Cyber Insurance Requirements

May 29, 2024

By:  Jennifer Yeagley

As someone who briefly sold insurance, I cannot overstate how many people hate the idea of insurance.  Whatever the reasoning, whether it is the expense or the perceived uselessness of it, people do not want to hear that they need another type of insurance.  Until they need it.

I am not here to tell you that you NEED cyber insurance, but not knowing enough about it may leave you without the opportunity to choose.  However, if you do choose to purchase it, meeting the policy's security requirements is the only way to make sure a claim is actually paid.  So, let's look at what cyber insurance actually is and identify common requirements.

What is cyber insurance?

Cyber insurance does what most insurance does:  covers financial loss from qualifying events.  There are various types of cyber insurance, so it is important to make sure you understand what kind you are looking at when doing your research.  In general, you have two main types:  first-party and third-party.  First-party cyber insurance covers the financial loss your organization experiences, such as recovering data or lost income.  Third-party cyber insurance covers the financial loss of third parties, such as claims against your organization for litigation or accounting costs.  You can also find policies that cover a mix of the two to gain more complete coverage.

What are common requirements of cyber insurance?

  1. Strong security controls – Think “policies” on this one. You can have all the right software and hardware, but you must back it up with strong policies that require employees and external partners to act in a secure manner.  This may include enforcing least-privilege access, so that each person can reach only the parts of your systems they need and your organization is not wide open internally.  Remember, many data breaches start with action by an insider, whether a malicious one or an employee who is tricked or simply makes a mistake.
  2. Multifactor Authentication – I’m not going to lie and say that I personally love this one, but for the sake of security, MFA is a huge saving grace. First of all, MFA is an extra layer of verification when logging in.  This could be a biometric verification like a fingerprint or facial recognition, a code generated on or sent to your device of choice, or a hardware security key.  This step prevents someone from accessing your information with just a stolen or guessed password.  Codes from an authenticator app or a hardware key are stronger than codes sent by text message, which can be intercepted or redirected, and insurers increasingly expect MFA on remote access, email, and administrator accounts in particular.
  3. Incident Response Plan and/or Disaster Recovery Plan – The insurer wants to know that you have a plan for a cyber security attack that has actually been tested. They want to know that you have tested it, that it works, and that you have updated it as things change.  No one is going to want to pay you while you “figure out” how to deal with the attack.  One critical piece of your plan needs to be regular backups that are kept securely, stored offline or otherwise isolated from your production network so ransomware cannot reach them, and verified by periodically restoring from them.
  4. Network Security – Firewalls, filters, intrusion detection, and more may be required for coverage. It just makes sense to only want to cover someone who is trying to prevent a problem.
  5. Vulnerability Assessment – Just like you have to test your recovery plan, you may need to prove that you test your system to find points of weakness.
  6. Regulatory Compliance – This should be a no brainer. If you are part of an industry that requires data restrictions, like through HIPAA or FERPA, you must follow those regulations to qualify for cyber insurance.
  7. Endpoint detection and response – Do you have people working remotely? Do you allow cell phones and tablets to connect to your network?  If you do, you should have endpoint detection and response (EDR) software on your laptops, desktops, and servers that watches for malicious activity, records what happened, and can isolate a compromised device from the network, along with controls that keep unauthorized devices from connecting in the first place.
  8. Updates and Patches – Cyber threats evolve, but so do the systems that work against them. You must follow through with updates and patches.  Be aware of any software that is at or near “end-of-life,” because once a vendor stops supporting it, it no longer receives security updates for newly discovered flaws.  Windows 10 is a prime example.  The end-of-life date is October 2025.  After that, Microsoft will stop supporting the software, leaving organizations that still use it vulnerable and non-compliant with cyber insurance requirements.
  9. Training – Your organization’s biggest asset is also its biggest weakness, your people. If you are investing in your security, include an investment in your people.  Cyber insurance requires it, but it is so beneficial for your people to understand the security measures and how they fit in with taking care of their organization.
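Item 2 above describes a one-time code as the second factor.  To show what is actually happening behind that code, here is an added example (not from the original post) of how a time-based one-time password is generated and then checked alongside a password, following RFC 4226/6238.  The account, password, and salt are constructed for the demo; the shared secret is the published RFC 6238 test secret so the codes can be verified against known values.

```python
"""
Added example: how a time-based one-time code (TOTP) works as a second factor.
Not part of the original post. Demo account, password and salt are constructed.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble picks a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based code (RFC 6238): HOTP over the number of the current 30-second window."""
    now = time.time() if at is None else at
    return hotp(secret, int(now) // step, digits)


class Account:
    """Constructed demo account: a PBKDF2 password hash plus a TOTP secret."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = b"constructed-demo-salt"   # real code: os.urandom(16), unique per user
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 200_000)
        self.totp_secret = totp_secret
        self.last_counter = -1                 # highest window already accepted (replay guard)

    def check_password(self, password: str) -> bool:
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 200_000)
        return hmac.compare_digest(cand, self.pw_hash)

    def match_totp(self, code: str, at: Optional[float] = None,
                   step: int = 30, window: int = 1) -> Optional[int]:
        """Return the window number the code matches, or None.

        `window` allows +/- one step of clock drift between phone and server.
        Windows at or below last_counter are refused so a captured code
        cannot be replayed.
        """
        now = time.time() if at is None else at
        counter = int(now) // step
        for c in range(counter - window, counter + window + 1):
            if c <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.totp_secret, c, len(code) or 6), code):
                return c
        return None


def login(account: Account, password: str, code: str, at: Optional[float] = None) -> bool:
    """Both factors are always evaluated so the response does not reveal which one failed.

    The used window is only recorded when the whole login succeeds.
    """
    pw_ok = account.check_password(password)
    matched = account.match_totp(code, at=at)
    if pw_ok and matched is not None:
        account.last_counter = matched
        return True
    return False


if __name__ == "__main__":
    # RFC 6238 test secret; at T=59 the 6-digit SHA-1 code is 287082
    secret = b"12345678901234567890"
    acct = Account("correct horse battery", secret)
    print("password + code :", login(acct, "correct horse battery", "287082", at=59))
    print("replayed code   :", login(acct, "correct horse battery", "287082", at=59))
    print("password only   :", login(acct, "correct horse battery", "", at=1111111109))
```

The point for a policyholder is the last two lines: a leaked password alone never gets in, and a code that someone shoulder-surfed or phished is useless once it has been used or its 30-second window has passed.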

You do not have to have cyber insurance at this point, but if you are going to take that step, do it with your eyes open.  Make sure you are following all the requirements the insurer has in place so that you are not denied when you need help the most.  We are here to help if and when it is needed.  Good luck and may your organization stay strong and secure!