Cyber threats are often cited as the leading threat facing businesses in Canada today. From ransomware to phishing, the threats are multiplying, and the costs incurred from security incidents can leave small businesses facing bankruptcy.
The cyber insurance sector has expanded in parallel with this growing threat, offering businesses loss mitigation against cyber-related breach events. Cyber insurance has become a fundamental part of the security jigsaw for many companies, and while coverage varies depending on the policy, common areas of protection include:
-
- Incident response and investigation. Insurance can cover expenses incurred in responding to and investigating a breach event, such as mobilizing an incident response team, hiring investigators to probe the cause of the breach, and costs that result from the need to shut down critical systems.
-
- Legal fees and expenses. Insurance can cover legal fees encountered following a breach. This might include legal advice on regulatory compliance, or mounting a legal defence in response to a legal challenge.
-
- Fines and penalties. Cover can be granted against fines and penalties issued by governments and regulatory bodies.
-
- Data recovery and system repair. Recovering data and reinstating compromised systems can be a costly endeavor. Insurance can cover the costs involved in these efforts, such as the expenses involved in hiring specialist IT engineers and data recovery consultants.
-
- Business Interruption losses. Insurance offers protection against losses that arise due to operational disruption, such as revenue loss, refunds, and inventory wastage.
-
- Public Relations Expenses. Insurance can be helpful for recouping costs incurred through public relations activities which aim to restore a business’s reputation and public standing following a breach event.
How to Build a Cyber Readiness Roadmap for Insurance Success
So far, we’ve talked at length about the positive impact of cyber security readiness on insurance outcomes. We’ve looked at the advantages of cyber security assessments, highlighted the importance of security awareness training, and talked broadly about the growing need for cyber insurance in today’s volatile threat landscape.
Now, let’s focus more closely on the controls, policies, and practices an insurer will expect your business to have in place to be considered eligible for coverage. We have already mentioned a couple of these elements, but we want to reiterate them so that you can use this article as a talking point with your IT team. This will help you implement a cyber readiness roadmap that covers all bases. Here are 5-steps to cyber readiness that will help your insurance application get approved and ensure you’re on firm ground should you need to make a claim.
Strong Identity and Access Controls
Identity and access management (IAM) is a fundamental requirement for obtaining cyber insurance. Insurers want to see evidence of rigorous identity and access management governance across your accounts and devices. This requires the application of:
-
- Secure Authentication Practices. Multi-factor authentication and secure password policies should be enforced to prevent unauthorized access to sensitive data.
-
- Risk-Conscious access management. System and data access restrictions should be applied, which give employees access only to the resources they need to fulfil their job roles. This reduces data privacy risks and limits the spread of harm should user accounts fall into the hands of a threat actor.
There are a number of access control practices out there that can be used as a basis for enforcing access policies and restrictions, including role-based access control (RBAC) and attribute-based access control (ABAC). You may wish to use a combination of these frameworks depending on your business’s data privacy obligations, risk profile, and other factors.
Vulnerability Assessments
The regular and comprehensive use of vulnerability assessment has become a key expectation of cyber insurers. Not only that, but insurers also typically have stringent requirements relating to the quality, scope, and frequency of assessments. Applicant businesses are expected to display a continuing commitment to scoping out and addressing security vulnerabilities system wide.
For small to mid-sized businesses, it can be helpful to partner with an external provider who can carry out these assessments on your behalf, as the process must be undertaken by fully qualified personnel. Insurers expect assessments to feature industry-standard tools and methodologies. Any risks identified must be prioritized and remediated, and each assessment should be extensively documented, with reports covering the findings, the risks posed by discovered vulnerabilities, and the actions taken to address them.
Threat Prevention Measures
It should come as no surprise that insurers expect applicants to take risk-proportionate measures to prevent threats compromising the security of digital systems. Consider where data resides in your IT system, the sensitivity of this data, and how the way it’s handled affects its risk exposure. Then, consider the following security controls as required, to prevent threat escalation and keep your digital systems secure:
Wi-Fi Security – Use access controls, secure passwords, and encryption to reinforce the security of your wireless networks and prevent unauthorized intrusion.
