Cyber Insurance for the little guy - underwriting prerequisites (Part 1).
In a world of Cyber Insurance, you are not getting a cyber safety blanket just by paying an annual fee.
To successfully pass the underwriting, you will need to clearly show that your existing cyber resilience capabilities are at the right level. But what does that even mean for a smaller / micro enterprise with barely any IT-qualified resources?
Below are the 5 biggest Cyber Insurance deal breakers (you will be asked about them, and you had better have a good answer, with evidence):
Multi-Factor Authentication or MFA – the same extra layer of authentication that you already use for many services in your personal life. It helps to prevent unauthorized access even when your credentials have been stolen. Your insurer will reasonably expect you to enforce it on the most critical systems in your company too: remote access (especially!), o365 or Google Workspace, and ANY kind of privileged or admin account. Your SaaS providers normally already offer it; you must switch it on.
Endpoint protection – 3000 years ago, antivirus was the baseline; now EDR/MDR/XDR is king. It’s broadly the same idea, but more intelligent, with much stronger defense against unknown threats based on behavior and analysis (versus the legacy signature-based approach). There are plenty of EDR solutions on the market, and the insurer will normally not care which one you use, as long as it’s functional. In many cases the insurer can even offer you one as part of a package, which can be appealing in terms of cost of ownership.
Backups – another personal-life analogy applies: it would suck to lose your smartphone with years’ worth of data on it, so most probably you already rely on some form of backup, cloud-based or locally stored. You will be expected to do the same for your most critical business data, in all your most critical applications. The rule of thumb is to keep a list of business applications; good managers maintain such an inventory for cases like this. Many SaaS solutions offer various backup options: enable a reasonable frequency and organize backup/restore testing to make sure it will actually work when an incident happens.
That’s a strong starting point, but it might not be convincing enough for the insurance company, and they will ask you to establish either an offline or an immutable copy of your data to reduce the risk further. It can be painfully time consuming to maintain, but you will thank yourself when a crisis arrives at your doorstep.
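The "backup/restore testing" above is the part most small businesses skip, and it is the evidence an underwriter is really asking for. Below is an added example (my own illustration, not code from the original post or from any backup product) of what a minimal restore drill looks like: back up a folder, record a SHA-256 manifest, restore it somewhere else, and prove the restored files match. The folder layout, file names and the 24-hour freshness window are constructed assumptions; a real drill would point at your actual export from the SaaS tool and your agreed backup interval.

```python
"""Backup and restore drill on constructed sample data (added example, not the post's)."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional, Tuple


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so a large backup never has to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict:
    """Map relative path -> SHA-256 for every file under root, with a creation time."""
    files = {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }
    return {"created": time.time(), "files": files}


def make_backup(src: Path, dest: Path) -> Dict:
    """Copy src into dest/data and keep the manifest beside it (hypothetical layout)."""
    shutil.copytree(src, dest / "data")
    manifest = build_manifest(dest / "data")
    (dest / "manifest.json").write_text(json.dumps(manifest))
    return manifest


def restore_backup(backup: Path, target: Path) -> None:
    """Restore = copy the data tree back out; a real tool would pull it from the vault."""
    shutil.copytree(backup / "data", target)


def verify_restore(restored: Path, manifest: Dict) -> List[str]:
    """Compare the restored tree with the manifest; an empty list means the drill passed."""
    problems = []
    expected = manifest["files"]
    for rel, digest in expected.items():
        p = restored / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(p) != digest:
            problems.append(f"corrupt: {rel}")
    for rel in build_manifest(restored)["files"]:
        if rel not in expected:
            problems.append(f"unexpected: {rel}")
    return problems


def backup_is_fresh(manifest: Dict, max_age_seconds: float, now: Optional[float] = None) -> bool:
    """A backup older than the agreed interval is a failed control, not a pass."""
    now = time.time() if now is None else now
    return now - manifest["created"] <= max_age_seconds


def run_drill(tamper: bool = False) -> Tuple[List[str], bool]:
    """End-to-end drill: back up, restore, verify. tamper=True corrupts one restored file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live = root / "live"
        (live / "invoices").mkdir(parents=True)
        (live / "invoices" / "2024-01.csv").write_text("id,amount\n1,100\n")  # constructed data
        (live / "contacts.json").write_text('{"acme": "ops@acme.example"}')   # constructed data
        manifest = make_backup(live, root / "backup")
        restore_backup(root / "backup", root / "restored")
        if tamper:
            (root / "restored" / "contacts.json").write_text("{}")  # simulate a bad restore
        return verify_restore(root / "restored", manifest), backup_is_fresh(manifest, 24 * 3600)


if __name__ == "__main__":
    print(run_drill())               # ([], True) when the drill passes
    print(run_drill(tamper=True))    # (['corrupt: contacts.json'], True)
```

Keep the drill output (date, problems list, freshness result) as a record: a dated log of passing restore tests is exactly the kind of evidence that answers the underwriter's question. Note that the manifest lives next to the copy here; for the offline or immutable copy the insurer may ask for, the manifest should be stored with that copy so a tampered backup cannot also rewrite its own checksums.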
Patch management – You need to demonstrate that all your work devices are continuously updated to the latest supported version of Windows/macOS/iOS/Android/Linux; the same applies to whatever other appliances you use: databases, servers, the Wi-Fi access point at the office, your Salesforce instance, etc. Keep in mind that you have to have a live process that keeps updates rolling, not just a one-time compliance snapshot.
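To show the difference between a live process and a snapshot, here is an added example (mine, not from the post or any MDM vendor) that audits a device inventory against a minimum-version baseline and, just as importantly, flags devices that have stopped checking in. The inventory, the hostnames, the baseline versions and the 7-day silence threshold are all constructed assumptions; in practice the baseline would be fed from the vendors' current supported releases and the inventory from your MDM/RMM export or spreadsheet.

```python
"""Patch-baseline and check-in audit over a constructed device inventory (added example)."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Hypothetical minimum versions; in practice feed these from the vendors' current releases.
BASELINE = {
    "windows": "10.0.19045",
    "macos": "14.4",
    "ios": "17.4",
    "android": "14",
}

NOW = datetime(2024, 6, 1)  # fixed clock so the example is reproducible

# Constructed inventory: the shape an MDM/RMM export or a hand-kept spreadsheet would give you.
DEVICES = [
    {"host": "laptop-01", "os": "Windows", "version": "10.0.19045", "last_seen": NOW - timedelta(days=1)},
    {"host": "laptop-02", "os": "Windows", "version": "10.0.19041", "last_seen": NOW - timedelta(days=2)},
    {"host": "mac-03", "os": "macOS", "version": "14.4", "last_seen": NOW - timedelta(days=20)},
    {"host": "phone-04", "os": "Android", "version": "13", "last_seen": NOW - timedelta(days=10)},
    {"host": "ap-05", "os": "RouterOS", "version": "7.1", "last_seen": NOW},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """'10.0.19045' -> (10, 0, 19045); non-digit suffixes such as '14.4b' are ignored."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_below(actual: str, minimum: str) -> bool:
    """Numeric, component-wise comparison; '14' and '14.0' compare equal."""
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    a += (0,) * (width - len(a))
    m += (0,) * (width - len(m))
    return a < m


def audit_devices(devices: List[Dict], baseline: Dict[str, str], now: datetime,
                  max_silence_days: int = 7) -> List[Tuple[str, str]]:
    """Return (host, issue) pairs: below baseline, silent too long, or no baseline at all.

    A device that has not reported in is flagged even if its last known version was fine,
    because the insurer is asking for a live process, not a snapshot."""
    findings = []
    for d in devices:
        minimum = baseline.get(d["os"].lower())
        if minimum is None:
            # An appliance with no baseline is an inventory gap, not a pass.
            findings.append((d["host"], f"no baseline defined for {d['os']}"))
            continue
        silence = now - d["last_seen"]
        if silence > timedelta(days=max_silence_days):
            findings.append((d["host"], f"no check-in for {silence.days} days"))
        if version_below(d["version"], minimum):
            findings.append((d["host"], f"{d['os']} {d['version']} below baseline {minimum}"))
    return findings


def example_findings() -> List[Tuple[str, str]]:
    """Run the audit on the constructed inventory above."""
    return audit_devices(DEVICES, BASELINE, NOW)


if __name__ == "__main__":
    for host, issue in example_findings():
        print(f"{host}: {issue}")
```

Run this on a schedule and keep the output; a dated series of reports where the findings list shrinks to zero is the continuous evidence the post is talking about, whereas a single clean report proves only that one day was fine. The "no baseline" finding matters too: the office access point and the Salesforce instance from the paragraph above only get patched if they are on the list in the first place.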
Basic access control – It’s super inconvenient, and IT people hate it passionately, but you need to separate admin accounts from user accounts. The fewer rights you use for your daily work, the less exposure you have and the less damage any malware can cause. It’s a good personal habit to have, and for many years I have not asked for an exception to get admin access, even when it would have been effortless to justify and approve. It is a good opportunity to lead by example. Another aspect of access control is making sure that when you part ways with an employee, you deactivate ALL their access in ALL systems. This is where your application inventory comes in handy: use it as a checklist and revoke access one by one.
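The application inventory from the backups section does double duty here, and it also answers the MFA question from the top of the list. The added example below (my own illustration, not code from the post or from any SaaS admin console) runs one review over a constructed inventory of applications and their accounts and reports the three things an underwriter asks about: a leaver who still has access, a privileged account without MFA, and an account on a critical system (remote access, o365-style suites) without MFA. The application names, user names, roles and the HR roster are all constructed; the shape of the account records is an assumption, since every SaaS tool exports this differently. Alice's two M365 accounts show the admin/user separation the paragraph above argues for.

```python
"""Access review over a constructed application inventory (added example, not the post's)."""
from typing import Dict, List, Set, Tuple

# Constructed inventory: application -> accounts. Real data would come from each SaaS
# admin console or a CSV export; the record shape here is an assumption.
APPLICATIONS: Dict[str, List[Dict]] = {
    "M365": [
        {"user": "alice", "role": "admin", "mfa": True},   # separate admin account...
        {"user": "alice", "role": "user", "mfa": True},    # ...and a daily-use account
        {"user": "bob", "role": "admin", "mfa": False},    # privileged without MFA
        {"user": "carol", "role": "user", "mfa": False},   # critical app without MFA
        {"user": "dave", "role": "user", "mfa": True},     # dave has left the company
    ],
    "VPN": [
        {"user": "alice", "role": "user", "mfa": True},
        {"user": "dave", "role": "user", "mfa": False},    # leaver, and remote access without MFA
    ],
    "CRM": [
        {"user": "carol", "role": "admin", "mfa": True},
    ],
}

ACTIVE_STAFF: Set[str] = {"alice", "bob", "carol"}   # constructed HR roster
PRIVILEGED_ROLES: Set[str] = {"admin", "owner"}      # roles that always need MFA
CRITICAL_APPS: Set[str] = {"M365", "VPN"}            # apps where every account needs MFA


def review_access(applications: Dict[str, List[Dict]], active_staff: Set[str],
                  privileged_roles: Set[str], critical_apps: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (app, user, issue) triples for the three underwriting questions:
    leaver still has access, privileged account without MFA, critical app without MFA."""
    findings = []
    for app, accounts in applications.items():
        for acct in accounts:
            user, role, mfa = acct["user"], acct["role"], acct["mfa"]
            if user not in active_staff:
                findings.append((app, user, f"account still active after leaving ({role})"))
            if not mfa and role in privileged_roles:
                findings.append((app, user, f"privileged role '{role}' without MFA"))
            elif not mfa and app in critical_apps:
                findings.append((app, user, "critical application without MFA"))
    return findings


def offboarding_checklist(applications: Dict[str, List[Dict]], user: str) -> List[str]:
    """Every application where the leaver still holds an account: the list to revoke one by one."""
    return sorted(app for app, accounts in applications.items()
                  if any(a["user"] == user for a in accounts))


def example_findings() -> List[Tuple[str, str, str]]:
    """Run the review on the constructed inventory above."""
    return review_access(APPLICATIONS, ACTIVE_STAFF, PRIVILEGED_ROLES, CRITICAL_APPS)


if __name__ == "__main__":
    for app, user, issue in example_findings():
        print(f"{app:5} {user:6} {issue}")
    print("offboarding dave:", offboarding_checklist(APPLICATIONS, "dave"))
```

The offboarding checklist is only as good as the inventory behind it: an application that is not on the list never shows up, which is the same failure mode as the unlisted appliance in patch management. Running the review before renewal, and again each time someone leaves, gives you a dated record that the access was actually revoked rather than a promise that it will be.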