The Top 5 Security Controls & Incidents Impacting Cyber Insurance

January 20, 2022

Five security controls and incidents impact the cost and scope of your cyber insurance coverage.

Insurers demand increased transparency and want to know where you’ve been and what you have. And there’s no guarantee the policy will cover everything a disaster affects.

We’re analyzing five questions from a cyber insurance application to demonstrate the importance of maintaining compliant technology. Preparation is your best defense.

Cyber Insurance Impact #1 – Has confidential customer, client, employee, or personal information been compromised in a breach in the past three years?

This inquiry is a “yes” or “no” question. And they want details. According to Ivanti (as of July 2021), “Nearly three-quarters (74%) of respondents said their organizations have fallen victim to a phishing attack in the last year, with 40% confirming one occurred in the last month.”

If you respond “no,” you’re lucky. But current trends suggest luck is not a long-term strategy.

Breaches originate with phishing attacks. And nearly 50% of us take the bait and click on links that grant access to threat actors. Cyber breaches hit companies of all sizes and the lowest common denominator is human behavior which renders expensive security tools useless.

Source: Top 10 SMB Breach Statistics

Cyber Insurance Impact #2 – Does your information security training plan include annual training and orientation of employees, contractors, and third-party vendors?

Some questions are word salads, and this one is no exception. (It’s a word salad bar.) If they mean security awareness training and standard employee onboarding activities, detailed in most current Acceptable Use Policies (AUP), this is an easy “yes.”

AUPs typically spell out all the rules: call to verify the identity of email senders, no webmail or third-party file share sites for company business, do not download unauthorized software, etc.

The marketplace is also overflowing with Software as a Service (SaaS) training solutions from companies like KnowBe4, Infosec IQ, and Proofpoint.

These companies combine cyber security education with ethical phishing, reporting, and ongoing testing to assess progress. And the programs are continuously updated and automatically administered to new employees. See TrustRadius for reviews of other vendors.

Please ask your insurance provider to clarify how this applies to vendors. Do they expect you to pay for software training licenses? Or is the scope of training much narrower for third parties? These concerns make it harder to respond with a blanket “yes.”

It may be easier to work with peer-level vendors already doing this independently.

Cyber Insurance Impact #3 – Have you implemented Multi-Factor Authentication (MFA) on all business-critical accounts (e.g., administrator accounts, accounts with access to customer or employee data, etc.)?

Implementing MFA is an easy fix. And it won’t break the bank. It’s 9:24 AM, and I’ve already used MFA to log into our network and two other accounts unrelated to our organization.

How does MFA work? Once I submit my email address and password, the system prompts me with a pop-up to enter a verification code that it sends to me via text.

And I can’t count the times I’ve received a text verification when cyber crooks tried logging into my private accounts from other parts of the country. All I did was click on the red X to block access. It was empowering but scary to know I was on someone’s radar. Unfortunately, we’re all on someone’s radar.
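To make the second-factor flow concrete, here is an added illustration (not code from the original article or from Integris) of what a server does behind that pop-up: the password is checked first, a one-time code is issued with an assumed two-minute lifetime, the code is consumed on its first use whether right or wrong, and the user can deny an unexpected prompt. The `Account` class, `CODE_TTL_SECONDS`, and the stand-in for SMS delivery are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120   # assumed lifetime of a texted code
CODE_DIGITS = 6


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a leaked database does not leak passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Account:
    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)
        self.pending = None          # (code, issued_at) while a challenge is open

    def start_login(self, password: str, now=None) -> str:
        """First factor. A wrong password never triggers a text."""
        now = time.time() if now is None else now
        candidate = hash_password(password, self.salt)
        if not hmac.compare_digest(self.pw_hash, candidate):
            return "rejected"
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending = (code, now)   # in real life this code is texted to the user
        return "code_sent"

    def finish_login(self, code: str, now=None) -> str:
        """Second factor. The code is single-use and time-bounded."""
        now = time.time() if now is None else now
        if self.pending is None:
            return "no_challenge"
        expected, issued = self.pending
        self.pending = None          # consumed on any attempt: no guessing the same code
        if now - issued > CODE_TTL_SECONDS:
            return "expired"
        if not hmac.compare_digest(expected, code):
            return "wrong_code"
        return "ok"

    def deny_login(self) -> str:
        """The 'red X': the real user rejects a prompt they did not initiate."""
        self.pending = None
        return "blocked"
```

A stolen password alone gets no further than `code_sent`; the attacker still needs the code on the user's phone, and the user can kill the attempt outright.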

Learn More: Is MFA Worth The Cost?

Cyber Insurance Impact #4 – Do your employees have separate accounts for day-to-day business operations (e.g., checking email, etc.) and administrative functions (e.g., applying system updates, etc.)?

The insurance company wants to ensure you’re taking a layered approach to security, with each critical system requiring different credentials for access.

When someone in the IT department clicks on a phishing email and gets infected with malware, it’s on the network and ready to corrupt every endpoint in its path.

Ideally, each function (user email and admin email) is segmented and augmented with MFA.

Identity Theft Resource Center says, “The number of recorded data breaches in 2021 exceeds the total number of events in 2020 by 17%, with 1,291 breaches in 2021 compared to 1,108 breaches in 2020.” And they quoted this figure in October of 2021.

It’s realistic to assume they’re going to get in, so it’s advisable to put additional obstacles in their path.

Cyber Insurance Impact #5 – Is your organization currently using any SolarWinds products?

SolarWinds, an IT management software company now known as N-central, has been all over the news since the spring of 2020. The company was at the center of a Russian-orchestrated intelligence-gathering hack that compromised 100+ government agencies and private companies.

MSPs use this software to monitor, manage, and secure client IT systems, many of which were affected by the breach. While every attack is problematic, some perspective is warranted.

As per FireEye, “Despite the compromise of 18,000 SolarWinds customers, the attacks were limited to the networks of 50 companies. And Microsoft experts only identified about 40 customers who were victims.”

Learn More: Companies Affected by SolarWinds Hack

What’s Next?

Insurance companies are understandably concerned about exposure. However, no organization is immune to cyberattacks.

Hundreds of technology providers and mainstream companies (insurance providers, too) have been breached or will be.

That’s why combining strategic technology, training, and documentation to demonstrate due care is your best defense. By presenting evidence you’ve fixed the root causes of past failures, you emerge with newfound confidence.

On an optimistic note, technology is just one part of the equation; having a compliant tech stack improves your marketing appeal. When partners, vendors, and clients know you practice strict cyber hygiene, you’ll edge out competitors who don’t.

Integris ties this together for you with exhibits and messaging, so you stand out from less organized and candid competitors. Lead with security. It’s on everyone’s mind.

Jed is a Solution Advisor at Integris who has specialized in MSP solution development, sales, and marketing communications since 2003.
