7 Questions Business Owners Should Ask Themselves Before Their Cyber Insurance Broker Calls To Renew The Policy

Insurance is an unusual product because you can actually influence how much it costs. Safer behaviors, better rates. When it comes to cyber risk insurance, you may not realize how much control you have over the cost. Before your broker calls to renew your policy, ask yourself these seven questions. Your answers can have a huge impact on the quote you’ll receive.

Are Our Disaster Recovery Plans Up To Date?

Disaster recovery and business continuity plans are probably not the first thing you think of when you start work in the morning, but if you don’t have them in place, you’ll wish you did when there’s a cybersecurity incident. These plans outline how your business will continue operating and recover in the event of a disruption.

Action Items

  • Find or create continuity plans for all your business workflows. Start with the ones that impact your cash flow – how will you pay people and get paid if a system is offline?
  • It can help to conduct simulated disaster scenarios to test the plan. They don’t need to be complex; it could be as simple as writing up how staff can contact customers if (for example) the email server is down.
  • Keep records of these updates and tests.

Documentation for Renewal

  • Updated disaster recovery and business continuity plans.
  • Records of simulated tests and outcomes.
  • Change logs showing plan evolution over time.

What Legal and Regulatory Standards Apply To Us, and Do We Comply With Them?

You might think standards like HIPAA or PCI DSS are only for large corporations, but there’s nothing in them that talks about a business’ size. And from a cyber insurance perspective, being able to demonstrate compliance is a major factor in determining your rate.

Action Items

  • Figure out which standards apply to your business, and either hire a firm to do an audit or do a self-assessment against the requirements.
  • Address any gaps in compliance.
  • Store the records of these compliance efforts, especially third-party assessments if you got one.

Documentation for Renewal

  • Compliance audit reports.
  • Records of any compliance-related changes or updates.
  • Documentation of staff training on regulatory standards.

Are we Using Multi-Factor Authentication?

Multi-Factor Authentication (MFA) is one of the best things businesses of any size can do to reduce their risk of cyber attack. Let’s say an attacker manages to steal a list of your passwords. Because MFA requires an additional authentication factor beyond the password, a stolen password on its own is not enough to log in; resetting all those stolen passwords becomes annoying rather than catastrophic.

Action Items

  • Implement MFA across all critical systems and applications.
  • Train employees on the importance and usage of MFA, and audit compliance.
  • Document the implementation process and employee training.

Documentation for Renewal

  • Records of MFA implementation across systems.
  • Employee training logs and materials.
  • Policy documents outlining MFA usage requirements.

Do We Have Endpoint Detection and Response Tools In Place?

Endpoint Detection and Response (EDR) tools are vital for monitoring and responding to threats in real-time. These tools provide essential security for network endpoints, identifying potential threats before they can cause significant damage. EDR tools are a key component of a modern, proactive cybersecurity strategy.

Action Items

  • Assess and upgrade EDR tools as needed.
  • Train IT staff in effective EDR tool usage.
  • Document EDR tool deployment and incident responses.

Documentation for Renewal

  • Records of EDR tool implementation and updates.
  • Training logs for IT staff on EDR tool usage.
  • Incident response records involving EDR tools.

When Was Our Last Security Audit?

Conducting regular security audits and penetration tests is crucial for identifying and addressing vulnerabilities in your cybersecurity defenses. If you can afford it, using a third party to perform the tests is a good idea. Specialists are likely to do a more thorough audit, and the documentation they provide is a strong signal to a cyber insurance broker that you’re committed to keeping your systems safe.

Action Items

  • Schedule and perform regular security audits, at least annually.
  • If the audit shows any vulnerabilities, make it a priority to fix them.
  • Document all of your audits and remediation actions, or if you used a third party, get a copy of their report.

Documentation for Renewal

  • Security audit reports.
  • Records of vulnerability remediation.
  • Audit schedules and frequency documentation.

Are Our Vendors Putting Us At Risk?

It’s not as obvious as the others, but a vulnerability in one of your vendor’s systems can be just as much of a risk to you as a vulnerability in yours. If you accept or send payments electronically, that’s a potential attack vector. And while employees might be trained to ignore and report phishing attacks from unknown senders, would they be able to spot an attack from a compromised vendor when they’ve been exchanging email with that address for years?

Action Items

  • Apply the same criteria this article walks you through to your vendors. Do your vendors have their own business continuity plans?
  • Make sure your new contracts include requirements to provide this level of documentation, and go back through and amend existing contracts if they don’t.
  • Document all of this.

Documentation for Renewal

  • Keep a list of all of your vendors and their compliance with these procedures.
  • A physical or electronic folder with all of your vendor contracts (including cybersecurity clauses).
  • Documentation of your processes for requiring this information from new vendors.

Do We Align With Established Cybersecurity Frameworks?

Aligning with established cybersecurity frameworks like NIST or ISO 27001 showcases your commitment to following industry best practices. These frameworks provide structured approaches to managing and mitigating cybersecurity risks. If you can demonstrate your alignment with these standards, you’ll potentially be in a better position to get the best rates. Here too, third-party agencies can make the process of documenting compliance easier, especially with ISO 27001.

Action Items

  • If you haven’t already, map your business processes against these standards. It’s not a small project, but it’s worthwhile.
  • Implement any necessary changes.
  • Document all of this.

Documentation for Renewal

  • Cybersecurity framework alignment reports.
  • Records of changes made to align with frameworks.
  • Documentation of staff training on framework standards.

If this list seems overwhelming, a cybersecurity professional can help. Arch Access Control has expert guidance to help you navigate the cyber insurance renewal process and make sure you have all of the material you’ll need to be in a position to get the best rates. Contact us at sdeal@archaccess.com to learn more.