to eliminate a considerable portion of the risk. These fundamentals do not apply to business size and continue to be used by insurance companies to approve policies.
A business is an invaluable long-term investment. Similar to your home, it’s likely worth significant capital and potentially took decades to build. Even massive businesses with billion-dollar budgets experience cyber-security incidents regularly. It’s no longer a question of if it will happen; it’s when. If we’re talking brass tacks, unless you have the resources and patience to restart entirely or are comfortable walking away, we highly recommend purchasing coverage.
No network or system will ever be 100% secure; this is where cyber-security coverage provides true value.
What are the new requirements?
The following checks were observed reviewing the latest round of cyber-security insurance application forms. Be prepared; They represent a significant jump in due diligence compared to former versions. Altogether, you’re looking at the fundamentals described above, most of which have been around for years. Businesses are now expected to implement them.
Multi-Factor Authentication (MFA)
This is the number one security feature insurance companies expect for services like Microsoft 365, Google Workspaces, and remote access VPN.
By enabling MFA, 99.9% of all account-based attacks are prevented. Multi-Factor Authentication is highly effective because the user is notified when someone tries to log in, and they have the opportunity to approve or deny it. This essentially means even if a third party has the login details, access is blocked unless explicitly authorized by the user on their mobile device. Additionally, the user is made aware that someone has their credentials, allowing the opportunity to change the password immediately.
For clarity, intelligent systems like Microsoft 365 do not require each user to complete the MFA process every time they log in. It typically presents itself when an attempt is made to log in from a new location or device.
Not using MFA is dangerous and negligent.
Endpoint Protection
The term “Endpoint” simply means a computer or user device. Therefore, Endpoint Protection refers to the anti-virus, anti-malware, and anti-ransomware software running on computers or user devices. Endpoint Security is required, insurance companies want it, and it should be used on all computers and servers. Additionally, it should be monitored by your IT team to ensure they know what’s happening. Remember, 95% of all security incidents are caused by users.
EDR (Endpoint Detection and Response) was also observed on the latest application forms. EDR offers extended information that can be used to provide advanced monitoring, telemetry and logging for endpoint security incidents.
Backups
Backups are critical and often the last line of defence for a major incident. This is another mandatory insurance requirement.
Here are the general rules to adhere to:
- Ensure server backups are image-based (they backup the entire server, not just files/folders)
- Ensure you have local and offsite backups of all servers (at least two copies in different locations that are independent)
- Ensure all backups are protected by modern encryption with a strong encryption key
- Ensure all backups are protected by modern encryption while in transit (when being sent somewhere)
- Ensure your encryption key is protected
- Ensure backups are automated and run at least once per day
- Ensure backups are tested at least once every 6-months
- Ensure a cloud-to-cloud backup service protects cloud systems like Microsoft 365 and Google Workspaces
- Try and use backup services that use MFA (Multi-Factor Authentication)
This seems like a lot, but ultimately, if you work with the right backup vendors, you should be covered. But ask the questions! Make sure.
Perimeter Security
Next-Generation Firewalls go beyond conventional firewalls and routers by offering application awareness and advanced security features. They identify which applications are in use and use this data to defend against real-time attacks, malicious activity, or even employees misusing resources while on the job (e.g., pornography or illegal downloads). Based on the latest round of application forms, this appears to be another insurance requirement. Pay particular attention to whether your IT team is using Next-Gen firewalls for:
- IPS (Intrusion Prevention System) – Blocks attempts to exploit vulnerabilities on computers, servers, or services.
- Advanced Threat Protection or Command/Control – Blocks attempts to “call home” to hackers.
- Application Control – Prevents staff or systems from using dangerous applications.
Two other services insurance companies are now asking about are:
- Vulnerability Scanning – This is a service that actively looks for vulnerabilities in your network, allowing the opportunity to patch/fix them before a third party can exploit them.
- Penetration Testing – This is a service performed by third-party security teams. They analyze, test, identify and attempt to break into your systems.
It’s unclear if Vulnerability Scanning and Penetration Testing are mandatory.
