Cyber Liability Insurance

What is Cyber Insurance?

Cyber insurance is designed to protect consumers of technology services or products from the financial consequences of a breach of sensitive data (personally identifiable information, protected health information, or personal financial information). Cyber liability coverage includes legal costs, forensics and security consulting, identity theft protection services, data restoration services, and any settlement with victims.

Insurance Requirements

Before businesses can transfer this risk to the insurance company, they are required to have certain controls in place to protect themselves and limit their exposure. The level of controls the company has implemented is ascertained through a Cyber Liability Questionnaire, which the organization must fill out. Questions may include the following:

  • Do you have a process in place to regularly download and install patches?
  • Do you have an incident response plan to respond to a network intrusion?
  • Is multi-factor authentication implemented for remote access to email and other systems and programs that contain private or sensitive data in bulk?

To further limit their risk, insurers may not cover acts sponsored by nation-states or carried out in conjunction with a traditional physical war. Two recent incidents believed to be caused by nation-states are the WannaCry incident and the SolarWinds cyberattack. WannaCry affected companies throughout the world for 4 days in May of 2017 and is estimated to have caused losses in the billions, while the SolarWinds cyberattack is estimated to have cost around 90 million, which under these new requirements would not have been covered.

What This Means for You

We encourage organizations to put controls in place to protect critical data and systems and to align those controls with the level of risk the organization accepts. Obtain cybersecurity insurance to transfer the remaining risks and limit the organizational impact. Insurance is not an alternative to implementing good compliance measures, but for many organizations it is the motivating factor for implementing these measures.

Contact Morefield to speak with our team of cybersecurity experts about any challenges your organization is facing in navigating these fragile waters.

Fill out our contact form or call (717) 761-6170 for a consultation.

CONTROLS

Cyber insurance underwriters put together a list of controls aligned with traffic light colors. Red requirements are the minimum standard organizations are required to implement, amber requirements go above the minimum and are more attractive to underwriters, and green requirements are the most attractive to underwriters.

Red requirements:

  • Multifactor authentication (MFA) for:
    • Employee email.
    • Remote access for users to access sensitive data.
    • Privileged accounts / privileged access. These include domain administrators, the Chief Financial Officer, Human Resources, and any other individual who accesses sensitive data.
  • Offsite (preferably offline) backups of critical data.
  • Endpoint detection and response (EDR) solution on all managed endpoints.
  • Create an audited written plan for patching critical software and hardware.
  • Employee cybersecurity training, including phishing simulations.

Amber requirements:

  • Strong email filtering tools to limit risky emails being delivered.
  • Privileged access account security measures.
  • End-of-life unsupported software and hardware segregated from the network with plans to decommission.
  • Cyber-incident disaster recovery/incident response plan, and segmentation of your computer network by operation function, data classification, and operational risk.
  • Local admin accounts are disabled on endpoints.

Green requirements:

  • Organizational password management application implemented.
  • Detailed asset footprint of service accounts with domain credentials, services, and monitoring of these accounts.
  • Security information and event monitoring (SIEM) implemented.
  • Data loss prevention tools implemented.
  • Follow an information security framework such as NIST Cyber Security Framework, CIS, or other common cybersecurity frameworks.
  • Maintain a 24/7 Security Operations Center (SOC) – internal or external.
