Throw away the misconception that cyber insurance frees a firm from its cybersecurity responsibilities. Here are ways to get cyber-insured deservingly!

In light of the ever growing threat of cyberattacks, many organizations are considering, or have signed up for cyber insurance.

However, purchasing cyber insurance is not simple. It is not a one-size-fits-all exercise. Insurance firms will consider the risks and the potential damages for each application, and they will want to understand how well secured an organization already is.

Coupled with the price of cyber insurance soaring, some firms may find it a challenge to get cyber insured at an acceptable price. With that in mind, here is a checklist of questions organizations seeking cyber insurance can expect to be asked — and some tips on preparing for them.

Wahab Yusoff, Vice President (Asia Pacific & Japan), Delinea
    1. How do you identify threats, vulnerabilities and risks, and educate employees?
      Insurers want to know that you understand your risks and have established risk management processes. Understand your organization’s risk profile by conducting a cybersecurity risk assessment. Identifying your vulnerabilities will also help you gauge your company’s cyber risk tolerance.

      Insurers also want to see you conduct regular cybersecurity training beyond simple online tests or signoffs on security policies. Make cybersecurity awareness training a fundamental part of your corporate culture. Updating employees on the latest phishing tactics and social engineering schemes can go a long way towards protecting your organization.

    2. Do you maintain inventories of assets and privileged accounts?
      Having an inventory of all devices, software, and privileged accounts that could be a possible entry point for malicious attacks, including those used by remote workers, will help firms identify all threat vectors and determine the value and scope of the assets that need insurance coverage. Discovery tools for Active Directory accounts and passwords; service accounts and local accounts and applications help identify shared accounts; accounts that have expired; and accounts that are no longer needed.

    3. Do you automate password management or use Multi-Factor Authentication?
      Insurers want to see that you are not relying on manual spreadsheets for password management. Implement a privileged password management tool to track credentials and generate and rotate complex passwords for all your accounts so people will not have to type or remember them. Automation ensures policies are applied consistently and reduce human error.

      Insurers also want to know that a candidate for insurance is authenticating users with more than just a password. Multi-Factor Authentication (MFA) adds another layer of security for access control, and shows insurers that a firm is minimizing exposure to credential-based cyberattacks.

    4. Have you implemented PAM and multiple layers of malware defense?
      By delineating the boundaries of access to its systems, an applicant for cyber insurance shows insurers that it is protecting privileged accounts from malicious hackers. Implement a comprehensive Privileged Access Management (PAM) solution to help control access to systems and sensitive data and comply with regulations. Look for software that automates the identification and analysis of risk to your privileged accounts, along with vaulting, continuous monitoring, and session recording.

      Insurers will also expect a candidate firm has multiple layers of malware defense to protect against viruses and rogue programs deployed by bad actors. Demonstrate to insurers that your firm is taking every feasible measure to implement defense-in-depth, such as implementing and enforcing least privilege access; restricting or removing local admin rights; and layering-in threat intelligence and endpoint protection solutions for both workstations and servers.

    5. Do you backup accounts and passwords or have endpoint security in place?
      When disaster strikes, it is critical to recover quickly. Make sure secrets (passwords and other credentials) are not tied to a single location and can be moved to a safe space if necessary. Any password management or PAM solution should have infrastructure redundancy for break-glass access.

      The increase in remote-working also means that more endpoints, such as laptops and tablets, as well as cloud servers, are prime targets for attacks. If you have an endpoint security tool it will be easier to identify and respond to cybersecurity events. Choose a solution that can provide comprehensive monitoring, alerting and reporting capabilities for privileged behavior on workstations and servers. This will allow your IT security team to identify unexpected behavior and conduct forensic analysis if a breach occurs.

    6. What type of credential monitoring have you implemented?
      According to research, a vast majority of data breaches involve the human element. Empower remote employees and vendors to follow security best practices for privileged account usage, no matter where they work. Leverage a PAM solution that can monitor remote sessions, extend remote monitoring to cloud sessions, and uses Privileged Behavior Analytics to monitor digital identities’ activities to detect anomalies.

    7. What sort of incident response plans and tools do you have?
      Insurers expect a firm to have an incident response plan because this can reduce the risk of a cyber breach becoming a catastrophe and maintain business continuity. Create an incident response plan that matches your firm’s risk profile, regulatory requirements, and organizational structure. Include a checklist of roles and responsibilities and actionable steps to measure the extent of a cybersecurity incident and contain it before it damages critical systems. Conduct incident simulations to help identify areas for improvement and demonstrate to insurers that your firm’s readiness is more than theoretical.

      In addition, insurers know firewalls and antivirus tools are not sufficient to detect and shut down sophisticated cyberattacks. They want to see a potential insure is using tools to detect breaches and coordinate an effective response. Reduce the potential effort and cost of incident response by layering privileged access security across workstations and servers. Choose tools that validate identity, enforce MFA to access privileged accounts, manage passwords, and detect unusual behavior.

    8. How would you fix security gaps that make your organization vulnerable?
      Insurers want to see that a firm has plans to quickly return operations to normal, prevent repeat security incidents, and stem cyber losses. Do not make the mistake of being over-optimistic about your firm’s recovery abilities — many studies show a gap between perceived security level and actual time taken to recover from a cyberattack. It takes an average of 280 days to identify and contain a data breach. Demonstrate to insurers that your firm is realistic, willing to learn from mistakes, and implement continual improvements.

It should be evident by now that cyber insurance is not a replacement for a solid, up-to-date cybersecurity program. Performing this kind of due diligence makes an organization a more likely candidate for being accepted for insurance.