Takeaway: As cybersecurity risk increases, large enterprises and government agencies are, increasingly, forcing smaller vendor companies to obtain cyber insurance to help manage the risk of a data breach. To prepare for an annual cybersecurity insurance renewal or initial application, consider the following practices which could help address the risks most concerning to an insurer.
Although cybersecurity risk is a persistent concern for law makers and regulators, a national regulatory standard in the United States does not appear imminent. If, however, your company has applied for cybersecurity insurance recently, the application process may have seemed like a compliance audit. Cybersecurity insurance questionnaires, as complex as they have become, are usually inquiring about common practices that most businesses should feel confident investing in and implementing.
For the most part, the cybersecurity practices desired by insurance underwriters – in the ever-changing world of cyber risk management – are the same, or similar in nature, to the administrative and technical safeguards required under various State and federal security standards. To prepare for an annual cybersecurity insurance renewal or initial application, consider the following practices which could help address the risks most concerning to an insurer and, perhaps even, reduce the insurance premium.
Implement Written Information Security Policy (WISP) and Incident Response Plan (IRP) – The objective of a WISP is to guide the implementation of the proper technical, administrative, and physical safeguards needed to protect an organization’s data. An IRP helps reduce the impact of a breach by creating a structured and systematic plan of response in the event of an incident affecting an organization’s systems, network, or data, including any data held by outside vendors or service providers. The IRP will also govern contingency plans like encrypted backups of your IT system and data.
Password Management and Multi-Factor Authentication (MFA) – Anyone accessing a system, network or data should be asked to provide multiple methods of validating their identity. A WISP may enforce a strong password policy, or even mandate the use of a password manager, which dissuades attackers, but an MFA policy often leverages location, biometric data, and/or unique keys as an additional means of validation.
Training and Awareness – Employees and vendors present the most prevalent vulnerability in most companies. A well-trained workforce, galvanized by a culture of security, however, can help mitigate human-centric vulnerabilities and reduce overall breach risk. There are numerous resources and tools available to help build an effective cybersecurity training and awareness program.
Patching – Companies should have a plan to inventory, patch, and update all software and hardware in their environment. Consider the NIST Guide to Enterprise Patch Management Technologies.
Endpoint Threat Detection and Mobile Device Management (MDM) – Monitoring endpoints (any device on a network) is a great way to reduce the risk of a security breach. Threat detection helps to identify ransomware and malware on devices by continuously monitoring for anomalous behavior and conditions. MDM provides a mechanism to track physical devices, patch their systems and software, and remove data in the event the device is lost or stolen.
Insurance companies are in the business of managing risk. As cybersecurity risk increases, large enterprises and government agencies are, increasingly, forcing smaller vendor companies to obtain cyber insurance to manage the risk of a data breach. Often, those vendor companies do not have the safeguards in place to reduce the risk, and mitigate the effect, of a bad data breach. The practices discussed above are a good starting point for addressing the prevalent risks inquired about in a cybersecurity insurance application.
* This blog is available for informational purposes only and is not considered legal advice on any subject matter. By viewing blog posts, the reader understands there is no attorney-client relationship between the reader and the blog publisher. The blog should not be used as a substitute for legal advice from a licensed professional attorney. Readers are urged to consult their own legal counsel or reach out to any of Pietragallo’s attorneys on any legal questions concerning a specific situation.