The frequency of customers engaging us for completing cybersecurity insurance renewals has increased, which has made us wonder WHY? Is it that:
- Insurance providers’ claims / costs are going up, therefore they are more diligent and selective in client risk levels?
- Customers are increasingly confused about technical and process controls needed to combat cyber threats?
Turns out BOTH are rapidly surfacing. After reviewing a dozen cybersecurity insurance questionnaires from well-known (AIG, Chubb, Travelers) to lesser-known carriers (Axis, BCS, XL), I decided to give you my “Top 5” analysis areas.
Top 5 things they ask that surprised me:
- Risk Specific (Ransomware and Exchange Hafnium)
- Vendor Management
To clarify, I’m NOT surprised these got asked, as they are good questions. My shock can be better categorized into two buckets:
- The specificity of the questions asked. While I’m accustomed to seeing these in compliance-regulated organizations, they feel new and granular for cyber renewals. For example:
- “What specifically did your organization do to counter the Exchange Hafnium breach in March 2021?”
- “Who is the named person in the organization responsible for information security?”
- The focus is equal parts protection, detection, and response. We have been stressing for years that it’s not IF, but WHEN, an incident occurs. This emphasis on post-breach efforts (examples below) is refreshing, but likely daunting to clients:
- “Do you have an Incident Response Plan and is it written, rehearsed, and tested by the responsible team?”
- “What tools and processes are in place to detect a Business Email Compromise?”
Other notable observations:
Some cyber policy renewal questionnaires are lengthy (30+ questions) while others are pretty succinct (10 or fewer questions). Which one will your insurance provider give you? Additionally, it seems all providers are interested in limiting their risk relative to your cyber security investment, such as quarterly scans or periodic reviews.
Insurance providers mean business. Not completing the questionnaire or providing unsatisfactory answers means your policy is not renewed or rates jump through the roof. There is little to no chance you’ll escape tough questioning as this appears to be an industry trend, not a provider one. How will you backstop company livelihood in the event of a breach?
Top 5 things they asked that did NOT surprise me:
- Security Awareness
- Data Backup
Many customers have solutions in place for these items, and/or combine solutions with a provider who executes them for their team. In my analysis, these 5 protection-focused areas are all about execution. Peters & Associates has solutions that cover each of these areas:
- Security Awareness Training – https://www.peters.com/solutions-services/it-support-services-pulse/security-awareness-program/
- MFA (in a Day) – https://www.peters.com/blog/mfa-in-a-day-turn-it-on-lock-it-down-recap/
- Antivirus and Patching – https://www.peters.com/solutions-services/it-support-services-pulse/user-management/
- Data Backup – https://www.peters.com/solutions-services/it-support-services-pulse/backup-management/
Let’s give a couple of everyday examples relative to execution:
- Detail Example 1: If the question is “Do you back up your systems?” you (hopefully) can answer “Yes” and move on. If the question is instead “Are your backups tiered to inaccessible areas of your network? Do backups require MFA to access? Are full restorations of key systems tested every 6 months?”, it requires a lot more understanding, evidence, and execution of solid process to address.
- Detail Example 2: If the question is “Do you leverage multi-factor authentication (MFA) for all administrator and remote access?” you would like to answer “Yes” but you can’t. For administrators, perhaps you have MFA on for cloud apps (Office 365), but not for on-premises (Active Directory). Perhaps some remote access has MFA (VPN), but other methods don’t have it (Citrix, DirectAccess) or require justification for why a non-traditional 2nd factor is in place.
How can Peters help?
Peters & Associates has industry-leading turnkey solutions for each of the areas required by cyber security insurance renewals. We are happy to chat with you about your cybersecurity insurance renewal or how these solutions can benefit your company. These solutions reduce your IT burden, strengthen your security posture, and let you keep insurance carrier renewal rates low. Contact us at email@example.com for more information.