If you are considering adding cyber liability insurance coverage for your company, I have outlined many of the areas where you will be questioned by the underwriters. Renewals will also be harder and stricter. Many companies are failing to qualify for coverage or renewal since insurance carriers are tightening up their requirements. U.S. cyber insurance prices have increased 79% in the last year. The questionnaires are getting longer and more detailed. Multifactor authentication (MFA) is a requirement with all carriers now and they are expecting MFA beyond email. Resistance is futile.
- The most basic requirement is “EDR” (endpoint detection and response) on all devices. This might be referred to as Advanced A/V, MDR, XDR, or Nextgen A/V.
  - The catch here: Do you have it on ALL devices? If you say yes and a breached device turns out not to have “EDR,” your claim is denied. By the way, unsupported systems such as Windows XP and Windows 7 are instant fails.
- Do you have a cloud backup? Is it encrypted?
  - Has the backup/recovery been tested and verified? How often?
  - Can you provide proof?
- Do you have a written incident response plan (IRP)?
  - Show them; they want a copy.
- Do you have a “qualified” CISO or CSO?
  - This can’t just be the receptionist given the title; they must be qualified.
- Do you have a written disaster recovery plan?
  - This is not the same as an IRP. This will be reviewed.
- Is all your sensitive data encrypted “at rest”? “In transit”?
This list is just the start. Our cyber insurance questionnaire is about 150 questions long. We can review it with you and score you. It takes about two (2) hours to answer, sometimes much longer if each question has to be discussed. We prepare you to pass your review and can advise you on gaps in your cybersecurity posture.
During our last insurance review, the insurance carrier also ran their own independent penetration test, an “adversary view” of our network. We had to address seven (7) additional items they found, including website and email domain protections. This is also becoming a requirement to pass their assessment. It is very similar to the PCI credit card scanning performed annually.
Your cyber security rating (score) is very much like the “FICO” credit score. The better the score, the lower your insurance costs. If you do not have a passing score, you probably won’t get coverage, or they could have some severe restrictions on the coverage.
Deductibles are getting higher too. You may not qualify for a $1,000 deductible. It could be $5,000 or $10,000 based on any previous “reported losses” or a poor security score. Shopping around is getting harder, and you may have to pay an application or assessment fee since the underwriting time, review, and paperwork are so extensive. We start the process two (2) months before our renewal date since we do not want to have a lapse in coverage or have to scramble to fix a deficiency.
Do not delay on getting this process started. Our vCIOs at Just Solutions are here to assist you.
About the Author
As the Vice President, David Wolf is a technology visionary and serial entrepreneur with over 30 years of experience in the IT industry. David has achieved the highest industry security certifications of CISSP (Certified Information Systems Security Professional), CEH (Certified Ethical Hacker), and CCISO (Certified Chief Information Security Officer). He enjoys using his technical expertise to help fellow business owners get the most out of their IT.