Cyber insurance for the little guy - underwriting prerequisites (Part 2).
In the first part we reviewed the list of baseline security expectations that make you insurable.
Failing to maintain those controls can either disqualify you from obtaining cyber insurance or be treated as a policy breach if it leads to a cyber incident.
Today we will review security measures that fall into a strong “nice-to-have” category: they can have a significant impact on your insurance premium, and they contribute heavily to overall cyber risk reduction.
Incident response readiness. Do you know whom to call if your files are not accessible? Do you know how you will notify your clients of delays or downtime in delivery of your products and services? Do you know where to start your recovery and who should be involved?
Insurers know that this clarity has a significant impact on the duration of an incident, its financial impact, and thus the risk the insurer is willing to take.
As with all controls in the list, expect a direct correlation between risk and insurance premiums.
Write at least a one-pager with key contacts and critical information that will help you during a crisis (for example, alternative tools that could help you sustain your operations).
Security awareness. In a regulated environment this has been a 101 control for decades; bigger companies have it well industrialized, with closely monitored training campaigns, reminders, and even themed merchandise. What can you do if you are a smaller company?
You can take one of the freely available cybersecurity hygiene checklists and share it with your employees. Or better, discuss it with your employees, bringing up relevant use cases and personal experience to align this practice with your company’s reality. Alternatively, you can use educational videos from YouTube.
Even in an age of AI, awareness of cyber risks remains one of the best preventive tools.
Device encryption. Many modern operating systems offer this feature by default (BitLocker, FileVault), and it is usually user-friendly enough to enable on all the devices your employees use to access your business applications. Even if a device is stolen, the data on it remains protected.
Email security. Since email remains one of the most prominent entry points for an attacker into your company, you should use the filtering and spam protection features your email service offers to minimize the risk as much as possible. It should also be part of your security awareness – don’t click suspicious URLs, verify the sender, etc.
SPF/DKIM & DMARC – you don’t need to know what they are, but whoever is managing your email service will have to configure them properly. Keep this on your to-do list.
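As an added example (not part of the original post), here is a small offline checker that reads “configured properly” the way an underwriter's questionnaire would: SPF must end in a strict -all, and DMARC must enforce (p=quarantine or p=reject) and carry a reporting address. The domains and TXT records are constructed samples, no DNS lookups are made, and DKIM is left out because checking it needs the selector your provider uses.

```python
# Added example (not from the original post): grade SPF and DMARC TXT records
# the way an underwriter's questionnaire reads "configured properly".
# No DNS lookups are made; the records below are constructed samples.
# Constructed sample TXT records for two fictional domains.
SAMPLE_RECORDS = {
    "bakery.example": {
        "spf": "v=spf1 include:_spf.mailprovider.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@bakery.example; pct=100",
    },
    "repairshop.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:reports@repairshop.example",
    },
}

def check_spf(record):
    """Return (ok, reason). SPF must exist and end with a strict '-all'."""
    if not record or not record.lower().startswith("v=spf1"):
        return False, "no SPF record"
    final = record.split()[-1].lower()
    if final == "-all":
        return True, "hard fail for unauthorized senders"
    if final in ("~all", "?all", "+all"):
        return False, f"weak catch-all '{final}': spoofed mail is not rejected"
    return False, "SPF has no 'all' mechanism"

def check_dmarc(record):
    """Return (ok, reason). DMARC must enforce (quarantine/reject) and report."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return False, "no DMARC record"
    # Split "tag=value; tag=value" into a dict; partition() keeps '=' inside values.
    tags = {}
    for term in record.split(";"):
        key, sep, value = term.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        return False, f"p={policy or 'missing'}: monitor-only, nothing is enforced"
    if "rua" not in tags:
        return False, "no rua= address: you will never see the failure reports"
    return True, f"enforcing (p={policy}) with aggregate reporting"

def assess_domain(records):
    """Combine both checks into one pass/fail with readable findings."""
    spf_ok, spf_msg = check_spf(records.get("spf"))
    dmarc_ok, dmarc_msg = check_dmarc(records.get("dmarc"))
    return {"ready": spf_ok and dmarc_ok, "spf": spf_msg, "dmarc": dmarc_msg}

if __name__ == "__main__":
    for domain, recs in SAMPLE_RECORDS.items():
        print(domain, assess_domain(recs))
```

To use it on your own domain, paste the TXT records your email administrator shows you into SAMPLE_RECORDS; a p=none DMARC policy is the most common reason a domain fails here.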
Simple logging / monitoring. You need visibility into who is using your business applications, and you need to be able to reconstruct the chronology of events if something bad happens. This capability is built into most mainstream tools (e.g., Microsoft 365 audit logs).
This will be required for investigation and forensics in case of a breach.
Vendor risk awareness. As a business owner you need to have a good grasp of who your critical suppliers are – who is supplying the flour to your bakery? Who is supplying spare parts to your repair shop? Who provides the application you use to manage customer orders? And what is your plan B if they are not available? This is interconnected with the first point, incident response readiness.
Network security basics. You will need a competent person to review the configuration of the network equipment in your office, to make sure that you are not running the default settings and that unnecessary remote access is disabled. Unfortunately, this will require advanced IT expertise. Bonus points for doing a security scan of those devices – attackers do it all the time, and they never ask for consent.