Data Encryption – Consider using encryption to protect sensitive data in situations where it’s most at risk. Use device encryption to secure remote devices in the event of loss or theft. Use a VPN to create an encrypted tunnel that staff can use to securely access the resources they need, and consider email encryption to keep sensitive communications private.
Firewalls and Network Security – Network security infrastructure remains a vital security safeguard. Use hardware and software-based firewalls as appropriate, and apply rules designed to shield your network from external harm. Configure device firewalls on laptops, tablets, and mobile phones used for remote work.
Anti-malware Solutions – Insurers require that businesses deploy up-to-date, securely configured anti-malware protections across their entire digital estate, including all endpoints and servers within the business network. Real-time protection and response automation should be implemented to ensure inbound threats can be quickly repelled.
Proactive Patch Management – Software vulnerabilities should be addressed in a timely and proactive manner, using a clearly defined process for regularly patching and updating software across all systems and devices.
Incident Response Planning and Data Backup
Insurers require that all businesses have a detailed plan of action in place, outlining how they intend to detect a security incident, contain any active threat, and implement their post-incident recovery. An incident response plan should be comprehensive and tailored, covering everything from initial detection to recovery, and reflecting the business’s needs and risk profile. The plan should define clear roles and responsibilities, with plan implementers named, and all duties clearly specified. There is a growing expectation that incident response procedures be regularly tested or simulated, with exercises conducted on a periodic basis to maintain staff readiness and allow deficiencies to be identified.
Incident response efforts should work in lockstep with a secure and reliable data backup solution. This system should be operated in line with industry best practices, be subject to frequent testing to ensure its integrity, and be updated regularly to reflect changes in the business’s operations and IT infrastructure.
Employee Training and Awareness Programs
Insurers expect to see evidence of a commitment to cyber security demonstrated through an ongoing and comprehensive employee training and awareness program. This program should feature content covering a wider variety of cyber security topics, and should be customized to account for business-specific cyber risks. Other elements that ensure successful alignment with cyber insurance requirements include:
A Culture of Cyber Security. Insurers expect a training and awareness program to act as the fulcrum for a cyber aware culture within the business. This means the program should be unfailingly implemented and extended to employees at all levels of the business: from senior management to junior employees.
Training that’s Relevant to Modern Threats. Businesses should adapt their training programs to reflect the changing nature of the threat landscape, with emerging threats prioritized to boost awareness and cyber hygiene practices. The program should also be modified in response to the risk environment; for example, a business that operates remotely should have a training program that places great emphasis on remote access threats.
Fastidious Record-keeping. Training sessions, learning outcomes, and staff performance should be carefully tracked over time using detailed records. These provide insurers with insights into the effectiveness of training, and provide evidence of the program’s scope and rigorous enforcement.
Tier 3 IT Solutions – Maintain Cyber Readiness, Optimize Insurance Outcomes
Cyber security is a journey, not a destination. Maintaining cyber readiness is an ongoing endeavor, one that requires proactivity, commitment, and vigilance. Here at Tier 3 IT, we can help your business optimize its cyber security strategy, so that you minimize cyber risk across your systems, and maintain compliance with cyber insurance requirements. Our expertly curated Cyber Readiness Program is designed to alleviate the stress that can come with maintaining a robust security posture that aligns with your insurance contract. We offer:
-
- Cyber insurance readiness questionnaires and reviews.
-
- Cyber security assessment services designed to align your security architecture with insurers’ requirements.
-
- Up to 60 days’ free cyber security awareness training (subject to eligibility criteria).
For more information, Contact us today, to find out how Tier 3 IT’s Cyber Readiness Program can help your business achieve the best cyber insurance outcomes.
