Top Tech Concepts in Your Cyber Insurance Application
CalNonprofits Insurance Services
Nonprofit Owned. Nonprofit Serving
Cyberattacks are expensive. From state fines to data restoration to breach notifications and credit monitoring, one cyberattack can siphon your revenue. Add a tarnished reputation and lost customers to the mix and you have bankruptcy-level expenses.
According to IBM’s “Cost of a Data Breach Report 2023,” the average data breach cost $4.45 million in 2023, an all-time high. Cyber liability insurance is necessary in every business risk mitigation plan. The more you can control your data exposure, the better off you’ll be.
Cyber liability insurance applications ask about network and data security, vendor and privacy controls, and response planning. You might not need to hit every item on a cyber application, but it’s good to aim high on prevention measures.
Think of cybersecurity in terms of layered protection. The more complex your operations and networks, the more layers you’ll need to stay safe. A well-planned cybersecurity strategy can strengthen your cyber application.
Here are some measures to take before you apply for cyber insurance.
Add multifactor authentication
Even if you’ve outsourced your cybersecurity to a third party or cloud vendor, you could still be liable for a data breach. The IBM report revealed that 82% of data breaches involved cloud environments, and 39% occurred in hybrid, multicloud environments.
A top recommendation from the report was to add multifactor authentication (MFA) to your cybersecurity protocols. MFA requires anyone attempting to enter your network to provide their user credentials and one or more other factors to verify their identity. Typically, the second factor is a code sent to another device, such as a cellphone. But it can also be biometric data like a fingerprint.
Pro tip: Most insurance companies require businesses to have cybersecurity protocols like employee training, intrusion response plans and MFA. A typical cyber liability insurance application will ask questions about your cybersecurity. It will also require you to complete supplemental questionnaires based on your business operations and cyberattack risk level.
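The paragraph above describes MFA as a password plus a second factor such as a code shown on the user's phone. The block below is an added example, not code from the original article or from CalNonprofits: it implements the standard time-based one-time password scheme (RFC 6238 TOTP, HMAC-SHA1, 30-second steps, 6 digits) with only the Python standard library, and checks both factors in one login call. The user record, salt, shared secret and timestamps are constructed sample values; a real deployment would store the secret per user and enrol it into an authenticator app.

```python
"""Second-factor check with a time-based one-time password (TOTP).

Added example; it is not code from the original article. It implements
RFC 6238 TOTP (HMAC-SHA1, 30-second steps, 6 digits) with the Python
standard library only. The user record, salt and timestamps are constructed.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30
DIGITS = 6
DRIFT_STEPS = 1  # tolerate one step of clock skew on either side

# Constructed per-user record: a salted PBKDF2 password hash and the TOTP
# secret that would normally be enrolled into the user's authenticator app.
_SALT = b"constructed-salt"
_USER_DB = {
    "alice": {
        "password_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
        "totp_secret": b"constructed-shared-secret",
    }
}


def totp(secret: bytes, unix_time: int) -> str:
    """TOTP code for the 30-second step that contains unix_time."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226 section 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify_password(user: str, password: str) -> bool:
    """First factor: constant-time comparison of the salted password hash."""
    record = _USER_DB.get(user)
    if record is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(candidate, record["password_hash"])


def verify_totp(user: str, code: str, unix_time: Optional[int] = None) -> bool:
    """Second factor: accept the code for the current step or DRIFT_STEPS neighbours."""
    record = _USER_DB.get(user)
    if record is None:
        return False
    now = int(time.time()) if unix_time is None else unix_time
    for drift in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
        expected = totp(record["totp_secret"], now + drift * STEP_SECONDS)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return True
    return False


def login(user: str, password: str, code: str, unix_time: Optional[int] = None) -> bool:
    """Both factors must pass; the single boolean result never tells the
    caller which factor failed."""
    return verify_password(user, password) and verify_totp(user, code, unix_time)


if __name__ == "__main__":
    t = 1_700_000_000  # constructed timestamp
    current = totp(_USER_DB["alice"]["totp_secret"], t)
    print("valid login:", login("alice", "correct horse", current, t))
    print("wrong password:", login("alice", "wrong", current, t))
```

The one-step drift window is the usual compromise between phones whose clocks are slightly off and the number of codes an attacker could guess; widening it beyond a step or two weakens the second factor.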
What to expect from an MFA supplemental questionnaire
An insurance company will scrutinize your cybersecurity based on your operational risk. This involves the type of data you store, transact and process.
For example, regularly processing credit cards is riskier than rarely processing them. Maintaining client medical files on a cloud server connected to application programming interfaces (APIs) is more complex than having an encrypted internal database with limited external access.
The more points of entry you have in your network, the more security you need. That’s why insurance companies consider MFA so important.
MFA is a cost-effective deterrent to unauthorized access for many business operations. Ideally, you should be able to answer “yes” to these questions:
Any “no” answers will require an explanation. Too many “no” responses indicate lax cybersecurity and could result in higher premiums or an application denial.
Pro tip: The insurance company is looking for a rounded approach to MFA, meaning you require it across internal and cloud servers, including the APIs you use. But don’t fib and say you have MFA to get a favorable rate. After a cyberattack, the insurance company will conduct a forensic investigation and deny your claim if you've been untruthful.
The insurance company wants to know that you protect your digital property and operations. But there are cybersecurity measures beyond MFA to bolster your cyber insurance application.
Limit your account access
Limit access to admin accounts and lock down access to sensitive data. This prevents hackers from exploiting entry-level accounts to crawl your system for higher-level targets. Even if they dupe an employee in a phishing attack, they’ll have less to work with once they access the account.
When you get to the network security portion of the cyber application, you’ll encounter questions about your controls. Anything that allows someone to create accounts, manipulate emails, control operations or deploy things on a network should be highly guarded. Restrictions are a good thing.
Segment your network
Segmenting your networks can help cordon off and isolate intruders after they breach your systems.
Think of a cyberattack like a building fire. After a fire starts, it travels surfaces looking for fuel to burn and grow. But if the building is sectioned off with fire doors, you can slow the spread of the fire and limit the damage.
Similarly, when you divide your network into subnetworks, the damage caused by a breach can be contained — rather than ripping like an inferno through your entire system.
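The fire-door analogy above maps directly onto a default-deny policy between subnets. The block below is an added example, not code from the original article: it models four constructed segments and an explicit allow-list (workstations may reach the application tier on 443, only the application tier may reach the database on 5432), then audits a few constructed flow records to show which connections a firewall enforcing that policy would drop. Subnet ranges, ports and flows are all assumptions for illustration.

```python
"""Evaluate network-segmentation rules between subnets.

Added example, not from the original article. The segment ranges and the
allow-list are constructed; everything not explicitly allowed is denied.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed segments (name -> subnet).
SEGMENTS: Dict[str, ipaddress.IPv4Network] = {
    "workstations": ipaddress.ip_network("10.10.0.0/24"),
    "app_servers": ipaddress.ip_network("10.20.0.0/24"),
    "database": ipaddress.ip_network("10.30.0.0/24"),
    "guest_wifi": ipaddress.ip_network("10.99.0.0/24"),
}

# Constructed allow-list: (source segment, destination segment, TCP port).
# Anything absent from this list is denied (default deny between segments).
ALLOW: List[Tuple[str, str, int]] = [
    ("workstations", "app_servers", 443),
    ("app_servers", "database", 5432),
]


def segment_of(ip: str) -> str:
    """Name of the segment an address belongs to, or "unknown"."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def is_allowed(src_ip: str, dst_ip: str, port: int) -> bool:
    """Apply the segmentation policy to a single flow."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if "unknown" in (src, dst):
        return False
    if src == dst:
        return True  # traffic inside one segment is not governed by the fire doors
    return (src, dst, port) in ALLOW


def audit(flows: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int]]:
    """Return the flows a firewall enforcing ALLOW would have dropped."""
    return [flow for flow in flows if not is_allowed(*flow)]


# Constructed flow records: a workstation reaching the database directly is
# exactly the lateral movement segmentation is meant to stop.
SAMPLE_FLOWS = [
    ("10.10.0.15", "10.20.0.5", 443),   # workstation -> app tier: allowed
    ("10.10.0.15", "10.30.0.7", 5432),  # workstation -> database: denied
    ("10.20.0.5", "10.30.0.7", 5432),   # app tier -> database: allowed
    ("10.99.0.3", "10.20.0.5", 443),    # guest wifi -> app tier: denied
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_FLOWS):
        print("would be dropped:", flow)
```

Running the audit against real flow logs before the firewall rules go live is a practical way to find the legitimate cross-segment dependencies you forgot to list, without breaking anything.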
Establish multilevel defense tools
Your cyber insurance application will ask about these multilevel defense tools. They serve different but complementary roles in a layered intrusion detection strategy:
Intrusion detection systems
An intrusion detection system (IDS) is like a security monitoring system. It monitors your network, scanning for suspicious activity or potential threats. If it finds something, it alerts your IT team. An IDS doesn’t act; it just reports.
Intrusion prevention systems
An intrusion prevention system (IPS) detects threats and blocks them. It notifies the IT team and launches a response to deter the intrusion.
Data loss prevention tools
Data loss prevention (DLP) tools automatically detect when someone tries to access data. If an unauthorized or unrecognized user attempts to access, transfer or print data, the DLP tool will encrypt it and stop the transfer.
Modern IPS and DLP platforms use artificial intelligence and machine learning to refine their performance and get smarter over time.
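The three tools above differ mainly in what happens after a detection: an IDS reports, an IPS reports and blocks, and DLP inspects the data itself before it leaves. The block below is an added example, not code from the original article or from any vendor product: the same brute-force detector runs over constructed auth-log lines in "ids" mode (alerts only) and "ips" mode (alerts plus a block list), and a small DLP function refuses an outbound message that contains a payment-card number, using the Luhn check so that an ordinary 13-digit order number is not a false positive. Log lines, threshold and sample text are all constructed.

```python
"""Detection-only versus prevention, plus a DLP content check.

Added example, not from the original article. Log lines and the outbound
message are constructed.
"""
import re
from collections import Counter
from typing import Dict, List, Set

# Constructed SSH-style auth log lines.
AUTH_LOG = """\
Failed password for admin from 203.0.113.9 port 52201 ssh2
Failed password for admin from 203.0.113.9 port 52202 ssh2
Failed password for root from 203.0.113.9 port 52203 ssh2
Failed password for admin from 203.0.113.9 port 52204 ssh2
Failed password for admin from 203.0.113.9 port 52205 ssh2
Accepted password for bob from 198.51.100.4 port 40000 ssh2
Failed password for bob from 198.51.100.4 port 40001 ssh2
""".splitlines()

FAILED = re.compile(r"Failed password for \S+ from (\d+\.\d+\.\d+\.\d+)")
THRESHOLD = 5  # failures from one source before it counts as brute force


def analyse(lines: List[str], mode: str) -> Dict[str, object]:
    """mode="ids": alerts only. mode="ips": alerts plus a block list."""
    failures: Counter = Counter()
    for line in lines:
        m = FAILED.search(line)
        if m:
            failures[m.group(1)] += 1
    offenders = {ip for ip, n in failures.items() if n >= THRESHOLD}
    alerts = [f"{ip}: {failures[ip]} failed logins" for ip in sorted(offenders)]
    blocked: Set[str] = offenders if mode == "ips" else set()
    return {"alerts": alerts, "blocked": blocked}


# --- DLP: stop an outbound message that carries a payment-card number ---
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment-card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def dlp_check(text: str) -> Dict[str, object]:
    """Whether the transfer may proceed, and which strings triggered a block."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(m.group(0))
    return {"allowed": not hits, "matches": hits}


if __name__ == "__main__":
    print("IDS:", analyse(AUTH_LOG, "ids"))
    print("IPS:", analyse(AUTH_LOG, "ips"))
    # 4111 1111 1111 1111 is a well-known test card number, not a real account.
    print("DLP:", dlp_check("card 4111 1111 1111 1111, order 1234567890123"))
```

Note that the IPS mode blocks on the same evidence the IDS merely reports; the operational difference is that a false positive in IPS mode locks someone out, which is why thresholds and allow-lists for known sources matter more once blocking is on.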
Create an incident response plan
An incident response plan (IRP) is a written document that addresses how you’ll respond after a cyberattack to reduce downtime and keep your business running. It can be part of your general disaster response and business continuity plan or a stand-alone document.
Include an inventory of your business-critical hardware, software and data in your IT recovery plan. It should list where you back up your data, how often you back it up and the critical software and hardware required to access it.
For example, say you need your customer relationship management software (CRM) and integrated voice over internet protocol (VoIP) systems to keep your call center operational. At a minimum, you’d need to:
An IRP also clarifies roles and responsibilities before, during and after a cyber incident. Make a list of people to contact during a cyberattack to avoid confusion.
After you’ve solidified your plan, test it. Then, train your employees on it. And implement an annual cyber awareness training program for your employees.
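The inventory described in this section is only useful if it is kept current and actually checked. The block below is an added example, not code from the original article: it holds a constructed inventory of business-critical assets (where each is backed up, how often the plan promises, when the last backup finished, and which other assets it depends on), flags every asset whose last backup is older than its promised interval, and derives a restore order that brings dependencies up first. All asset names, locations, intervals and timestamps are assumptions for illustration; the CRM and VoIP entries echo the call-centre example above.

```python
"""Check a recovery inventory against the backup frequency the plan promises.

Added example, not from the original article. Inventory entries, timestamps
and intervals are constructed.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed inventory of business-critical systems.
INVENTORY: List[Dict[str, object]] = [
    {"asset": "CRM database", "location": "offsite object storage",
     "interval_hours": 24, "last_backup": "2024-03-01T02:00:00+00:00",
     "depends_on": ["CRM app server"]},
    {"asset": "VoIP config", "location": "on-prem NAS",
     "interval_hours": 168, "last_backup": "2024-02-10T01:00:00+00:00",
     "depends_on": []},
    {"asset": "CRM app server", "location": "cloud snapshot",
     "interval_hours": 24, "last_backup": "2024-03-01T03:30:00+00:00",
     "depends_on": []},
]


def stale_assets(inventory: List[Dict[str, object]], now_iso: str) -> List[str]:
    """Assets whose most recent backup is older than their promised interval."""
    now = datetime.fromisoformat(now_iso)
    stale = []
    for item in inventory:
        last = datetime.fromisoformat(str(item["last_backup"]))
        if now - last > timedelta(hours=int(item["interval_hours"])):
            stale.append(str(item["asset"]))
    return stale


def restore_order(inventory: List[Dict[str, object]]) -> List[str]:
    """Restore dependencies before the assets that need them (depth-first)."""
    by_name = {str(item["asset"]): item for item in inventory}
    ordered: List[str] = []
    seen: Set[str] = set()

    def visit(name: str) -> None:
        if name in seen:
            return
        seen.add(name)
        for dep in by_name[name]["depends_on"]:  # type: ignore[union-attr]
            visit(str(dep))
        ordered.append(name)

    for item in inventory:
        visit(str(item["asset"]))
    return ordered


if __name__ == "__main__":
    print("stale:", stale_assets(INVENTORY, "2024-03-01T12:00:00+00:00"))
    print("restore order:", restore_order(INVENTORY))
```

Running a check like this on a schedule, and keeping its output, gives you something concrete to attach when the application asks how often you back up and how you know the backups are current.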
Make a plan
Getting cyber liability coverage can be challenging if you don’t have a documented cybersecurity and risk plan. You’ll need to reapply for cyber coverage each year, so maintain and improve your programs. As your security layers become more robust, you could reap the benefits of better coverage, lower premiums, or both.