Insurance companies continue to sharpen their gaze on IT systems.
Gone are the days when cybersecurity insurance questionnaires were relatively simple to complete. You could answer five basic IT questions and you were approved. Good to go. No further information needed!
Thanks to the explosion of ransomware, insurance companies have changed their approach.
According to Dark Reading, “The average total cost of recovery from a ransomware attack has more than doubled in a year, increasing from $761,106 in 2020 to $1.85 million in 2021. The average ransom paid is $170,404.”
Learn More: Ransomware Recovery Costs
The frequency of questionnaires is increasing and the underwriting requirements are getting stricter.
Integris recently consulted with a client who could not renew their policy until verifying Multi-Factor Authentication (MFA) was active for remote access through Virtual Private Network (VPN) and all Microsoft accounts.
The infamous Colonial Pipeline shutdown of 2021 was triggered by an unsecured VPN connection!
The following eight product categories are part of the new expanded scope of inquiry from insurance companies. We should know; we help our clients complete their applications.
1 – Advanced Threat Protection (ATP)
You know insurance companies are becoming IT subject matter experts when they ask about Advanced Threat Protection from Microsoft.
While we typically recommend Proofpoint (because it’s more comprehensive), the game has changed when vendor partners are mentioning security tools as if they were Chief Information Security Officer (CISO) insiders.
Learn More: The Cybersecurity Landscape 2021
2 – Backups
Backups should be frequent, mirrored, geographically diverse, tested, verified, encrypted and cloud-based.
Insurance companies have a keen interest in reducing single points of failure. This is where the cloud comes in. Local, network-attached storage is fine as long as it’s integrated with cloud solutions that remove the physical risk.
Encryption takes safety measures a step further. Even if your systems are infiltrated, your data and IP are shielded by an impenetrable shell.
3 – Endpoint Detection and Response (EDR)
EDR is considered a form of ATP. Some of the major solution providers include McAfee MVision EDR, CrowdStrike Falcon Insight, VMware Carbon Black Cloud Endpoint, and FireEye Endpoint Security Tool.
In a nutshell, EDR has two main functions: collecting actionable data and insights by casting a wide net across diverse endpoints and remediating the threats in real-time.
The solution is novel because it picks up threat noise that is so new and random, it doesn’t get discovered by traditional security tools.
Learn More: EDR Definition & Examples
4 – Endpoint Protection Platforms (EPP)
EPP refers to anti-virus and SPAM blocking solutions for detecting and blocking file-based malware, and other malicious activity.
Frequently bundled into many of the EDR offerings mentioned above, most of the same companies and other top-ranked peers appear in The Gartner Group Magic Quadrant: Symantec Endpoint Protection, Kaspersky Endpoint Security, McAfee Endpoint Security, Microsoft Defender Antivirus, and Trend Micro Apex One.
Although it seems redundant to list this separately, insurance companies give EPP its own line item, so I’d like to make sure you’re prepared.
5 – Multi-Factor Authentication (MFA)
MFA puts an extra step into the user login experience. Once a user ID and password are entered, the user is prompted to request and enter a special code delivered via text or voice to complete the transaction.
It’s effective because a threat actor would have significant difficulty intervening in this process. MFA is a powerful safeguard against a variety of cyberattacks.
Learn More: MFA Cyber Protection Deeper Dive
6 – Patching
Insurance companies demand increased vigilance with it comes to patching, both regularly scheduled and emergency.
Patching gaps are the second leading cause of ransomware infiltration. (Social engineering is the number one culprit.)
While your organization may be actively updating software, fixing bugs, addressing vulnerabilities, and implementing system updates, chances are you’re connected to people and organizations who are less disciplined.
7 – Password Management
Yellow stickies, Excel spreadsheets, and Outlook contact records are not secure repositories for password storage.
Each medium is easy to compromise. And since over 60% of people use the same password for multiple accounts, the breach of one account can lead to the breach of several dozen or more.
For instance, a cyber crook could infiltrate your network, locate your cybersecurity insurance policy (identify exact coverage amounts), and know in advance how much money to demand BEFORE launching an attack on your company.
LastPass, 1Password, Dashlane, and Keeper are just a few password management solutions your insurance company would love to see mentioned on your application.
“Love” may be too strong a word. They just want you to have something in place.
8 – Vulnerability Scanning
How often are you testing, tracking, documenting, and improving the security of your digital estate?
Engaging an independent third party to stress test your fortress is highly recommended. This discipline strengthens your ability to demonstrate proof of due care. You can also get more favorable rates as your scores improve.
According to Roger Grimes of KnowBe4, the world’s first and largest new-school security awareness training and simulated phishing platform, businesses can expect the following bad news regarding insurance:
- Significantly higher premiums
- Less coverage
- More outs
- Fewer options
- Stronger requirements
Learn More: Cybersecurity Insurance Changes
Every company has to figure out a balance that works for their budget and industry-specific risk.
On one hand, you need to check off a number of boxes to appease your insurance provider.
On the other hand, even the most advanced (and expensive) security tools don’t prevent users from responding to fairly low-tech, social engineering tactics, the primary methods hackers employ to break in.
Over 95% of data breaches are caused by humor error which is one of the main reasons companies like KnowBe4 have been so successful in helping to change user behavior.
You can engage with KnowBe4 directly or pay the same amount to have Integris administer KnowBe4 on your behalf, as part of our MSP offering.
We’ll also make sure your IT system requirements are succinctly aligned with your insurance coverage.