cyber insurance

Cyber insurers are increasing their scrutiny of a business' cyber security software and when it comes to obtaining a cyber insurance policy for your organisation, you need to be prepared to meet a wide range of requirements.

Whether you’re new to cyber insurance and starting from scratch or going through a renewal, you may have a surprise in store about what you need to have in place.

The same may apply if you already have cyber insurance. You may believe you’re covered, but then later find when you delve into the detail of the policy, you’re not.

Insurers are intensifying their scrutiny of businesses’ cyber security tech. They are becoming increasingly pragmatic, demanding a baseline of protective software, tools and processes before they’ll underwrite a policy.

It’s fair to say every insurance provider is different and their policies and requirements vary. However, many aspects are common across most policies. Let’s explore some of the key ones.

Managing privileged access

Providers are scrutinising how businesses control access to their privileged credentials more and more closely. It is being highlighted as a particular point of weakness and an area where many claims are being seen.

Privileged accounts allow individuals to perform processes such as installing new software or changing configuration settings. If criminals get hold of the logins, they can steal or delete data, or wreak havoc by making changes to systems, servers, applications and devices.

Traditional identity access management (IAM) tools don’t provide sufficient protection; they work by proving the user is who they say they are before letting them log in. Specialist PAM tools take security up a level, by controlling what users can access, and exactly what they can do.

Protecting backed-up data

Insurers will look for additional protection around critical systems, such as backups, which are essential to recover and restore data in the event of a breach such as a ransomware attack.

Businesses should ensure their data is backed up to multiple onsite and offsite locations, and that effective access controls are applied to backup systems.

Guarding the endpoint

Employees’ laptops, devices and workstations are attractive entry points for cyber attackers aiming to get a foothold in the corporate network. If staff have privileged admin rights activated, this heightens the damage they can do once inside.

Insurers will want to see systems are in place to handle the situations where humans make mistakes – for instance forgetting to log out or jumping onto an unsecured Wi-Fi network.

Other stipulations

Although privileged accounts, data backup systems, and user endpoints really stand out, there are a number of other stipulations insurers have.

So, what kind of things can you expect a provider to ask you about your organisation when it comes to these critical requirements?

Here are a few for starters:

How is the business protecting privileged accounts and credentials?
Who has access to which systems?
How and when are account credentials updated?
Are accounts removed as soon as there’s a suspected breach or a member of staff leaves?
What backup solution is your business using?
How are you backing up and how are you managing the access control?
Does the business have tools for multi-factor authentication to cover remote access, remote desktop protocols and emails?

Problem or solution?

Rather than seeing it as a negative, businesses facing ‘compliance’ with the growing list of cyber insurance eligibility criteria should view it as an opportunity to strengthen their security.

After all, the measures insurers want to see are in place align with best cyber security practices and ultimately, it’s in insurers’ interest to keep policyholders safe.

Reviewing these requirements should be the first port of call for businesses wanting to apply for or renew a policy.

Written by James Nadal, Product Specialist, Osirium.