Many organizations are having a tough time qualifying for a cybersecurity insurance policy this year. Even organizations that obtained a policy in prior years are being asked tough questions about what layers of protection they have in place today before they are allowed to renew, and insurers are also requiring that they prove it. Now, more than ever, it is mandatory that you have some type of cybersecurity service that goes beyond traditional IT maintenance, which typically includes only patching, backups and antivirus.
Here are just a few of the tough questions that you are going to have to answer if you are trying to qualify for Cybersecurity Insurance in 2022:
- Do you have multifactor or two-factor authentication set up for ALL business email accounts?
- Which email security filtering tool are you using?
- Do you conduct regular phishing training and testing?
- How frequently do you back up electronic data?
- Are all of your backups kept separate from your network (offline), so that they are inaccessible from endpoints and servers that are joined to the corporate domain, or in a cloud service dedicated to this purpose? If so, describe.
- Is multifactor authentication required in order to back up files?
- Have you tested the successful restoration and recovery of key server configurations and data from backups in the last 6 months?
- As part of your data backup strategy, do you maintain at least 3 separate copies of your data stored in different geographic locations (production, local copies, and offsite storage)?
- Do you use multi-factor authentication to secure all domain or network administrator accounts?
- Do you restrict employee access to sensitive information on a business-need-to-know basis?
- Do you use endpoint detection and response (EDR) or next-generation antivirus (NGAV) software (e.g. SentinelOne, CrowdStrike, Cybereason, Carbon Black, Cylance) to secure all endpoints? If yes, list providers.
- Do you allow remote access to your network? If yes, do you use a properly configured and secure VPN?
- Do you require Multifactor Authentication (MFA) to secure all remote access to your network?
- Do you have a Business Continuity Plan (BCP) or Disaster Recovery Plan (DRP) in place? If yes, is it tested at least annually?
- Do you encrypt all sensitive and confidential information stored on your organization’s systems and networks and your backups?
- Do you encrypt all sensitive and confidential information stored on mobile devices and in transit from your network?
Many of our clients have sent over similar surveys for us to fill out, and some clients have had to pay for additional layers of cybersecurity protection because they didn’t want to pay for it in years prior.
So is cybersecurity insurance worth it? It depends, but just like all types of insurance, you need to review any quotes carefully to find out what the policy does NOT cover and what the limits are. The minimum policy we recommend is $1 million, and the policy should include cyberextortion.
We do a lot of cybersecurity incident response work, and it is not unusual for clients to spend up to $600,000 just in legal fees. This does not include the cost of downtime and qualified IT help to rebuild damaged computer systems, so you can see how quickly these costs add up and why you should review your coverage carefully.
Unfortunately, it is difficult if not impossible to get a policy that covers wire fraud, so there are better alternatives to consider, like proactive Managed Detection & Response cybersecurity, incident response retainers or secure money wire transfer applications. You should NEVER send money wire instructions by email.
A good homeowners insurance policy is no substitute for a monitored alarm system. In the same way, cybersecurity insurance was never intended to be a substitute for managed cybersecurity protection. The two work together to help you manage your risk, and you have to decide how much you are willing to invest in protecting your assets and your good reputation.
Thankfully, we can offer enterprise class protection at an affordable cost for most small to medium sized businesses.
If you are trying to qualify for cybersecurity insurance and are not able to check “Yes” to any of these or other questions, we will be happy to schedule a free consultation to review your policy and discuss your options.