Companies often ask what they need to do to ensure their company is secure, and the answer is simple: all that applies. Although, “All that applies” is now, in part, the question–as many organizations’ operations have dramatically changed post Covid-19—the controls that apply to the new organization’s structure could most likely be revisited. You will pay one way or another (and, in some cases, both ways). Whether you accept the risk with fewer security controls in your environment, pay a higher insurance premium, and raise your likelihood of experiencing a costly cyber-attack, or implement the controls and pay a lower premium, you still may fall victim to a cyber-attack. Although this sounds disenchanting, all organizations today are at risk and must be decisive in their risk tolerance and strategy.
The simplest way to understand the areas of risk is to place them into two categories: data security (ensuring that no one can see your data who is not supposed to) and data availability (making sure the people who are supposed to see the data, don’t lose the ability to do so).
Data security and availability are at the forefront of most security and continuity solutions, mainly because these are the risks that can put a company out of business. When an organization looks to get an insurance policy to cover them from potential loss from cyber threats, they are looking for you to implement all applicable controls to safeguard your data, or they will assign a higher risk score that will negatively impact the cost of your premiums.
Insurance companies appear to be focused on three areas when evaluating policy details:
- What type of information do you have?
- How are you ensuring the data remains available?
- How are you securing the data?
When looking at the information you have, the insurance companies appear to be focused on several areas:
- General information to get a better understanding of the sensitivity of the data:
- Who is the data about:
- Employee information
- Customer information
- Patient information
- Groups or nations
- What is the data:
- Social Security numbers
- Credit card numbers
- Bank account numbers
- Patient records
- Trade secrets
- International affairs
- Where is the data located:
- On-premise on a server
- In the cloud – Whose cloud? Is this information geographically redundant?
- Dispersed on many devices
- Someone else is storing the data and is responsible for IT safeguards.
- Who is the data about:
- What happens if it is made available to those it should not be or not available to those it should be:
- Are there regulatory fines or required notifications if the data is made available to anyone who should not have access to it?
- Is there production loss if that data is unavailable to employees to perform their jobs?
- Is there proprietary data or trade secrets that if made public could negatively impact the long-term success of the organization?
- Anything that would negatively impact the reputation, continued operation, financial viability, or legal ability to continue to conduct business.
When looking at how the data remains available, we are seeing questions around the following:
- Do you have a Disaster Recovery Plan / Business Continuity Plan?
- Do you maintain an Incident Response Plan?
- Have you defined a Recovery Point Objective (RPO)?
- Have you defined a Recovery Time Objective (RTO)?
- Are your backups encrypted?
- Do you test your backups?
- Do you back up other items such as O365 and SharePoint?
- Have you performed a tabletop test for your incident response plan?
When securing the data, you look for controls placed on known risks in the organization. A security control is a measure or countermeasure implemented to safeguard an organization’s assets, resources, or information systems against security threats. The following shows the top security controls that we see requested in Cybersecurity Insurance Questionnaires:
- Multi-factor authentication (MFA)
- Privileged Access Management (PAM)
- Software Management
- Endpoint Protection Platform (EPP)
- Endpoint Detection & Response (EDR)
- Managed Detection & Response (MDR)
- Network Detection & Response (NDR)
- Security Information & Event Management (SIEM)
- Containment
- Are security tools monitored by a SOC
- Continuous Patching and Updates
- DNS filtering
- Vulnerability Scans
- Email Spam Filtering
- Sender Policy Framework
- Data Classification
- Security Training
- Restricted access based on job function
- Data Retention, destruction, and recordkeeping procedures
- Do you have a Chief Information Security Officer
- Firewall
- Intrusion Prevention & Detection Systems (IDS & IPS)
- Data Loss Prevention Systems (DLP)
- Virtual Private Networks (VPN)
- Penetration Testing
- Enforced minimum password requirements
The reasoning behind these lines of questions is to place a numerical risk value on your data. How much could it cost this organization if this data is compromised ((average breach cost per record X number of records stored) – Mitigating Risk Controls factor = residual risk). This is a highly oversimplified example formula. However, the insurance company must assign a dollar amount to the perceived risk to determine a profitable premium to charge an organization for its policy.
For most organizations, the magic is in assessing how to conduct business un-hindered while simplifying the minimum applicable data availability and data security tools. To learn more about this process, follow us on LinkedIn to ensure your organization continues to thrive regardless of the threats that all organizations face.
Patrick H. Whelan – CISA
