The following questions were answered during "Cyber Claims Part 3 - Forensic Analysis" - a webinar with Fred C. Church, LLC - that explores the claims process and focuses on forensic analysis or the gathering of digital evidence to uncover how a bad actor accessed your network and what it’s going to take to get them out.
While there have been ransoms of multiple millions that make the news, most demands settle for something in the $100,000-$300,000 range. This is very dependent on the size of your organization, so it’s hard to pin down an exact answer to this. One thing we do know is that these threat actors are sophisticated and their number one goal is getting paid, so they’re incentivized to request a ransom that they think the organization can pay.
Understanding what your probably maximum loss is given your IT infrastructure -particularly your backups - will help determine what limit you can buy. Insurance transfers the risk of the financial impact of a loss that you cannot mitigate through your own backups procedures.
Paying Ransomware is the last thing anyone wants to do. In order to avoid paying the ransom, there need to be some key elements in place to mitigate having to pay, such as a full Disaster Recovery plan and a Business Continuity plan.
If you don’t have valid backups, if you don’t have a plan in place, and if you haven’t tested or validated your backups, you may feel no choice but to pay it.
In this episode, learn why Ransomware victims should never give in to their attackers, and why tech can't solve all of our cybersecurity problems.
Most cyber security insurance questionnaires have a N/A option, but you must provide feedback as a requirement as to why you marked it N/A. Many insurance companies encourage clients to complete an addendum document (a simple word document) along with the application where they can clarify there answer to any question that does not perfectly relate to their industry, network infrastructure, or other circumstance.
Generally speaking, carriers like to see MFA wherever and whenever possible. A zero trust environment is the best environment for obtaining and keeping coverage.
Companies should follow some framework for their security programs. Some follow NIST, some follow CIS Controls, some MITRE, just to name a few. Each framework has slightly different ways of approaching security, but at the core they all do the same, which is provide a methodical security program to protect against bad actors. So consider the various frameworks, depending on your industry, and then build your security program around it.
Following best practices for implementing security controls, creating and testing an incident response plan, and maintaining a comprehensive employee security awareness program are great steps to mitigate your risk.
Companies with the best cyber risk profiles will get the lowest available premiums. There is no direct relationship between infosec controls and premiums savings like a safe driver credit on auto insurance or a sprinklered building credit on property insurance. However, if your agent is marketing your coverage to multiple carriers (which would be a good thing to do after investing in your network security infrastructure), then that can help you get the best premium available in the marketplace.
It’s unlikely that your insurance premiums will go down year over year (at least for the time being); however, you can best manage how much they go up by presenting the best possible cyber risk profile to the marketplace. A Ransomware Supplemental Application showing key controls are in place is a big factor in this. Having these 5 key controls in place is crucial:
Going beyond those baseline controls, the best pricing will go to companies that have a 24/7 security operations center (whether in house or third party), have total control over their privileged and service accounts, can show a proper patching cadence, and have no exposure to open ports. Most carriers do some kind of external vulnerability scan that detect these things. A good score helps push you into that best pricing category.
We recommend completing a Ransomware Supplemental Application early. Consult your internal and external IT teams about any 'no' answers and review their recommendations with your business leaders to plan implementation.
Providers are primarily concerned with MFA for email, remote network access, and privileged admin access. Many also want any type of login to datasets, whether it be local, in the cloud, applications, etc., to be configured with MFA authentication.
Not all carriers are created equal. This is where a good insurance agent comes in to play. Many carriers have a cyber insurance offering, but not all truly specialize in it. Some key things that you can look at on your policy to see if you have good coverage are:
We encourage companies to enable MFA wherever possible. Most people think of administrators as the ones with privileges; however, when one considers the basic user, their account, and everything their account has access to - these accounts have privileges, too. You need to review an average user, what a typical account has access to - HR Systems, Intranet, Company Apps, etc. Even if an application does not require an Admin login, it may still be considered a privileged account.