CYBER SECURITY CONTROLS

WHAT ARE CYBER INSURANCE UNDERWRITERS LOOKING FOR?

Below is a list of cyber risk management strategies that underwriters are currently evaluating to assess an organization’s cyber insurability, pricing, and coverage scope. These are grouped based on current underwriting standards amongst a cross-section of markets. It is important to note that minimum standards vary, depending on the insurer. Please use the below as a general guide.

Multi-Factor Authentication (MFA) – Mandatory for all remote access, email, VPN, access to backups, and privileged user accounts.

Data Backups – Segmented from the primary network, with redundancy, offline copies, and tested restoration protocols.

Incident Response Plan – Written and tested plan, with defined roles and responsibilities, including law enforcement and legal counsel.

Employee Cybersecurity Awareness Training – Regular cadence (at least annual) that includes phishing simulations.

Endpoint Detection and Response (EDR) – Modern EDR or XDR solutions deployed on all endpoints and servers.

Wire Transfer Protocols – Dual authentication procedures in place to prevent loss from social engineering and wire fraud attempts.

Email Security Tools – Advanced filtering, with DMARC/DKIM/SPF policies enforced.
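Underwriters ask whether these policies are "enforced", not merely published, and the difference is visible in the DNS TXT records themselves: an SPF record that ends in `-all` versus `~all` or `+all`, and a DMARC record whose `p=` tag is `quarantine` or `reject` at `pct=100` rather than `p=none`. The following is an added example, not content from the original post or from Connie Phillips Insurance; it evaluates a small set of constructed SPF and DMARC record strings (the `.example` domains and the `SAMPLE_RECORDS` dictionary are assumptions standing in for live DNS lookups) and reports whether each domain would meet an enforcement bar.

```python
"""Classify SPF and DMARC TXT records by enforcement strength.

Added example. The domains and record strings below are constructed
stand-ins for what a DNS TXT lookup would return; no network access is used.
"""

# Constructed sample TXT records, keyed by the DNS name they would live at.
SAMPLE_RECORDS = {
    "good.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_dmarc.good.example": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example",
    "weak.example": "v=spf1 include:_spf.mailer.example ~all",
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example; pct=100",
    "none.example": "v=spf1 a mx +all",  # no _dmarc record published at all
}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a dict of lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_status(record):
    """Return 'enforced', 'partial', 'monitor-only', or 'missing'."""
    if record is None:
        return "missing"
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "missing"
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        pct = 100
    if policy not in ("quarantine", "reject"):
        return "monitor-only"  # p=none only reports; nothing is rejected
    return "enforced" if pct == 100 else "partial"


def spf_status(record):
    """Classify by the trailing 'all' qualifier: hardfail, softfail, permissive, missing."""
    if record is None:
        return "missing"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "missing"
    last = terms[-1].lower()
    if last == "-all":
        return "hardfail"    # unauthorized senders fail outright
    if last == "~all":
        return "softfail"    # tagged but usually still delivered
    return "permissive"      # +all, ?all, or no 'all' term at all


def assess_domain(domain, records):
    """Look up both records for a domain and report their enforcement status."""
    spf = records.get(domain)
    dmarc = records.get("_dmarc." + domain)
    return {"spf": spf_status(spf), "dmarc": dmarc_status(dmarc)}


def meets_enforcement_bar(domain, records):
    """True only when SPF hard-fails and DMARC is fully enforced."""
    result = assess_domain(domain, records)
    return result["spf"] == "hardfail" and result["dmarc"] == "enforced"


if __name__ == "__main__":
    for name in ("good.example", "weak.example", "none.example"):
        print(name, assess_domain(name, SAMPLE_RECORDS),
              "meets bar" if meets_enforcement_bar(name, SAMPLE_RECORDS) else "does not meet bar")
```

To run this against a real domain, replace the `SAMPLE_RECORDS` lookup with a TXT query for the domain and for `_dmarc.` plus the domain; the classification logic is unchanged. DKIM is not checked here because its selector names are not discoverable from a fixed record name.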

Patch Management Program – Documented and timely application of patches, especially for critical vulnerabilities.

Network Segmentation – Particularly separating backups and operational technology (OT) systems from IT systems and sensitive data.

End-of-Life Software Segregation – Ensure software that is no longer supported is segregated from the primary network, with a decommission plan.

Security Information and Event Management (SIEM) – Centralized logging and alerting; helps detect anomalous behavior.

Vendor Risk Management – Assessment and monitoring of third-party access and controls.

Cybersecurity Insurance Application Accuracy Review – Annual audits of application answers to avoid misrepresentation claims.

Must-Haves – Minimum Standards

The information contained herein is offered as insurance industry guidance and provided as an overview of current underwriting trends and is intended for discussion purposes only.

This blog is not intended to offer legal or information security advice, as we are not qualified to provide such guidance. As a general overview, this blog does not accurately depict the differences that may exist among various underwriters or insurers when analyzing cyber risk for insurance coverage eligibility.

Many additional factors, including but not limited to your specific business practices, industry sector, annual revenues, exposure to data loss and claims history are factored into underwriting acceptability, terms, and pricing.

Moving forward, reviewing and implementing the latest cyber controls for your employees, processes, and technology can result in better rates and better coverage for your business.

Reach out to Connie Phillips Insurance for more information: https://www.insurance-financial.net/cyber-liability-insurance/

Visit this site and download our flyers.