Security posture improvements make cyber insurance more accessible

January 18, 2024
Author: John Bruggeman
Blog

Summary: In this episode of Inside the CISO’s Office, I sat down with cyber insurance agent Joe Davis of Houchens Insurance Group. We talked through the security measures that agents and insurance companies look for in a business, how to improve your security posture to make your organization more attractive to insurers, and what to expect from your insurer when you find yourself facing a cybersecurity incident.

Inside the CISO’s Office Ep. 5: Cyber security insurance from an agent’s perspective

What cybersecurity measures do insurers look for?

In the face of a rising tide of cybersecurity threats, insurers are increasingly assessing clients against basic security controls. These controls answer a fundamental question: has the organization already taken the basic steps to improve its security posture? For many organizations without a mature cybersecurity program, the first step is enabling multi-factor authentication (MFA). Enabling MFA is one of the easiest ways to reduce your risk and is one of the first things insurers look for when evaluating a potential client.

MFA matters particularly for administrative accounts, not just end-user accounts. “We’re also wanting to see that, from an insurance perspective, on the admin access as well,” said Joe. “So, non-forward-facing controls, we’re looking to see MFA on that.” Administrator MFA is part of a robust privileged access management (PAM) strategy, which will be critical to any zero-trust implementation as your cybersecurity strategy matures.

Read more: How to secure your data by implementing a zero trust architecture

In addition to MFA, insurance carriers increasingly look for an endpoint detection and response (EDR) system that goes beyond simple antivirus. Even so, for many carriers, Microsoft Defender is a perfectly acceptable solution. And while many insurers require round-the-clock EDR monitoring, meeting that bar is not necessarily as intimidating as it might first seem.

“I think that sometimes the monitoring 24×7 can be a little bit misconstrued,” said Joe. “Some of those [EDR] programs that you’re talking about, they are 24×7. [Carriers are] just wanting to make sure that if something were to pop up, that you have somebody on staff, somebody that’s got some sort of a notification that they can go ahead and get that taken care of quickly.”

Cyber insurance carriers do operate under certain baseline expectations when assessing potential clients. However, the best thing your organization can do is demonstrate a thoughtful approach to cybersecurity—regardless of your specific technology configuration.

Give yourself more insurance options by improving your security posture

Cyber insurance is a must for any organization with a web presence. Not all organizations, however, are prepared for a highly mature cybersecurity implementation. Businesses that, for whatever reason, still have some catching up to do in the cybersecurity space can take specific steps to make themselves more appealing to cyber insurance carriers and less appealing to criminals looking for easy prey.

The first step, Joe says, is to discuss your security posture with your insurance broker. Developing a detailed plan for updating your security measures can put you in a better position with insurers. “A narrative goes a long way with that. [For example,] ‘We’ve talked to these vendors, we feel like this is going to be a 30-day period to put MFA in… We’ve got a plan that’s put together.’ And a lot of times, they’ll work with you on that.”

Some carriers may agree to revisit or modify your policy when certain security milestones are met; others prefer to make changes at your next renewal period. But in every case, transparency is critical—and may offer an opportunity for you to take advantage of the carrier’s cybersecurity expertise.

New technology solutions are not the only way to improve your security posture. Education and awareness efforts within your organization are a strong signal to insurance agencies that you take a healthy approach to cybersecurity. Even if you are not positioned to implement new technology measures, you can train users to identify phishing attempts and social engineering. In addition, ensure that you have a robust incident response plan and a strong disaster recovery plan, and test them regularly.

Increasing the chances of securing cyber coverage

When you reduce your cybersecurity risk with good security controls, you demonstrate to insurers that you are a safe bet. Strengthen your security posture with:

  • Phishing tests.
  • Social engineering awareness.
  • Employee cybersecurity training.
  • Incident response plans.
  • Disaster recovery plans.

Even without specific technology, you can increase your company’s attractiveness to insurers. Strengthen your security posture through education and planning, and work with your broker to incorporate strategic progress into your policy. Additionally, consider leveraging managed security services such as Managed MFA, Managed Endpoint Detection and Response, Patching as a Service, and Managed SOC. These services provide ongoing security posture optimization, helping to ensure your organization remains resilient against evolving threats.

Learn more: Why should you do information security awareness and training?

In the event of an incident, your agency will guide you

In the moment, the experience of a cybersecurity incident can be nerve-racking. Make your cyber insurance agency your first call, and they can walk you through your next steps. Cyber insurance policies typically have a hotline number to call when a problem arises. Joe said he also gets the call because his clients are familiar with him. “I’ll usually get the first phone call with that. That doesn’t necessarily have to be that way. I would put the claim in for you, but I would also give you the hotline number so that we’re hitting it from both angles to make sure that that is happening as quick as possible.”

The hotline agent takes down the details of the incident and initiates the incident response. After the intake, the carrier will call you back to establish more detail—what steps you have taken, or what intrusions your systems have detected. The carrier then puts you in touch with expert outside counsel to go over your legal rights and requirements.

“Claims counsel, that’s what they do,” said Joe. “They’ll help walk you through [steps] to make sure that you stay in compliance with… state and federal laws that surround privacy.” From there, your carrier can provide you with additional resources based on the type of incident you are facing.

Cyber insurance carriers deal with security incidents every day and are well-positioned to help you through difficult situations. Be sure to notify your agency of any security events—even minor ones—to guard against unexpected risks later on.

Access the benefits of cybersecurity expertise with CBTS

In addition to consulting on cybersecurity strategy, CBTS can help you lay the foundation for zero-trust architecture and supplement your internal technology team to see the transformation through.

To maximize your chances of getting adequate cyber insurance coverage and to strengthen your overall security posture, contact one of our experts today.
