We have mentioned before that getting a cyber insurance policy nowadays is much harder work than a year ago. Since COVID-19 began, the FBI has reported a 300% increase in reported cyber crimes. As a result, insurers are more wary about the companies looking for cyber insurance, and therefore put the companies through many more hoops. According to Verizon, out of the breaches over the past year, 45% of them were related to hacking, 17% involved malware, and 22% involved phishing. That explains why insurers check that certain measures are in place as part of the risk underwriting process.
Here is a checklist of security measures you need to get in place before applying for insurance.
Firewalls should be implemented on all company devices. This is to monitor all incoming and outgoing network traffic to protect the computer and network from unwanted parties from gaining unauthorised access.
2. Anti-malware software
Malware is short for malicious software. It is used by hackers to steal data or damage computer systems through viruses, spyware and ransomware. Anti-malware software is important to scan your computer systems to prevent, detect and remove malware. Whilst Macs come with some level of malware protection, insurers generally don’t see it as sufficient, and expect implementation of anti-malware software.
3. Password protection
This one seems like a no-brainer, however, insurers want confirmation that devices are password protected. Moreover, accounts that have regular password updates are implemented at least every 45 days.
4. Multi-factor authentication (MFA)
This requires users to verify their identity using multiple independent methods, instead of just asking for a username and password. It provides extra protection to prevent cybercriminals from gaining access to sensitive information. Some insurers are not providing ransomware coverage as part of their cyber policies if MFAs are not implemented, and some insurers are not even able to provide a quote.
5. Backup Data
This is important to help the business recover from an unplanned event. It is also imperative to keep backup data isolated, i.e. offline from the enterprise network so that it is inaccessible from endpoints and servers. This is important to insurers because cyber insurance provides Business Interruption cover for loss of income in case your business is brought to a standstill from a cyber incident. So they want to make sure you have controls in place to continue the business in case of a cyber incident.
This is to fix security vulnerabilities and bugs within the systems and applications to ensure the assets in your environment are not susceptible to exploitation. Insurers want to see this is in place as it signals that you actively are reducing the security risk to your systems and applications.
This is a set of two tests aimed at discovering which vulnerabilities are present, and then exploiting those vulnerabilities to determine whether unauthorised access or other malicious activity is possible. The aim is to identify which flaws pose a threat to the system and applications. Insurers want to see a copy of the latest VAPT report to ensure that a thorough review by a third party has been completed and that any security issues identified have been addressed. This gives them the comfort that your systems are secured.
According to NetDiligence Cyber Claims Study 2021, the average cost of claims for SMEs is $354,000 which includes the cost of crisis, legal and incident services. Cyber insurance not only protects your balance sheet from these costs, but you get access to the cyber incident response services to help you get back on track during a very stressful period.
How can Anapi help?
We help you navigate the cyber insurance landscape to find the insurer who has the risk appetite for your type of business. We also guide you on exactly what to look out for and make the cyber insurance application as pain-free as possible.
How can Pragma help?
We are able to conduct security testing and implement security measures required to support your cyber insurance application while protecting your organisation from digital threats.
Pragma is a global Cyber Security and Regulatory Consulting firm that helps leading businesses, governments, and not-for-profit organisations strengthen cyber and regulatory resilience with a pragmatic approach.