Cybersecurity Controls Insurance Companies Require
I wanted to share the changes I’m seeing with our client insurance renewals for 2022. You may need a consultant to guide you regarding the questions and cybersecurity controls your insurance provider is requiring. We can assist in minimizing insurance premium increases, risk, and liability.
For our clients that are seeing the biggest increases in their insurance premiums, we really see that their organizations have not been paying attention to their cybersecurity hygiene and they have lots of gaps in their controls. Their insurance providers are requiring them to purchase additional insurance to cover these risks. In some cases, the client may need to hire a consultant to help them close these gaps and get their cybersecurity program up to par.
For clients that have been paying attention to their cybersecurity hygiene and have implemented controls to mitigate risks, we are seeing much smaller increases in insurance premiums, or in some cases, decreases. These organizations are being rewarded by their insurance providers for taking proactive steps to reduce their risks.
All businesses will feel the changes in cyber insurance application requirements in 2022. Gone are the 5-10 question applications. Insurance carriers are drilling much deeper to see what security controls an organization has. This goes for new applications and renewals.
Some of the main things they are looking for are:
- 1. Multifactor Authentication (MFA)
- 2. Employee Security Training
- 3. Securing Remote Access
- 4. Security Updates and Patching
- 5. Endpoint Detection and Response (EDR)
- 6. Tested Backups and Disaster Recovery plans
These controls are risk mitigation measures like enforcing multi-factor authentication (MFA) across the corporate network, conducting regular employee training, closing remote desktop protocol (RDP), completing software patches and updates, and if a company has the budget, using endpoint detection and response (EDR) tools to detect and mitigate cyber threats. Large enterprise businesses may ask to see your CMMC or NIST methodologies.
The CMMC or NIST methodologies provide a good framework for implementing security controls, but they are not the only options. There are other risk mitigation measures that can be taken, such as enforcing multi-factor authentication (MFA) across the corporate network, conducting regular employee training, closing remote desktop protocol (RDP), completing software patches and updates, and if a company has the budget, using endpoint detection and response (EDR) tools to detect and mitigate cyber threats. Large enterprise businesses may ask to see your CMMC or NIST methodologies, but they should also be open to hearing about other security measures that you have in place.
Carriers are now requiring MFA in a very broad way – for remote access, privileged accounts inside the network, and all cloud and software-as-a-service solutions. Really, they want MFA enforced for everything where it is possible and feasible. Another thing they’re focused on is the external attack surface; they want to make sure it’s locked down. And they want to ensure that insureds have a strong disaster recovery plan, making sure that their backups are held in a separate, secure location, and they require MFA for access.
There are a few different ways to achieve MFA, the most common being two-factor authentication (2FA) and multifactor authentication (MFA). 2FA typically uses something you know, like a password, and something you have, like a phone. MFA usually adds a third factor, something you are, such as your fingerprint.
With 2FA, a carrier might require that, in order to access an account or system, you first enter your username and password, and then confirm your identity with a code sent to your phone. With MFA, you might be required to do the same thing, but instead of confirming your identity with a code, you would use your fingerprint or another biometric factor.
Are you starting to see these changes in insurance renewal applications? If so, please schedule a call with us to discuss how InData can help fight insurance premium increases, risk, and liability.