Unsecure at Any Speed… Cyber Liability Insurance in the Driver’s Seat

3 min read
August 31, 2022 at 1:00 PM

Unsafe at Any Speed: The Designed-In Dangers of the American Automobile is a non-fiction book by consumer advocate Ralph Nader, first published in 1965. Its central theme is that car manufacturers resisted the introduction of safety features (such as seat belts) and that they were generally reluctant to spend money on improving safety. As a result of the book and Nader’s work, the first comprehensive automobile safety legislation in United States history was passed in 1966 with the National Traffic and Motor Vehicle Safety Act and the Highway Safety Act.

In December of 2015, the late Becky Base called for a “Ralph Nader” moment for cybersecurity; she calls it the Nader moment because the closest analogy for cybersecurity is his campaign in the mid-1960s to improve auto safety, an effort that had languished for close to 50 years. The automotive analogy suggests that one key driver of the change could be insurance. Cyber risk coverage exists, but many insurers are now reluctant to underwrite all cybersecurity exposures, given the variable nature of the risks they are being asked to indemnify.

How can we limit those variables and reduce risk? By agreeing on a standard set of questions on best practices, cyber hygiene, and behaviors that insurers/underwriters will want you to answer when applying/renewing for cyber insurance. Cyber insurance questionnaires have evolved from the basic computer security that merely checked to see if we had firewalls and antivirus and not much else, to a more robust and in-depth assessment of your cybersecurity controls, processes, and policies.

How you answer the questions will determine if your organization is insurable and will also influence the premium you will pay. Are you doing enough to ensure that you are insurable (managing risk)? The following is a list of questions that could potentially be asked of your organization when seeking cyber liability insurance coverage:

  • Do you perform regular backups and store them in a secure off-site location?
    • In this day and age of ransomware, ensuring that you have a method to restore data is a key step to ensure you can recover from an attack. During the Colonial Pipeline ransomware attack, even after receiving the decryption key, the victims reportedly still needed to restore from backup because the decryption process was taking an excessive amount of time.
  • Are you using Azure? AWS? Google cloud services?
  • Are your backups encrypted and kept separate from the network whether offline or with a specialist cloud service?
  • How do you manage vendor risk?
  • Do you have Privileged Account Management (PAM) deployed?
  • Do you limit remote access to all computer systems by using two-factor authentication?
    • Insurance underwriters are aware of the risk of remote access and want to ensure that users have two-factor authentication (2FA) when using credentials outside of the office to remote into the firm.
  • Do you provide users with password manager software?
  • How do you implement local administrator rights?
  • How many personally identifiable information (PII) records are held on your network?
    • Don’t wait until renewal time to identify and categorize the PII on your network. Personally identifiable information (PII) can be sensitive or non-sensitive. Sensitive personal information includes legal statistics such as full name, social security number (SSN), driver’s license, mailing address, credit card information, passport information, financial information, and medical records. Often you may need to adjust this list depending on your organization and what records you store on your network.
  • Do you provide periodic anti-fraud training to employees?
    • This question is meant to ensure that we are teaching employees to recognize social engineering attempts to steal credentials or commit fraud.
  • Are processes in place to request changes to bank account details including account numbers, telephone numbers, or contact information?
    • Once again, the emphasis was on making 2FA part of the payment process. 2FA is recommended for any external financial or banking transaction.
  • Can users access email through a web application on a non-corporate device?
    • Many firms mandate the use of separate devices for office access. If you allow email access through a non-corporate device, insurance providers want you to protect it with the use of 2FA.
  • Do you strictly enforce Sender Policy Framework (SPF) on incoming emails?
    • Sender Policy Framework (SPF) is an email-authentication technique that is used to prevent spammers from sending messages on behalf of your domain. With SPF, an organization can publish authorized mail servers. It also asked if your desktop email platforms or firewalls provide sandbox capabilities to evaluate attachments.
  • Do you use endpoint protection in the network? What brand?
  • Do you have a Security Operations Center (SOC)?
  • What steps are you taking to detect and prevent ransomware attacks?
  • How long does it take to install critical, high severity patches?
  • Have you implemented a hardened baseline configuration across servers, laptops, desktops, and managed mobile devices?
  • Are end-of-life or out-of-support hardware and systems segregated from the rest of the network?

Assessing and reporting on the controls, processes, and policies that you have in place is a critical part of every organization's information security program and is now part of the cyber insurance renewal process. The good news is that Compass IT Compliance has you covered and can provide the direction you need to answer these questions and mitigate your risk of a breach. Taking time to implement protocols and controls increases the chances of your business being “insurable” and may lower overall insurance costs!

Contact Us

Get Email Notifications

No Comments Yet

Let us know what you think