Mitigate Data Risk with Cyber Insurance

Cyber insurance coverage is meant to offset expenses incurred during a data breach or cybersecurity event. These policies should provide coverage for both first- and third-party claimants. First-party coverage includes losses to the organization or individual affected, while third-party coverage addresses legal action taken by customers or partners. These policies can vary in terms of coverage and premiums but typically account for organization type, service provided, data risk and exposure, and current security policy. Cyber insurance can help recoup costs associated with:

  • Recovering compromised data

  • Legal settlements and regulatory fines

  • Hiring experts to identify and repair damage

  • Notifying customers, and providing identity and credit monitoring

  • Business interruption, network downtime, and lost employee productivity 

Cyber insurance can be a great option for companies that are looking to improve their resilience. That said, as ransomware attacks increase and compliance frameworks become more strict, many companies are being refused coverage for failing to meet security standards. Many insurance companies do not pay claims if the covered party fails to maintain a secure environment through a lack of documentation or controls. If your business is looking to pursue cyber insurance, you should work closely with your IT team to meet provider standards.

A thorough cyber insurance provider will require clear documentation of your existing cyber security strategies. They want to ensure you have already implemented solutions that support the health and resilience of your infrastructure - before an insurance policy enters the picture. They may require any/all of the following cyber security controls:

  1. Application Whitelisting - a security solution that allows organizations to specify what software is allowed to run on their systems, in order to prevent any non-whitelisted processes or applications from running.

  2. Asset Inventory - a list of all IT hardware and devices an entity owns, operates, or manages. Such lists are typically used to assess the data being held and the security measures in place on all devices.

  3. Custom Threat Intelligence - the collection and analysis of data from open source intelligence (OSINT) and dark web sources to provide organizations with intelligence on cyberthreats and cyberthreat actors pertinent to them.

  4. Database Encryption - where sensitive data is encrypted while it is stored in databases. If implemented correctly, this can stop malicious actors from being able to read sensitive data if they gain access to a database.

  5. Data Loss Prevention - software that can identify if sensitive data is being exfiltrated from a network or computer system.

  6. DDoS Mitigation - hardware or cloud-based solutions used to filter out malicious traffic associated with a DDoS attack, while allowing legitimate users to continue to access an entity's website or web-based services.

  7. DMARC - an internet protocol used to combat email spoofing - a technique used by hackers in phishing campaigns.

  8. DNS Filtering - a specific technique to block access to known bad IP addresses by users on your network.

  9. Email Filtering - software used to scan an organization's inbound and outbound email messages and place them into different categories, with the aim of filtering out spam and other malicious content.

  10. Employee Awareness Training - training programs designed to increase employees' security awareness. For example, programs can focus on how to identify potential phishing campaigns.

  11. Endpoint Protection - software installed on individual computers (endpoints) that uses behavioral and signature-based analysis to identify and stop malware.

  12. Incident Response Plan - action plans for dealing with cyber incidents to help guide an organization's decision-making process and return it to a normal operating state as quickly as possible.

  13. Intrusion Detection System - a security solution that monitors activity on computer systems or networks and generates alerts when signs of compromise by malicious actors are detected.

  14. Mobile Device Encryption - when encryption is enabled, a device's hard drive will be encrypted while the device is locked, with the user's passcode or password acting as the special key.

  15. Multi-Factor Authentication - where a user authenticates through two different means when remotely logging into a computer system or web-based system. Typically a password and a passcode generated by a physical token device or software are used as the two factors.

  16. Network Monitoring - a system, utilizing software, hardware or a combination of the two, that constantly monitors an organization's network for performance and security issues.

  17. Penetration Tests - authorized simulated attacks against an organization to test its cybersecurity defenses. May also be referred to as ethical hacking or red team exercises. 

  18. Perimeter Firewalls - hardware solutions used to control and monitor network traffic between two points according to predefined parameters.

  19. Security Info & Event Management - system used to aggregate, correlate, and analyze network security information - including messages, logs, and alerts - generated by different security solutions across a network.

  20. Vulnerability Scans - automated tests designed to probe computer systems or networks for the presence of known vulnerabilities that would allow malicious actors to gain access to a system.

  21. Web Application Firewall - protects web-facing servers and the applications they run from intrusion or malicious use by inspecting and blocking harmful requests and malicious internet traffic.

  22. Web Content Filtering - the filtering of certain web pages or services that are deemed to pose a potential security threat to an organization.

A great cyber insurance provider will have an intimate knowledge of compliance requirements, remediation tactics, coverage plans, and considerations that are unique to your industry. Here are five things to look for when choosing your cyber insurance provider:

  1. Products and Coverage - understand what 1st and 3rd party losses are included in your coverage, such as breaches, ransomware, cyber-crime, and risk analysis tools.

  2. Pre-Breach Services - your company should have timely and appropriate analysis of your cyber risk in financial terms. 

  3. Breach Response Services - know what to do after a breach, such as PCI re-certification services, notification expenses, foreign notification, PR expenses, overtime compensation, reputational harm, etc.

  4. Distribution - you need an insurance provider that can work directly with your MSP and IT teams.

  5. Cyber Tools - solutions such as threat monitoring, DDoS mitigation, credential monitoring, and patch management go a long way in improving your overall cyber posture.

Cyber Security Insurance

Compliance Roadmap

Identify Risk

Compliance starts with visibility. Conduct a 360° Security or Compliance Benchmark assessment.

Incorporate a Framework

Classify data according to the most relevant and restrictive compliance frameworks. Customize controls to meet organization-specific requirements.

Enforce Policies

Maintain data protection and retention policies, monitor user access, and field suspicious activity. 

Top Regulatory Compliance Frameworks

  • GDPR

    The EU General Data Protection Regulation (GDPR) is effective as of May 25, 2018. It affects all organizations that hold personal data on EU citizens, regardless of where the organization is based in the world. Implementing a data protection strategy that includes encryption and anti-malware security is vital.

  • HIPAA

    The Health Insurance Portability and Accountability Act (HIPAA) applies to any organization that collects, stores or shares protected health info (PHI), including health plans, healthcare clearinghouses, and providers who conduct financial and administrative transactions electronically, like hospitals.

  • CIS

    The CIS Critical Security Controls provide a catalog of prioritized guidelines and steps for resilient cyber defense and information security mitigation approaches. This gives organizations an organized security action plan to stay compliant with major industry regulations like HIPAA, PCI DSS, and more.

  • NIST

    The National Institute of Standards and Technology (NIST) Cybersecurity Framework consists of standards and best practices to manage cyber risk. It was developed with a focus on industries vital to national and economic security, including energy, banking, communications, and the defense industrial base.

  • MITRE ATT&CK

    The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework models cyber adversary behavior, attack lifecycles, and commonly targeted platforms. MITRE provides strategies across disciplines including intrusion detection, threat hunting, security engineering, risk management, etc.

  • PCI DSS

    The Payment Card Industry Data Security Standard (PCI DSS) is a set of twelve security standards to ensure all companies and vendors that accept, process, store, or transmit credit card and financial information secure it to protect cardholders against misuse of their personal information (PII).

  • SOX

    The Sarbanes-Oxley Act of 2002, also known as the Public Company Accounting Reform and Investor Protection Act, responded to a number of major corporate and accounting scandals. All publicly traded companies are required to comply, and a number of the Act’s provisions apply to privately held companies.

  • ISO/IEC 27001

    ISO 27001 is an international standard published by the International Organization for Standardization (ISO). It provides a methodology for business information security management. The focus of ISO 27001 is to protect the confidentiality, integrity, and availability of a company’s information.
