Minimum Requirements for Cybersecurity Insurance

The world is changing. There was a time when cybersecurity insurance was easy to obtain. With insured cyber losses of $1.8 billion in 2019 (Hiscox) and cyber incidents growing rapidly, insurance companies are now introducing minimum requirements for businesses. Read on to learn what may be required before they will approve you.

1. Multi-Factor Authentication (MFA)

Multi-Factor Authentication is a login feature that helps confirm your identity when you sign in. It protects against identity-based attacks which are essentially unauthorized parties attempting to gain access to an account. This often takes place due to poor password management (e.g. reusing a password on more than one system or using weak passwords).

Multi-Factor Authentication adds a verification process during login that prevents . Even if a third party knows your login details, MFA will stop them from logging in.

When MFA is enabled, a push notification or random code is sent to your mobile device. You enter the code or approve the login using the prompt on your mobile device. The process takes seconds to complete. MFA should be activated on all cloud and VPN services (essentially, anything exposed to the internet).

To learn more about MFA, check out our article here.

2. Phishing Tests

A phishing scam is the practice of sending fraudulent emails pretending to be from reputable companies or colleagues to convince individuals to reveal personal information, such as passwords and credit card numbers. A phishing email will typically ask you to log in or submit confidential information after clicking a link.

Phishing attacks can compromise security for both an individual and their company. Phishing scams can get quite convincing. Even if an email seems to be from someone you know, it may not be safe. It is possible to fake or ‘spoof’ e-mail addresses to make an email seem legitimate. Sometimes, a phishing e-mail can even come from a compromised account.

One of the best ways to prevent phishing is by conducting phishing tests- a means of intentionally sending out fake phishing emails to train employees to spot them. There are several platforms available to perform tests. We recommend Sophos Phish Threat.

3. Strong Password Policy

A password policy is a set of rules that are meant to protect accounts by forcing users to employ strong passwords and use them appropriately. Password policies are often part of an organization’s cybersecurity protocols. There are a few rules that a password policy should include:

Password history– How often an old password can be reused.

Password age– How long users must keep a password before they can change it.

Password length– How long a password must be to be used.

Complexity requirements– What the password can contain, and how many character types it must use (lowercase letters, uppercase letters, numbers, and symbols).

Password reset– How often passwords reset.

Lockout– Automatically lock and account for X number of minutes after X number of failed logins.

For more tips on policies, check out the article from Microsoft.

4. Local or offsite backups

A local backup is the process of backing up your systems, applications, and data to a reliable local device. This device should ideally be a network-attached storage (NAS) device with redundant disks, unique passwords, and enhanced security.

There are a few advantages to local backups. First, data is much more quickly recovered since the process is not dependent on an internet connection. Second, you know exactly where your data is located. However, in the event of a physical disaster, your local backup device can be destroyed. Theft or a network breach are also risks. Additionally, local backups are not easily scalable- to upgrade, you will have to invest in more hardware and potentially software.

An offsite backup should always accompany local backups. An offsite backup can help protect your data in the event of a physical disaster, theft, or breach.

5. Next-Gen Security Firewalls

A next-generation firewall (NGFW) is “a network security device that provides capabilities beyond a traditional, stateful firewall.” A traditional firewall offers stateful inspection of outgoing and incoming network traffic. However, a next-gen firewall introduces inline features such as application awareness and control, intrusion prevention, and threat intelligence. It’s no longer a simple “block everything coming in and allow everything out” scenario. Everything is scanned for threats in real-time.

For a firewall to be considered next-gen, it must include:

• Standard firewall capabilities (stateful inspection)
• Intrusion prevention
• Application control and awareness; seeing and blocking risky apps
• Threat intelligence sources
• Upgrade paths (such as future information feeds)
• Techniques such as machine learning to address evolving security threats

Most business-grade firewalls offer these services, but you must set them up correctly and maintain your license to ensure updates are available.

6. Endpoint Protection

Endpoint protection, also known as endpoint security, is the process of securing endpoints such as desktops, laptops, and mobile devices from being exploited. Endpoint security is essentially anti-virus, anti-malware, and anti-ransomware software. This is often viewed as the ‘front line’ of cybersecurity.

7. Patching/Managed Software Updates

One of the most important things you can do for your systems is to keep them up-to-date. With 230,000 new malware threats being released per day (PurpleSec), it is critical to stay on top of the latest security updates. New vulnerabilities are being patched all the time. It is much easier for a malicious actor to gain access to your software if your programs are not up to date.

Updates should be executed through a centrally monitored service that has eyes on all your systems to find outliers or devices that are falling behind. Never assume your systems are doing what they should be.

In summary, to obtain cybersecurity insurance, you may be required to have certain cyber-security technologies in place to protect your business:

1. Multi-Factor Authentication
2. Phishing testing
3. Strong password policy
4. Local or offsite backups
5. Next-gen security firewalls
6. Endpoint prevention
7. Patching/managed software updates

One of the best ways to ensure you have what you need is to work with a Managed Services Provider.