Our recent webinar on Cyber Insurance Is Changing: How to Handle Your Policy with Insurance expert Bryan Hurd from Aon Cyber and Mike Hamilton - the CISO of Critical Insight, generated a lot of interest and good audience questions. You can view the webinar here.
In a blog post about the webinar, we said that we would follow up with the top ten things an organization should do to demonstrate their cybersecurity preparedness to cyber insurance providers and help ensure the ability to get adequate coverage at a reasonable premium price.
Demonstrating that suitable protections, procedures, and plans are in place are now table stakes for getting cyber insurance. All organizations can expect to receive detailed questionnaires from their insurance providers and then be interviewed by security experts acting on behalf of the insurer. This process aims to get a true picture of cybersecurity preparedness to allow the insurer to decide whether to provide coverage and also price coverage at a suitable level to reflect the risk.
The top ten items to lower your cyber insurance premiums are below. These came up in the webinar. These and other actions that all organizations should be doing to prevent ransomware are also in this article by Mike Hamilton.
1. Follow the NIST Cybersecurity Framework
Insurance underwriters like to see a paper trail of evidence that shows the steps taken to implement robust cybersecurity protections. One such source of a paper trail with recommendations and actions to follow is the NIST Cybersecurity Framework.
While adherence to the NIST framework is voluntary in most sectors of the economy, we won't be surprised if it becomes a requirement for cyber insurance providers and also by the Government for any providers of critical infrastructure.
2. Engage External Expertise
Cybersecurity is a specialized task. Only the very largest organizations have the resources to have the required skills in-house. Engaging with specialized external cybersecurity companies is a way to get the experts needed. These companies have the skilled staff on board to provide guidance and expertise to organizations of all sizes about how to bolster their cyber defense strategy and deal with cyber insurance companies at renewal time. To give a concrete example, Critical Insight recently provided a virtual-CISO function to a large organization before and during its cyber insurance renewal. Upon completion, they revealed that having the Critical Insight expertise to assist with process development and artifact collection meant that their insurance cost for the year came in at $400,000 less than projected.
3. Have Demonstrably Secure Backups
Backups are the ultimate safety net to allow recovery from a destructive cyberattack. Typically this will be a ransomware attack that infects and encrypts the data and systems on a network.
While backups will not prevent the attack, they will allow the recovery of IT systems to an operational state at a time before the attack occurred. Cyber insurers want to see that this is possible. There are two significant features of the backup systems in place that insurance providers will look for:
- Air-gapped backups - ransomware actively looks for backup systems on the network to infect and destroy backups. Ransomware criminals don’t want organizations to have a way to bypass paying a ransom. Recent backups must be on systems that are air-gapped from the production network. This can be done via physical separation, with network segmentation (if configured correctly), and possibly with backups on immutable storage systems that any ransomware attack will not be able to encrypt. Talk to your IT infrastructure and backup software supplier about how to provide this air gap for backups or get advice from Critical Insight experts.
- Regularly tested restore procedures - "Untested backups are not backups at all!" An IT industry cliché, but true. Restoration from backup needs routine testing to ensure that the data is retrievable in any disaster scenario.
4. Have 24/7 Monitoring
Cybercriminals don't follow regular office hours. Attacks occur when the bad guys think there is the lowest chance of detection, which means in the middle of the night, on holidays, and on weekends.
Cyber insurance providers will want to see that there is continuous 24/7 monitoring in place for any suspicious activity. This is more than having an IT team member on call. It is proactive monitoring with tools backed by human experts that are required. Many cybersecurity organizations provide this service, including Critical Insight.
5. Use Proactive Defense
This is an adjunct to the 24/7 monitoring, but it warrants a separate discussion. Many indicators of compromise appear on breached networks before destructive activities such as ransomware encryption occur.
Critical Insight's SOC monitoring can detect anomalous behaviors on networks. Organizations can then take actions to eliminate any cybercriminals dwelling on the network and mitigate future risk after analysis to determine how they got in, something Critical Insight can usually do relatively quickly.
Cyber insurers like to see these proactive defense measures in place as organizations that have them are much less likely to be hit with a devastating cyberattack, and therefore the risk for the insurer is lowered.
6. Multi-Factor Authentication is a Must
Multi-factor authentication (MFA), as a part of a strong Identity and Access Management (IAM) system, is soon to be required by all insurers. Many will look for a user and password management system based on a secure directory service like Microsoft Active Directory, with MFA as a must, plus sometimes Privileged Access Management (PAM) layered on top to increase the security of critical systems.
7. Staff Cybersecurity Awareness Training
Surveys show that most successful cyberattacks that deploy ransomware have at their root a human user who clicked a malware link, visited a malicious website, or divulged information they shouldn't have.
Cyber Insurance providers know this, and they will want to see evidence of effective cybersecurity awareness training for all IT system users. They will not be looking for a box-ticking exercise to show that people have access to training, but that it enhances security for the organization.
8. Deploy Endpoint Protection
All devices that are in use should be enrolled in and protected by an endpoint protection solution. This should include anti-malware and anti-virus software capabilities. The ability to remotely quarantine and wipe mobile devices (including laptops) should be part of the endpoint protection, as well as the ability to update devices remotely or exclude them from the network if they are not up to date with the latest operating systems and security updates.
9. Vulnerability Management
Cyber insurance providers will want to see vulnerability management procedures in place to deploy security and operating system updates and patches quickly. Not just for endpoint devices but also for servers, network equipment, perimeter protection, and anything else that has access to the network and is a potential target for cyberattack.
10. Documented Incident Response Plans
How people within an organization and their external security providers respond to a developing cyberattack often has a large impact on how damaging and costly the attack turns out to be.
Everyone in an organization is part of the defense. Therefore, everyone must have the awareness training mentioned above, but they should also know what to do in the event of anything suspicious happening.
Easy-to-follow incident response plans for both users and the IT team will need to be in place to minimize ongoing attack damage. Cyber insurers will want to see these plans and that everyone is aware of them and knows what to do. Critical Insight specializes in all aspects of incident response, including assisting with Documented Incident Response Plans that get periodically practiced in tabletop and functional exercises.
Having good cybersecurity is now a core part of every organization's business operations. Demonstrating good cybersecurity planning and protection is also becoming a core part of administrative procedures. To get cybersecurity insurance at a reasonable cost, with suitable cover and deductibles, will require following the insurer's assessment process.
Critical Insight's cybersecurity professionals are focused on the threat landscape. These experts, combined with our SOC’s 24x7 monitoring teams, can deliver the cybersecurity expertise your organization needs to deal with your cyber insurance providers. And Critical Insight will work to ensure you get the coverage you need for the lowest cost.