IBM reports that the average cost of a data breach is $4.45M.
That’s an unthinkable stat—particularly if your organization does less than $100M in annual revenue.
Cybersecurity insurance provides coverage for losses incurred by a cyberattack. Given the high cost of a data breach, many organizations are turning to this specialized insurance to protect their financial wellbeing.
But not every organization will qualify for cyber insurance. Providers typically define the types of cybersecurity controls that must be in place to qualify. If you don’t have cyber security managed services, it can be hard to know where to start.
While every provider has their own requirements, there are several controls that nearly all providers require. Here are the top 9 controls you’ll commonly need to qualify for cyber insurance.
1. Pentest on file within the last 12 months
When’s the last time your organization used penetration testing services?
This is a rigorous process conducted by a third party. Ethical hackers scope out your network for vulnerabilities, then try to exploit them as a real hacker would. You get a detailed report of any weaknesses found—plus a clear plan to mitigate them.
Cyber insurers typically want to see that you’ve conducted a pentest in the last 12 months. It’s a shorthand way for them to assess your network vulnerabilities (and your commitment to regular pentests).
2. HIPAA or PCI-DSS gap assessment on file (if applicable)
If your organization falls under HIPAA regulation, or if you process credit card information, cyber insurers may want to see the results of your most recent gap assessment. If the assessment turned up any issues, the insurer will want to see documentation of all steps you’ve taken toward mitigation.
If it’s been a while since you did a gap assessment, it may be time to repeat the process. Cybersecurity risks evolve quickly, and insurers will want to see that you’re up to date.
Hint: A partner like Corsica Technologies can help you with your compliance gap assessment.
3. MFA for email (at a minimum)
Email security is a core component of your overall cybersecurity standing.
At the minimum, you should have MFA (multifactor authentication) enabled for all email accounts. MFA is a cybersecurity control that won’t grant access to a system until the user has passed two (or more) types of authentication.
For example, MFA for email might require both a password and secondary verification through an authentication app on a mobile device.
MFA is a powerful control that stops over 99.9% of password attacks. In today’s cyber threat landscape, MFA is a must—and cyber insurers will be glad to see it in place.
4. Security awareness training and testing
Do your employees know how to spot a phishing email?
What about a spear phishing attack—or a criminal who impersonates your CEO with an urgent request?
As a general rule, ISACA recommends that organizations provide cybersecurity awareness training every 4-6 months.
If that seems too frequent, consider the fact that cybercriminals are constantly inventing new schemes. Their goal is to trick employees who have good intentions. This is easy when their victims don’t know what they’re looking at.
Continuous phishing training really is essential to prevent your company from becoming a statistic. This is why many insurers want to see a cybersecurity training program in place when they consider your application.
5. Incident response process in place
Has your organization defined the processes that kick in when a security incident happens?
Do you know who to call?
Do you know who will remediate the situation?
An incident response plan is an essential component of a robust cybersecurity program. You need clearly defined processes, communication chains, and responsibilities for mitigating the unthinkable. Cyber insurers will want to see this plan to help quantify your risk.
6. Backup and disaster recovery in place
What happens if your database server gets hacked and held for ransom?
Even if it doesn’t get hacked, what happens if a team member accidentally deletes essential data from that server?
Backup and disaster recovery is essential to safeguarding your data and systems—and to providing business continuity. Cyber insurers typically want to see that you have processes, systems, and people in place to back up critical data.
Learn more here: Backup and Disaster Recovery Services.
7. EDR (or even better, MDR)
Are you monitoring every endpoint for intrusion?
(For reference, an endpoint is any device connected to a network. PCs, mobile devices, servers, and virtual machines are all endpoints.)
EDR (endpoint detection and response) is a software solution that protects a particular endpoint.
MDR (managed detection and response) is a service in which a trusted partner monitors and protects your endpoints with their software. MDR is typically a better value because it comes with a team of experts ensuring full coverage, monitoring your endpoints, and mitigating threats.
Cyber insurers love to see MDR in place. It signals that your organization is serious about cybersecurity—and it provides a powerful defense against endpoint attacks.
8. Regular vulnerability scanning and mitigation
Does your network present vulnerabilities that an external actor can exploit? This question is answered in part by external vulnerability scanning. (Note that vulnerability scanning only detects weaknesses. A penetration test, already covered above, shows whether an attacker can actually gain entrance through a particular vulnerability.)
External vulnerabilities aren’t the full picture, though. You also need to answer the question, “How easy is it for someone with legitimate access to exploit our internal vulnerabilities?” This question is answered by internal vulnerability scanning.
Cyber insurers will want to see that you’re 1) scanning regularly for vulnerabilities, and 2) mitigating any weaknesses found.
9. Appropriate access controls
Does every user in your organization have the appropriate access on every system?
For example, the clerk at the front desk shouldn’t have the ability to delete essential internal documents from your SharePoint. Even if this person will never commit a cybercrime, an actor who gains access to this low-level account can perpetrate a significant attack if the account has more permissions than it should.
This is the idea behind appropriate access controls. Every user should have only the access and capabilities that they need to do their job—no more. It’s an essential component of a strong cybersecurity program, and cyber insurers will want to see it when they evaluate your application.
The takeaway: Seal your defenses and get insured
It may seem daunting to qualify for cyber insurance, but it doesn’t have to be. A trusted partner can help you put the right controls in place to mitigate your vulnerabilities. It all starts with the first step—contacting an MSSP (managed security services provider) and explaining your situation.
Here at Corsica Technologies, we help companies in all verticals get the cyber insurance they need. Reach out today, and let’s collaborate to give you peace of mind.
