
Beyond the Checklist: Demonstrating Cyber Maturity for Insurance Carriers

Updated: 6 days ago

Navigating the world of cybersecurity can feel overwhelming, especially for SME leaders. But insurance carriers aren't recommending cyber controls for the fun of it. They see real value in businesses that adopt these practices, because in their experience those organizations are serious about cybersecurity. This isn't just about throwing up digital walls; it's about showing carriers that your business is a safe bet. We've put this document together to clear things up. It's a straightforward look at these controls, both from the underwriter's perspective and from an IT perspective, so that you understand why each control matters, both for keeping the business running and for making the insurance process easier.

High Priority (Critical):

Implementing these controls can be pivotal in qualifying for cyber insurance coverage.

  1. Require multi-factor authentication for employee email (e.g., Microsoft 365/Outlook, Google Workspace, web-based email apps): Multi-factor authentication adds a second, independent factor beyond the password. It's like having a double lock: even if attackers obtain or crack the password, they still need the second factor. Two practical caveats: authenticator apps and hardware security keys hold up better than SMS codes against phishing and SIM swapping, and MFA must apply to every sign-in path, so legacy protocols that accept only a password (older IMAP/POP/SMTP clients) should be disabled, or they become the way around it.

  2. Require multi-factor authentication for remote access (e.g., VPN, RDP, VDI): Remote access is one of the most common entry points for attackers, and internet-exposed RDP in particular is a frequent ransomware foothold. MFA ensures that stolen or brute-forced credentials alone are not enough to get in. RDP should not be reachable directly from the internet at all; put it behind the VPN or a gateway that enforces MFA.

  3. Require multi-factor authentication for privileged accounts (e.g., domain administrator accounts): Privileged accounts hold the keys to the kingdom; an attacker who controls one can disable defenses and reach every system. By requiring MFA on them, you make it doubly hard for an adversary who has phished or dumped an admin password to actually use it.

  4. Require offline/offsite backups of critical data and, at minimum, annual testing that you can fully restore (e.g., the 3-2-1 backup approach: three copies of the data, on two different media, with one copy offsite): Offsite backups ensure that even if onsite data is encrypted or destroyed, a clean copy exists elsewhere. "Offline" matters as much as "offsite": backups that stay reachable from the production network with the same credentials are routinely deleted by ransomware operators before they encrypt. Test restores, not just backup jobs; a backup is only proven when a full restore has succeeded.

  5. A written and audited patching cadence plan that sets a target time for deploying critical/high-priority patches: Staying current means known vulnerabilities get closed before they are exploited. The plan should state the target (a specific number of days for critical patches, for example), and the audit shows the carrier that the target is actually met rather than just written down.

  6. Use of an Endpoint Detection and Response (EDR) solution monitoring all endpoints: EDR is like a security camera on each endpoint, recording process, file and network activity and able to isolate a machine when malicious behaviour is detected. Coverage is the point: a laptop or server without the agent is a blind spot, so "all endpoints" means servers as well as workstations.

  7. Maintain a 24/7 Security Operations Center (SOC), internally or through a provider: A SOC is your cybersecurity command center, offering round-the-clock vigilance. EDR and SIEM alerts are only useful if someone acts on them promptly, and attackers favour nights, weekends and holidays precisely because nobody is watching. Whether in-house or outsourced, the SOC is the constant eye that turns alerts into response.

  8. Require, at minimum, annual cybersecurity awareness training for all employees: Knowledgeable employees act as an additional defense layer. Regular training ensures they can recognise and report suspicious emails, calls and requests, reducing the chance that a single click becomes an incident.

  9. Perform, at minimum, annual phishing simulations and track performance: Phishing remains a top threat vector. Simulations test employee readiness against the tricks used in real attacks. Track both the click rate and the report rate over time; a rising report rate is the more useful sign, because it means staff are alerting you to the real thing.

  10. Use of a Privileged Access Management (PAM) tool: PAM tools vault privileged credentials and manage and monitor how they are used. They ensure that only the right people have the right access at the right time, and they keep a record of what was done with it.

  11. Use of a written and tested Disaster Recovery Plan (DRP)/Business Continuity Plan (BCP)/Incident Response Plan (IRP), including a section addressing a ransomware event: These plans are your playbook for when things go awry. They offer structured responses, ensuring swift recovery from any disruption. "Tested" matters: a plan that has never been exercised is a document, not a capability.

  12. Create a policy that requires portable devices to have full disk encryption (e.g., BitLocker on Windows, FileVault on macOS): Portable devices are often lost or stolen. Disk encryption ensures that even if they fall into the wrong hands, the data remains unreadable without the key.

  13. Encryption of backups and of information stored on mobile assets, enterprise assets, and with cloud providers: Encryption acts as a digital seal, rendering data useless to anyone without the key. Whether it's backups, mobile devices, or cloud storage, encryption at rest keeps the data private if the storage itself is exposed.

  14. Use of email security controls (e.g., SPF, DKIM and DMARC for sender authentication, attachment and URL sandboxing, flagging external emails, pre-delivery screening): Email is a prime target for cyberattacks. SPF, DKIM and DMARC let receiving mail servers reject messages that forge your domain, and filtering tools act as gatekeepers, ensuring only legitimate emails get through while suspicious ones are quarantined.
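Carriers ask whether SPF and DMARC are "in place", but the records only count if they enforce something. The script below, an added example that is not part of the original article, parses SPF and DMARC TXT records the way a receiving mail server reads them and grades them against the control: SPF must end in an enforcing `-all` (or the weaker `~all`), and DMARC must have a policy of `quarantine` or `reject` rather than `none`. The sample records are constructed for fictional domains; it does no DNS lookups, so it runs offline. DKIM is not checked because DKIM selector names cannot be enumerated from DNS without knowing them in advance.

```python
"""Grade SPF and DMARC TXT records against the carrier email-authentication control.

Added example with constructed records; no DNS lookups are made. To check a
real domain, replace SAMPLE_RECORDS with the TXT record of <domain> (SPF)
and of _dmarc.<domain> (DMARC).
"""

# Constructed sample TXT records for fictional domains (assumed values).
SAMPLE_RECORDS = {
    "good.example": {
        "spf": "v=spf1 include:_spf.mailer.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example",
    },
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailer.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "open.example": {
        "spf": "v=spf1 +all",
        "dmarc": None,
    },
}


def parse_spf(record):
    """Return {'all': qualifier, 'mechanisms': [...]} or None if not an SPF record.

    The qualifier on the 'all' mechanism decides enforcement:
    '-' fail, '~' softfail, '?' neutral, '+' pass (explicitly allows everyone).
    """
    if not record or not record.strip().lower().startswith("v=spf1"):
        return None
    all_qualifier = None
    mechanisms = []
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # SPF default is '+'
        name = term.lstrip("+-~?").lower()
        if name == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append(term)
    return {"all": all_qualifier, "mechanisms": mechanisms}


def parse_dmarc(record):
    """Return the DMARC tag=value pairs as a dict, or None if not a DMARC record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def evaluate_domain(spf_record, dmarc_record):
    """Grade one domain. A 'fail' finding means the control is not met;
    'warn' findings are weaker-than-ideal settings that still enforce."""
    findings = []

    spf = parse_spf(spf_record)
    if spf is None:
        findings.append(("fail", "SPF: no v=spf1 TXT record"))
    elif spf["all"] == "+":
        findings.append(("fail", "SPF: '+all' authorises any sender; change to -all"))
    elif spf["all"] in (None, "?"):
        findings.append(("fail", "SPF: no enforcing 'all' term; append -all"))
    elif spf["all"] == "~":
        findings.append(("warn", "SPF: '~all' softfail; -all is stronger"))

    dmarc = parse_dmarc(dmarc_record)
    if dmarc is None:
        findings.append(("fail", "DMARC: no v=DMARC1 record at _dmarc.<domain>"))
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(("fail", f"DMARC: p={policy or 'missing'} only monitors; set quarantine or reject"))
        elif policy == "quarantine":
            findings.append(("warn", "DMARC: p=quarantine; p=reject is the end state"))
        if dmarc.get("pct", "100") != "100":
            findings.append(("warn", f"DMARC: pct={dmarc['pct']} applies the policy to only part of your mail"))
        if "rua" not in dmarc:
            findings.append(("warn", "DMARC: no rua= address, so you receive no aggregate reports"))

    return {"pass": not any(level == "fail" for level, _ in findings),
            "findings": findings}


if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        result = evaluate_domain(records["spf"], records["dmarc"])
        print(f"{domain}: {'PASS' if result['pass'] else 'FAIL'}")
        for level, message in result["findings"]:
            print(f"  [{level}] {message}")
```

The "warn" level exists because many organisations run `~all` and `p=quarantine` for a long time while they discover every legitimate sending service; that still enforces and is usually accepted, but `p=none` is monitoring only and should not be described to a carrier as DMARC being in place.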


Additional areas being looked at by the carriers in their underwriting process:

  1. Local admin rights granted on a restricted basis, not by default: Limiting admin rights means that a phished user, or malware running as that user, cannot install software, disable security tools or make system-level changes. By making admin rights the exception rather than the default, you put a check on both mistakes and deliberate misuse from inside.

  2. Identity management tools: These tools ensure that only the right people have access to your resources, and that access is removed when someone changes role or leaves. By managing user identities centrally, you keep tighter control over who can access what, which serves both efficiency and security.

  3. Removal of all service accounts from the Domain Admins group (specific to AIG): Service accounts are a risk if left unchecked: their passwords often never change and sit in configuration files, so if one is a domain admin, compromising the application it serves hands the attacker the whole domain. Grant each service account only the specific rights its application needs.

  4. Invest in a security information and event management (SIEM) tool: A SIEM is a centralized security dashboard, aggregating and analyzing logs from endpoints, servers, firewalls and cloud services. It correlates events across sources, spots patterns a single log would not reveal, and raises alarms so the SOC can respond in time.

  5. Invest in a data loss prevention (DLP) tool: Data loss can be both accidental and malicious. A DLP tool watches for sensitive information leaving by email, upload or removable media and blocks or flags it, so that confidential data stays within the confines of the organization.


While carrier expectations may vary, consistently implementing these controls is often foundational for securing cyber insurance coverage across the industry. It's worth noting that while many of these controls align with broader compliance frameworks, each carrier prioritizes the controls they deem most critical to their risk assessment.


Next Steps:

Understanding cybersecurity shouldn't feel like solving a mystery. Start by talking with your IT team and use this guide as a conversation starter. It'll help you get a handle on where you currently stand and where there is room for improvement. Taking the time to really understand these controls will not only help protect your business but will also show insurance carriers that you're serious about cybersecurity. In short, it's about being clear, staying committed, and ensuring your business remains resilient in our digital age.


Conclusion:

Here's the bottom line: insurance carriers really value these cyber controls. It's not just about ticking off boxes on a checklist. They see businesses that use these controls as being genuinely committed to good cybersecurity practices. By really diving into these controls, SME leaders are not only beefing up their defenses but are also signaling to insurance carriers that they're a reliable partner in the cyber world.
