Frequent Questions About Cyber Insurance | BeyondTrust

Frequent Questions About Cyber Insurance

The following questions were answered during "Cyber Claims Part 3 - Forensic Analysis", a webinar with Fred C. Church, LLC, that explores the claims process and focuses on forensic analysis: the gathering of digital evidence to uncover how a bad actor accessed your network and what it is going to take to get them out.

How should companies factor in the cost of an actual risk of a ransomware attack vs. the cost of cyber insurance coverage?

While there have been ransoms of multiple millions that make the news, most demands settle for something in the $100,000-$300,000 range. This is very dependent on the size of your organization, so it is hard to pin down an exact answer. One thing we do know is that these threat actors are sophisticated and their number one goal is getting paid, so they are incentivized to request a ransom that they think the organization can pay.

Understanding what your probable maximum loss is, given your IT infrastructure (particularly your backups), will help determine what limit you can buy. Insurance transfers the risk of the financial impact of a loss that you cannot mitigate through your own backup procedures.

Do you recommend paying the ransom?

Paying a ransom is the last thing anyone wants to do. To avoid being forced into paying, some key elements need to be in place ahead of time, such as a full Disaster Recovery plan and a Business Continuity plan.

If you don't have valid backups, if you don't have a plan in place, and if you haven't tested or validated your backups, you may feel you have no choice but to pay.

What do you do with the questions in cyber insurance surveys that are not applicable to your infrastructure?

Most cyber security insurance questionnaires have an N/A option, but you are required to explain why you marked a question N/A. Many insurance companies encourage clients to complete an addendum document (a simple Word document) along with the application, where they can clarify their answer to any question that does not perfectly relate to their industry, network infrastructure, or other circumstances.

For an MSP, do insurance providers take into account if your clients are on 2FA?

Generally speaking, carriers like to see MFA wherever and whenever possible. A zero trust environment is the best environment for obtaining and keeping coverage.

What are your recommendations for companies to prepare and defend themselves from ransomware attacks?

Companies should follow some framework for their security programs. Some follow NIST, some follow the CIS Controls, some MITRE, just to name a few. Each framework has a slightly different way of approaching security, but at the core they all do the same thing, which is provide a methodical security program to protect against bad actors. So consider the various frameworks, depending on your industry, and then build your security program around the one you choose.

Following best practices for implementing security controls, creating and testing an incident response plan, and maintaining a comprehensive employee security awareness program are great steps to mitigate your risk.

Do insurers actually offer lower premiums if an infosec program is determined to be "excellent," or is the premium amount relatively static?

Companies with the best cyber risk profiles will get the lowest available premiums. There is no direct relationship between infosec controls and premium savings in the way there is for a safe driver credit on auto insurance or a sprinklered building credit on property insurance. However, if your agent is marketing your coverage to multiple carriers (which would be a good thing to do after investing in your network security infrastructure), that can help you get the best premium available in the marketplace.

What are the top things companies can do to help reduce cyber insurance premium?

It is unlikely that your insurance premiums will go down year over year (at least for the time being); however, you can best manage how much they go up by presenting the best possible cyber risk profile to the marketplace. A Ransomware Supplemental Application showing that key controls are in place is a big factor in this. Having these five key controls in place is crucial:

  • Multifactor authentication (MFA) for email, remote network access, and privileged/admin access
  • Backups that are encrypted and kept offline or in the cloud
  • Endpoint Detection and Response (EDR)
  • Employee Awareness Training
  • Cyber Incident Response Plan (that has been tested)

Going beyond those baseline controls, the best pricing will go to companies that have a 24/7 security operations center (whether in house or third party), have total control over their privileged and service accounts, can show a proper patching cadence, and have no exposed open ports. Most carriers run some kind of external vulnerability scan that detects these things, and a good score helps push you into that best pricing category.

Can companies perform due diligence ahead of time, anticipating reports insurance companies may ask for?

We recommend completing a Ransomware Supplemental Application early. Consult your internal and external IT teams about any 'no' answers and review their recommendations with your business leaders to plan implementation.

Insurance providers want MFA in place. Does this apply to cloud resources (i.e., MSO365), or also to internal network and Active Directory login credentials?

Providers are primarily concerned with MFA for email, remote network access, and privileged admin access. Many also want any type of login to datasets, whether local, in the cloud, in applications, etc., to be protected with MFA.

Are some cyber insurance companies better than others? Are general liability insurance providers knowledgeable enough to provide cyber insurance?

Not all carriers are created equal. This is where a good insurance agent comes into play. Many carriers have a cyber insurance offering, but not all truly specialize in it. Some key things you can look at on your policy to see whether you have good coverage are:

  • Full limits for Ransomware/Cyber Extortion with no coinsurance
  • Full limits for Business Interruption
  • At least $1M for Dependent Business Interruption

We know MFA is required for Administrators and VPN connections. Is it also necessary for general users that are in the office?

We encourage companies to enable MFA wherever possible. Most people think of administrators as the ones with privileges; however, when one considers the basic user, their account, and everything that account has access to, these accounts have privileges, too. Review what a typical user account has access to (HR systems, the intranet, company apps, etc.). Even if an application does not require an admin login, the account may still be considered a privileged account.