It has been a year of cyber threats, exploits, and ransomware, and the insurance companies know it.  If you haven’t already,  you will almost certainly be faced with a questionnaire or an attestation form that asks you to certify you have certain security measures in place, when you are renewing your cyber insurance.

Unfortunately, this is the world we live in.  Security company, Checkpoint, predicts that by the end of 2021 cyber damages will total more than 6 trillion dollars worldwide.  Ransomware has become the affliction of businesses and the favorite tool of hackers.  Hackers have increased their ransom demands exponentially, and many companies have called on their insurance to cover it.

Unfortunately, the increase in ransomware payments has had two effects.  First, the hackers are getting bolder and even more prolific.  The big payday that many hacking gangs have received, funds more hacking activity and tempts others into the big business of hacking.  Secondly, it is forcing insurance companies to put stringent requirements on their policy holders, if they want to renew or expand their cyber insurance.

What are the new requirements that you might see?  It really depends on the insurance company that you work with.  Some have a very stringent list and others are just requiring a few adjustments.  You might ask, aren’t these changes likely a good thing anyway, and the answer is a resounding YES.

Here are 10 Cybersecurity measures that your insurance may require this year:

1. Multi-Factor Authentication (MFA). This is the practice of requiring a secondary code, in addition to your normal password to access certain things. We have all done this with banking access. The areas that are most risky are your email (code only required when accessing over the web), and any remote access to your company technology resources. Some insurance companies want MFA for any administrative access to your technology, even if you are inside the four walls of the building.  MFA is a great technology and deters hackers because even if they hack your password, they still do not have access because they don’t have the MFA device that generates or receives the PIN code. MFA is built-in to some email services and just needs to be enabled.  For things like VPN access, typically a subscription to a MFA provider is required.

2. Formal Software Patching Solution. This involves having a formal patch management solution that pushes out security patches in a managed fashion. Microsoft and Apple both create regular security patches and having a management tool that applies these patches is essential. If you work with CTaccess on our Complete Care Plan, we apply OS patches and help you meet this requirement.

3. Next Generation Anti-virus. This is sometimes referred to as NGAV. Next generation antivirus includes features like artificial intelligence, behavioral detection, machine learning algorithms, and exploit mitigation. The goal is to anticipate both known and unknown threats and immediately prevent them.  This upgrade of antivirus introduces these new means of protection and there are many new products in this category.

4. Managed Detection and Response. Some insurance requirements include questions about whether you have 24×7 detection and response or a (SOC) Security Operations Center. To get this type of coverage, you need to go with another subscription-based provider. This type of service increases your protection by not only having extra tools but having eyes on a problem when it occurs.  One of the vendors we like in this category is Huntress.  They have an advanced Ransomware protection system that helps shut down Ransomware, before it spreads across your whole network.

5. Encryption of Data in Motion and at Rest. Encryption is a method of protecting your data by scrambling it with a password. Often the process of encrypting and decrypting is transparent to the user and does not affect their operations. Commonly this can be implemented for data in motion by having encryption rules on your email platform that encrypt messages when certain data appears, or by clicking a button to turn on encryption for a specific email. It is also often required that portable devices like laptops have encrypted hard drives which can be managed through an encryption management tool. This prevents access to the laptop data in the event of loss or theft.

6. Local Machine Administrator Access. It is common in small and medium sized businesses to grant local administrator access to machines. This allows users to install their own software, printers and other updates. Many security professionals and insurance providers are recommending or requiring that this access be removed.  Removing it adds another level of protection, if a user inadvertently clicks on something they shouldn’t.

7. Security Awareness Training Program. Training users at least quarterly on security awareness is a requirement of most insurance policies and a best practice. The best programs include video-based training, then a phishing test, and a reporting policy to track the results.

8. Policy Creation – There are two formal written policies that insurance providers are asking about. The first is a formal written disaster recovery plan. The second is a cyber security incident response plan. These plans differ for every company, but they want to make sure there is a plan and process in place.

9. Backup and Recovery. Some insurance providers are getting granular on this requirement and going beyond just making sure you are backing up. They want to make sure the backup goes offsite either physically or to the cloud. Some are also asking if the backup is “air gapped”.  The question is about whether your backup is offline, so that Ransomware can’t reach it if an infection occurs.

10. Mobile Device Management. Mobile device management is using a management tool to manage phones and iPads. This tool often provides features like encryption of data, remote wipe, and adding security requirements to these mobile devices. I just saw this requirement on an insurance questionnaire yesterday, for the first time.  I believe they are seeing mobile devices as an entry point and are trying to close that gap.

Insurance companies are increasing their requirements to protect their clients and themselves from claims.   These new requirements may seem onerous and difficult, but they are reflective of the environment we do business in. If you have not implemented these technologies, we would welcome a discussion about how to improve your security and make sure you are prepared not just for Cyber Insurance, but to operate securely and reduce your risk of breach.