Cloud Security
Since cloud services are accessible on the internet, insurance companies pay close attention to cloud security. Out of the box, cloud services are not necessarily safe and often require technicians to lock them down and continually apply changes as best practices advance.
The following were observed on the latest application forms:
- MFA (Multi-Factor Authentication) needs to be enforced for all user accounts (do not activate it manually each time)
- Phishing testing must be performed at least once per year for all employees
- E-mail services must be protected by inbound malware and spam scanning
Interestingly enough, they also review your business’ Microsoft SecureScore too! This helps confirm how compliant your cloud systems are against Microsoft’s cloud security best practices.
Network Security
Network security encompasses a number of areas within your infrastructure. Even with no internal servers, network security is important.
The following were observed on the latest application forms:
- Strong password policies must be used for all accounts
- Staff should not be provided local administrator rights or permissions on their PCs (IT team only)
- Administrator accounts must be separate from user accounts, not accessible to staff, and highly protected
- Hardware, software and systems must not be end-of-life or end-of-support (the vendor actively supports it)
- Hardware, software and systems must be updated frequently through an automated and monitored process
- Your IT team must be able to respond quickly to zero-day vulnerabilities
- You must have an onboarding and offboarding process for employees to ensure access and data are protected
Insurance companies are also starting to inquire if you have a SOC (Security Operations Centre). This is a third-party team or service responsible for monitoring your systems, detecting threats, vulnerability management and incident response.
Some Endpoint Security vendors (discussed above) offer SOC as a part of their services. It’s unlikely insurance companies expect you to have a SOC, but they may in future.
Training
Training has become an expectation from insurance companies to reduce the number of accidental security incidents. Remember, employees, cause 95% of all security incidents. Employee awareness training is expected at least once per year and during onboarding. Financial teams are also expected to receive additional phishing and social engineering training. Although, it should ideally be provided to every employee. Your IT team can source a training partner or service.
Here are some of the standard training topics:
- Password (pass-phrasing, length, reuse, sharing, password managers, etc.)
- Phishing and Impersonation (how do identify phishing or impersonation e-mails or tactics)
- Safe Wireless Networks (what is and is not a safe wireless network)
- General (locking your system, never leaving it unattended, where to save data, etc.)
- Mobile device security basics
- Updates and Software Patching
You must ensure training is tracked and completed. Have your HR team manage this process.
Cyber-Security Budget
Certain insurance companies now ask what your IT budget is and what portion is allocated to cyber security. They likely use this information to confirm if you’re spending enough to protect the business.
Research performed by organizations like Gartner shows businesses spend anywhere from ~2-7% of revenue on technology each year; This includes everything from toner, cell phones, computers, servers, cloud services, internet, cyber insurance and, of course, cyber-security. Basically, anything related to technology falls into this budget.
Our industry is predicted to reach $200-$300 per user per month by 2023/2024 for Managed IT Services with appropriate security services and subscriptions (e.g. Endpoint Security, Vulnerability Scanning, Penetration Testing, Updates/Patching, Phish Testing, Training, etc.). If you initially allocate approximately 3-4% of your revenue to your technology budget, you should have sufficient resources to implement and maintain a strong cyber-security posture. You can then adjust accordingly.
If you currently spend less than 2%, you likely need to review and increase it.
Next Steps
We get it; it’s a huge list. The questions on your mind are likely, what will it cost to implement, and what do I already have?
The best approach is to perform a full audit of your existing systems. Once you have the information, work with your insurance company and IT team to determine priority and cost, and then put a formal project plan together. Prioritize based on risk and be prepared to spend a reasonable amount of time rolling everything out. Get ahead of it, don’t wait until renewal.
Cyber-security requires an ongoing investment, there is no set it and forget it. Even the most secure systems in the world are breached. Be prepared. Cyber-security insurance is surprisingly affordable, offers reassurance and provides a much better chance of recovery.
Finally, if you don’t have a trusted IT team to work with, you’re welcome to reach out to us. For 15 years, we’ve helped businesses around Canada protect their teams and bring their systems into compliance. Our internal teams go beyond the fundamentals to provide even more protection as a part of our Managed IT Services. We enjoy the heavy lifting and building long-term plans; It’s easier than you think with the right partner.