5 Things You Can Do to Qualify for Cybersecurity Insurance
Cyberattacks, data breaches, and ransomware are here to stay. I’m not the first to say that, but I won’t be the last. Along with these threats are the risks of a damaged brand, compliance violations with associated financial penalties, and lost intellectual property. Within this chaos, many organizations, small and large, seek cyber insurance to protect themselves.
Before the surge of cyberattacks in the past decade, securing cyber insurance was a fairly mundane process, almost as simple as signing the policy paperwork and paying the annual premium. That has changed because of the steep rise in attacks and in the claims filed after them. Now agencies and their underwriters require extensive documentation proving that every reasonable and effective defensive countermeasure is in place.
I’ll be joining cyber insurance expert Joseph Brunsman, founder and president of the Brunsman Advisory Group, and MSP360’s Kurt Abrahams next week to discuss the growing challenges with qualifying for cybersecurity insurance, and what you can do about it. While the conversation will be geared toward managed service providers, companies of all types and sizes can benefit from the lively conversation. I encourage you to attend.
If you’re pressed for time, here are five quick takeaways that I plan to discuss in detail with the experts next week:
1. Have a cybersecurity preparedness plan and exercise it regularly
The old adage “nobody plans to fail, but many people fail to plan” holds true for cybersecurity preparedness. Gone are the days of “the circle of trust.” We have to treat every system, device, and application as if it is exposed to the wide open internet in order to protect our data assets from external and internal threats. With a documented plan for prevention, detection, and response, insurers will have greater confidence that you’re ready for whatever comes your way.
2. Keep your ransomware protection and response contacts up-to-date
When the stuff hits the fan, scrambling to find vendor contact information is the last thing you want to be doing. As part of your response plan, you should explain how you will communicate with team members and vendors if your email system is crippled. Cell phone numbers, land lines, fax numbers, alternate email addresses… document everything. You’ll be glad you did.
3. Train and test your employees on cybersecurity awareness
Businesses of all sizes need to establish basic security best practices and policies for their employees: requiring strong passwords, using multifactor authentication, and building general awareness of the methods used to breach information systems. This matters most for employees who have access to sensitive data.
Part of that training is also periodic testing of employees to ensure they don’t become complacent about threats to the business. Documenting a consistently audited (aka tested) training plan goes a long way to demonstrating to an insurance underwriter that you are serious about cybersecurity preparedness. This funny yet educational video that our Wasabi brand team put together as part of their #ThinkBeforeYouClick campaign is a great piece to share with your employees as a reminder of the dangers of opening the wrong email or clicking the wrong link.
4. Don’t use the root account for everything
As part of a Zero Trust framework, every application (and every admin, for that matter) should be assigned its own set of right-sized credentials through the use of your choice of Identity and Access Management (IAM) or Role-Based Access Control (RBAC) tools. If one set of credentials is compromised, the remaining credentials stay viable and the “blast zone” of affected systems is kept to a minimum. Wherever possible, multifactor authentication (MFA) should be enforced. MFA dramatically reduces the risk posed by compromised credentials, and repeated login attempts that MFA thwarts can serve as an early warning that a credential has been stolen and a breach is being attempted.
5. Back up everything, including your system configurations
Everything – virtual machines, databases, primary storage, secondary storage, data archives. Back up everything. That also includes the configurations of your IT infrastructure (switches, firewalls, load balancers, etc.) and applications. Add the use of immutability, also known as object lock, to protect your data from accidental or malicious deletion or alteration.
Meeting short recovery time objectives (RTOs) is only possible if you are prepared to restore everything, along with all of the associated configurations. I also highly recommend periodic testing of your documented recovery processes, without the support of the management team. This approach ensures that your team is trained and ready for anything. It is a time-consuming process, but all things considered, any backup and recovery plan is really only as good as the last time it was tested.
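Points 4 and 5 meet in the credentials you hand to a backup application: they should reach one bucket, be able to write and set Object Lock retention, and not be able to delete or unlock anything. The following is an added example, not code from the original post or from any product: it contrasts a root-like policy with a scoped one in AWS-style IAM JSON (assumed here as the policy syntax in use, with a placeholder bucket name) and includes a small checker that flags the grants an underwriter, or an attacker, would care about.

```python
# Constructed policy documents in AWS-style IAM/S3 JSON (assumed syntax);
# the bucket name is a placeholder.
BROAD_POLICY = {  # root-like: every S3 action on every bucket
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

SCOPED_POLICY = {  # one backup agent, one Object-Lock bucket, no delete/unlock rights
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketObjectLockConfiguration"],
         "Resource": "arn:aws:s3:::example-backup-bucket"},
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject",
                    "s3:PutObjectRetention", "s3:GetObjectRetention"],
         "Resource": "arn:aws:s3:::example-backup-bucket/*"},
    ],
}

# Rights that let a stolen credential destroy or unlock backups.
DESTRUCTIVE = {"s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket",
               "s3:BypassGovernanceRetention", "s3:PutBucketObjectLockConfiguration"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_findings(policy):
    """Return human-readable findings for Allow statements that exceed what a
    backup application needs. Explicit Deny statements are not evaluated."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"statement {i}: wildcard action grants every S3 operation")
        if "*" in resources:
            findings.append(f"statement {i}: resource '*' is not scoped to one bucket")
        hits = sorted(a for a in actions if a in DESTRUCTIVE)
        if hits:
            findings.append(f"statement {i}: grants delete/unlock actions {hits}")
    return findings

if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, policy_findings(policy) or "no findings")
```

Run it against the policies attached to each backup or application identity; any finding is a credential whose compromise would reach beyond its own blast zone.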
Tilting the odds in your favor
By implementing these and other cybersecurity strategies, enterprises of all sizes can improve their insurance compliance posture, increasing their chances of securing a cybersecurity policy and decreasing the likelihood that they will ever have to test the limits of their coverage.
Note: This article is not a comprehensive list of all the things you need to do to qualify for cybersecurity insurance. Consult your insurance agent or the FTC to learn about their specific requirements and any omissions that could disqualify a claim in the event of a cyber or ransomware attack.
Also, consider joining our webinar, MSP Guide to Cyber Insurance: Protecting Yourself and Your Clients for a deeper dive into this discussion.