Cyber Insurance Guidance

UNDERSTANDING CYBER INSURANCE REQUIREMENTS

Whether you currently have cyber insurance or are considering getting it, you have likely heard increased discussion about new qualifications that cyber insurers require before an organization can be covered by a policy.

Here we outline some of the key things that insurance companies are setting as a baseline, as well as some resources for making sure you have your bases covered. 

Please note that not all of the following actions/tools are required by all cyber insurance companies. 

General Requirements

1) Multifactor Authentication

2) Endpoint Detection & Response (EDR)

3) Role-based Permission Restrictions and Network Segmentation

4) Back-up data systems that are air gapped or offline and are regularly tested

5) Security Threat Awareness Training

Additional Review Items

– Effective Patch Management

– End of computer or software lifecycles

– Penetration testing and review of any data exfiltration

– Cyber security plan

– Data breach response plan

Breaking Down the Requirements

Multifactor Authentication

What is it?

Multifactor authentication is an upgraded security process for account users, access to networks, or all privileged access.

After a username and password are provided, a numerical code is required to gain access. This numerical code is sent to a separate secure device, such as a text to a cell phone.

When multifactor authentication is set up, users are also notified if someone attempts to gain access to their accounts.

How should it be used?

Multifactor authentication should be deployed for all remote access to networks and all local privileged user accounts.

Endpoint Detection & Response

What is it?

EDR tools are technology platforms that can alert security teams to malicious activity. They also provide continuous and comprehensive real-time visibility into what is happening on the system endpoints.

Behavioral analysis and actionable intelligence are then applied to endpoint data to stop an incident from turning into a breach. The endpoints may also involve the use of software or cyber service vendors, who must also utilize endpoint monitoring.

How should it be used? 

EDR should be used on 100% of endpoints.

Role-based Permission Restrictions and Network Segmentation

What is it?

Network segmentation allows data to be partitioned according to use or need, with appropriate credentials required for the data in each segment or area.

Full system access is only allowed on a very selective basis, generally with other controls.

How should it be used?

Network segmentation has many benefits. By isolating segments of a network using firewall rules or air gapped measures, the scope of a ransomware attack on a system is limited.

Back up data systems (air gapped & regularly tested)

What is it?

Historically, data back-up systems have been used to allow restoration of data should a system incur a failure. The historic systems evolved to be very efficient, with real-time back-up, data drive mirroring or other similar processes.

When a data breach occurs, the cyber criminals initially disrupt or encrypt both the primary and back-up systems.

An offline, or air gapped, back-up periodically backs up all data when the backup system is offline. Many also use a tertiary back-up, which is completed on a rotation basis in a remote location.

How should it be used?

Back-ups must be performed regularly, and they must be periodically tested to assure reliability.

Security Threat Awareness Training

What is it?

Security threat awareness training is training focused on employees to raise awareness of the types of criminal attempts that are being made to compromise cyber security, such as fake emails or personal information compromises.

Training is also recommended to maintain effective password management processes as another method of preventing criminal access.

How should it be used? 

Security awareness training is not one-size-fits-all. You should consider that there is an element of frequency and customization that can go far in helping to not only train your employees but create a culture of security.

Resources for enacting Multi-Factor Authentication across your organization

More coming

Resources for implementing EDR across your organization

More coming

Resources for navigating network segmentation

More coming

Resources for how to create regular backups/air gapping your systems

More coming

Resources for Security Awareness Training

Check out the following free, text-to-learn platform here.

ADDITIONAL INFORMATION & RESOURCES

More coming