SolarWinds, Colonial Pipeline, JBS Foods… these companies have made the news over the past 12 months for the large and sophisticated cyber breaches that impacted their businesses. For every high-profile breach, there are thousands of breaches impacting small to medium-sized businesses. These businesses typically don’t have a Chief Information Security Officer and might not even have a full-time IT department. But what we do know is that no matter how big or small the business, a cyber security breach will be incredibly disruptive, costing time and money.
With the increased breach activity, the insurance marketplace has had to adjust accordingly. Carriers have become more diligent in their underwriting which has in turn created stress on the insurance buyer by way of changing terms and conditions, increased pricing, and higher retentions.
Here are eight ways to strengthen your cyber security now and improve your risk profile when buying or renewing cyber insurance:
- Cyber Hygiene – Train, train, and train again! Continually train employees on the importance of good cyber hygiene. Running phishing exercises and other security training is critical, since most breaches begin when an employee opens the “front door” by clicking a malicious link or attachment or handing over credentials. Be on the lookout for suspicious emails that urgently ask you to provide sensitive information or take an unusual action.
- Multi-Factor Authentication (MFA) – MFA requires users to present a second factor, such as a one-time code from an authenticator app or a hardware token, in addition to their password, to prove they are who they say they are. Implement MFA across the entire organization, at a minimum on email, remote access, and administrative accounts, and require it of third parties who connect to your systems. MFA is required by almost all cyber insurers.
- Virtual Private Network (VPN) – With more employees working remotely than ever, require remote workers to connect through a VPN rather than exposing services such as remote desktop directly to the internet. Protect the VPN with MFA, limit what a VPN connection can reach to the minimum each user needs, and keep the VPN appliance and client software continually updated, since unpatched VPN gateways are a favourite entry point.
- Access Control – Employees should be given access only to what they need to do their jobs. Adopt a “least privilege” mindset: hackers want to gain access to as many accounts as possible, and an attacker who compromises one account inherits only that account’s permissions, so the fewer accounts with broad access, the less a single compromise yields.
- Segmentation – Separate different data sources, departments, divisions, locations, etc. onto their own network segments, with distinct credentials for each. A compromise in one segment then does not give an attacker the run of the entire network.
- Backups – Depending on your business needs, it may be prudent to keep multiple backups of the same data, with at least one copy offline or otherwise isolated from the production network so that ransomware cannot encrypt the backups along with the originals. Test your backups often, and run breach scenarios to learn how long a full restore actually takes.
- Incident Response – Is your organization prepared if a breach happens? Who is your first phone call (your insurer’s breach hotline, your broker, outside counsel)? Who within the organization will be on the breach response team? Answering these questions before an incident is critical to understanding your preparedness for a breach.
- Critical Security Controls – Follow the CIS Critical Security Controls published by the Center for Internet Security. Start with the simple things: the first controls are inventories of your hardware and software assets, because you cannot protect what you do not know you have.
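The Backups item says to test your backups often and measure how long a restore takes. The following is an added example of what such a restore drill can look like in practice; it is not code from the original post. It records a SHA-256 manifest at backup time, restores the archive into a scratch directory, checks every file against the manifest, and reports the files that are missing or corrupted together with the elapsed restore time. The directory layout, file names and contents are constructed for the demonstration.

```python
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def make_manifest(root: Path) -> dict:
    """SHA-256 of every file under `root`, keyed by path relative to `root`.
    This is the 'known good' state; store it somewhere other than the archive."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict:
    """Write a gzipped tar of `source` and return the manifest taken at backup time."""
    manifest = make_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    return manifest


def restore_drill(archive: Path, expected: dict) -> dict:
    """Restore `archive` into a throwaway directory, compare each file with the
    manifest recorded at backup time, and report what differs and how long it took."""
    start = time.monotonic()
    with tempfile.TemporaryDirectory() as scratch:
        scratch_dir = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                if hasattr(tarfile, "data_filter"):
                    # Python 3.12+: refuse absolute paths and '..' escapes from a tampered archive
                    tar.extractall(scratch_dir, filter="data")
                else:
                    tar.extractall(scratch_dir)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return {"ok": False, "error": f"restore failed: {exc}",
                    "missing": [], "corrupted": [], "seconds": time.monotonic() - start}
        actual = make_manifest(scratch_dir)
    missing = sorted(p for p in expected if p not in actual)
    corrupted = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return {"ok": not missing and not corrupted, "error": None,
            "missing": missing, "corrupted": corrupted, "seconds": time.monotonic() - start}


def run_demo() -> dict:
    """Constructed scenario: back up a small tree, drill against the good archive,
    then drill against a later archive in which one file silently changed and
    another was deleted (a stale or bit-rotted copy). Both reports are returned."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        data = work / "data"
        (data / "finance").mkdir(parents=True)
        (data / "finance" / "ledger.csv").write_text("2024-01-01,invoice,1200\n")
        (data / "notes.txt").write_text("call the broker about renewal\n")

        good_archive = work / "backup.tgz"
        manifest = create_backup(data, good_archive)
        good = restore_drill(good_archive, manifest)

        (data / "notes.txt").write_text("CORRUPTED\n")
        (data / "finance" / "ledger.csv").unlink()
        stale_archive = work / "backup-stale.tgz"
        create_backup(data, stale_archive)   # its own manifest is discarded on purpose
        bad = restore_drill(stale_archive, manifest)  # judged against the original manifest
    return {"good": good, "bad": bad}


if __name__ == "__main__":
    for name, report in run_demo().items():
        print(name, report)
```

Run the drill on a schedule against a copy of the real archive, not the live system, and keep the manifest with the incident response plan: the `seconds` figure is the number to put in front of management when asking how long the business would be down.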
In addition to the above, consider involving your IT personnel in the application phase and review of a cyber liability policy. The underwriting is increasingly technical, and so are the claim scenarios. The limits appropriate for your organization are not necessarily derived from revenue size or number of employees; the size of a cyber claim derives from the value of your data and the number of records involved. As a result, creating a dialogue with your IT team and outside consultants, such as your insurance broker, to benchmark and model your claim scenarios is a best practice: it tests the list of items above and ultimately leads to a cyber liability policy suited to your needs and risk tolerance.
Henderson Brothers’ Cyber Practice Group works proactively and closely with its clients and partners throughout this process and helps organizations improve their security. We advise clients of all levels of complexity, from global corporations to main street storefronts. If you have any questions or want to learn more about cyber liability policies and cyber risk practices, please contact the experts at Henderson Brothers.
Please note that the information contained in this posting is designed to provide general awareness in regard to the subject matter covered. It is not provided as legal, medical, or tax advice, nor is it intended to address all concerns in your workplace or for public health. No representation is made as to the sufficiency for your specific company’s needs. This post should be reviewed by your legal counsel or tax consultant before use.