No successful company expects a cyber claim. The premium is paid for insurance you hope you never have to use. Nonetheless, the carriers and their stakeholders are tired of paying large claims and premium trends reflect their view of increasing risks. It seems carriers are especially determined to make it more painful for those who do not fully disclose risks in applications and penalize those who fail to implement the minimal requirements for the policy to be issued.
What we are seeing today.
1. Policy Limits Cuts
We are seeing new policy clauses that cut policy limits in half when a risk was known to management, or should have been known, but was not fully disclosed in the renewal application. Failure to adequately disclose a risk comes at a great cost and at a time when you don’t need it. If you say you are addressing a particular risk using a product or service, then actually do it and be able to prove it! This includes recommended remediation steps from any previous assessments.
2. Double Retention Amounts
We are also seeing policy statements that automatically double the stated retention amounts if the carrier’s underwriters have made a recommendation and you failed to implement their recommended solution. This is especially true when the policy is issued contingent upon you addressing the underwriter’s concerns in the manner stated. Cyber policy premiums are based upon an evaluation of the risks. Risks are assessed based on the answers the company provides on the renewal application. Carriers also take a hard line when a senior company officer signs the renewal application as a company official, but the company has not, for varied reasons, provided a completely true and honest answer on the application. It is my experience that recommendations made by the underwriter in writing or via email during the underwriting and quoting process are not options but part of the contract to provide the coverage and issue the policy.
Some Good News
What cyber liability carriers are requiring you to do certainly enhances your information security posture, and thus reduces the chances of a claim. Additionally, in all fairness, most of the policies, procedures and products the cyber companies are asking you to implement can save you money in the form of lower premiums right away, as well as reducing claims for years to come.
Your Policy Carrier’s Expectations
Know How Your Data Is Secured
Know where your customer data is located and how it is secured, especially if you hold customer financial data or credit card information. The same is true for sensitive internal company information such as budgets, payroll, tax returns and Human Resource files. You can’t protect something if you don’t know where it exists. Are sensitive documents being stored on work-from-home devices? A detailed network diagram is an effective way to evaluate this and illustrate it for the carrier. Company logins and passwords for any product or service should be maintained in an encrypted password manager designed for that purpose and accessible from anywhere, not in documents on the company network.
Automatic Software Updates
Operating System software and critical third-party software (for example, your customer database) must be updated automatically without human intervention to prevent vulnerabilities from going unpatched. There are many products that are designed to do this. Choose wisely. Group policies should force updates on company devices and work-from-home devices that have missed critical updates. Cyber carriers insist that critical security patches be installed within 30 days of issue. To be certain the updates are effectively protecting the data and your users are not waving off updates, subscribe to quarterly scans for vulnerabilities. Call us if you are interested.
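The 30-day patch window and the Group Policy enforcement described above can be checked from the endpoint itself. The following script is an added example, not code from the original post: it reads the Windows Update policy keys that Group Policy writes and then queries the Windows Update Agent for security updates that have been published for longer than the window but are still not installed. It assumes a domain-joined Windows host with access to Windows Update or WSUS; the 30-day default and the registry key and value names are real Windows settings, and the script only reports, it changes nothing.

```powershell
# Added example (not from the original post): report whether automatic updates are
# enforced by policy and list security updates pending for more than $MaxPatchAgeDays.
# Assumption: run elevated on a domain-joined Windows host that can reach WU/WSUS.
param(
    [int]$MaxPatchAgeDays = 30    # the carrier's 30-day window from the text
)

# 1. Policy written by Group Policy under
#    Computer Configuration > Administrative Templates > Windows Components > Windows Update
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
if (-not $au) {
    Write-Warning "No Windows Update policy at $auKey; updates are not enforced by Group Policy."
} elseif ($au.NoAutoUpdate -eq 1) {
    Write-Warning "NoAutoUpdate=1: automatic updates are disabled by policy."
} elseif ($au.AUOptions -ne 4) {
    Write-Warning "AUOptions=$($au.AUOptions): not set to 'auto download and schedule install' (4)."
} else {
    Write-Output "Automatic updates are enforced by policy (AUOptions=4)."
}

# 2. Pending updates via the Windows Update Agent COM API
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0")

$now     = Get-Date
$cutoff  = $now.AddDays(-$MaxPatchAgeDays)
$overdue = @()
foreach ($u in $result.Updates) {
    # LastDeploymentChangeTime is the date the update was last published to this channel
    $published  = $u.LastDeploymentChangeTime
    $isSecurity = ($u.Categories | ForEach-Object { $_.Name }) -contains 'Security Updates'
    if ($isSecurity -and $published -lt $cutoff) {
        $overdue += [pscustomobject]@{
            Title     = $u.Title
            Published = $published.ToString('yyyy-MM-dd')
            DaysOld   = [int]($now - $published).TotalDays
        }
    }
}

if ($overdue.Count -eq 0) {
    Write-Output "No security updates pending for more than $MaxPatchAgeDays days."
} else {
    Write-Warning "$($overdue.Count) security update(s) exceed the $MaxPatchAgeDays-day window:"
    $overdue | Sort-Object DaysOld -Descending | Format-Table -AutoSize
}
```

Run it as a scheduled task or through your RMM and keep the output; a list of hosts that produced no overdue updates each month is exactly the kind of evidence a carrier asks for when the application claims automatic patching.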
Backups
Back up or image your data stores and perform quarterly test restores. Most data center customers back up their data several times a day. After each backup image is created and encrypted, a copy of that image file is replicated to a second data center. The logins for the replicated files are not part of the company domain and cannot be accessed with company domain logins. This is a form of “air-gapped” backup. Having an off-site, encrypted backup means that if the company is compromised, the most recent backups are not.
Written Security Policy
Have a written information security policy that is reviewed annually. You should have a company Information Security Officer who is responsible for ensuring the policies are enforced by network settings and user limitations. The best choice may not be the CEO and often not the director of Information Technology. You can’t hold your users responsible for protecting customer data without a plan and a summary of the plan they can reference when needed. Annual training on the plan is required by cyber carriers.
Anti-Virus and Malware
Every device that has an operating system must have active Anti-Virus and Anti-Malware installed and updated. Controlled by group policy, this software should automatically be installed on every device that becomes attached to the network. This includes personal devices allowed to connect to the secured network. Better AV software options do not require virus signatures or human intervention to be effective but use machine learning and artificial intelligence to recognize threats and act upon them automatically, so most cyber carriers are now insisting upon products with Endpoint Detection and Response (EDR) features. New devices and rogue devices should be detected and subject to company security controls. (See the blog post on Work-From-Home Security.)
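“Installed and updated” is the part carriers want proof of. As an added example (not from the original post), this script audits the points a questionnaire usually asks about on a Microsoft Defender endpoint: the antimalware service is running, real-time and behaviour-based protection are on, cloud-delivered protection is enabled, tamper protection is on, and signatures are current. It assumes a Windows host with the built-in Defender PowerShell module; the three-day signature-age threshold is our own choice, and other AV/EDR products expose different interfaces, so only Defender is covered here.

```powershell
# Added example (not from the original post): audit Microsoft Defender protection state
# on the local endpoint. Assumption: Windows with the Defender module (Get-MpComputerStatus).
param([int]$MaxSignatureAgeDays = 3)   # our threshold, not a carrier figure

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

$findings = @()
if (-not $status.AMServiceEnabled)          { $findings += 'Antimalware service is not running' }
if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }
if (-not $status.BehaviorMonitorEnabled)    { $findings += 'Behavior monitoring is off' }
if ($pref.DisableIOAVProtection)            { $findings += 'Download/attachment scanning (IOAV) is disabled' }
if ($pref.MAPSReporting -eq 0)              { $findings += 'Cloud-delivered protection (MAPS) is disabled' }

# Signature freshness: a machine that has not pulled definitions is not "updated"
$sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
if ($sigAge.TotalDays -gt $MaxSignatureAgeDays) {
    $findings += "Signatures last updated $([int]$sigAge.TotalDays) days ago"
}

# Tamper protection is only exposed on newer builds, so test for the property first
if (($status.PSObject.Properties.Name -contains 'IsTamperProtected') -and -not $status.IsTamperProtected) {
    $findings += 'Tamper protection is off'
}

if ($findings.Count -eq 0) {
    Write-Output "Defender baseline OK on ${env:COMPUTERNAME}"
} else {
    Write-Warning "Defender baseline findings on ${env:COMPUTERNAME}:"
    $findings | ForEach-Object { Write-Warning " - $_" }
}
```

The same checks can be pushed fleet-wide with Invoke-Command and the results collected centrally; a device that reports findings two runs in a row is also a candidate for the stale-device handling described under Routine Network Maintenance.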
Firewalls At All Locations
Protect your network with up-to-date firewall devices at every location. Subscribe to the update service and perform an external scan of your outward facing IP addresses and circuits at least quarterly. Firewalls should limit which countries are allowed to send content to you and all others should be blocked. Additionally, firewall content filters can limit the internet categories that can be accessed through your internet for your users. There are specific website “allowed” lists and blacklists you can control. Don’t forget about your guest wireless, which should have equally restrictive settings. Do you really want to have your waiting room guests and employees gambling online or watching violent hate videos or porn on your network? The potential liability is unlimited.
Because we cannot control what is on our employees’ personal user devices, smartphones and tablets (not owned by the company) should only be allowed to access the guest network for internet access and never to the secured network. Additionally, your policies and system controls should not allow back-door access through the firewall even for your IT staffers as all other security controls for the network are then circumvented.
Multi-factor Authentication (MFA)
Multi-Factor Authentication should be required for all user access to the network and all admin level access to servers. This must be a requirement for any remote access, including work-from-home devices and especially for your outside IT Help Desk and third-party access service providers.
Automatic Email Encryption
Encrypt emails containing sensitive data automatically. Customers are weary of their personal financial information being hacked and exploited. For Protected Health Information, encryption is required. The fines alone are enough to justify the cost of encryption. Most cyber policies direct that sensitive data be limited to only those who need the information to complete their job responsibilities; effective group policies can therefore limit access to that data.
Written Disaster Recovery Policy
The applicant should have a formal, written backup policy, including all network device types and software. Additionally, the cyber company requires a formal Business Continuity/Disaster Recovery Plan and more recently, an established Cyber Event Response Plan that all users are trained to follow. The Business Continuity Plan should be tested on a large scale annually and on a smaller scale, at least quarterly. This can vary by cyber carrier. Many companies have a test restore of a significant portion of their customer database monthly. There are many options to consider. (For more information see these blog posts: Disaster Recovery and Backup; Cyber Claims; How to Correctly Answer “No” On A Cyber Liability Application Question.)
Routine Network Maintenance
Finally, cyber carriers expect that routine maintenance of the network is occurring regularly. This does not mean once a year:
Devices
Devices that have not logged onto the network in more than 60 days have missed critical updates and are now the weakest links on your network. These devices should be disabled in Active Directory by group policy on the 61st day. Devices that have been disabled in Active Directory for one year should be deleted from Active Directory by group policy. Every hard drive must be accounted for when destroyed or re-purposed. A list of network devices should be reviewed by the IT coordinator at least quarterly. A physical inventory of devices should be conducted annually.
Users
Users who are no longer employed, or whose contract has been terminated, should be deactivated from the secure network immediately by setting the Active Directory (or Microsoft 365) account to “disabled”. We suggest an immediate group email to key people in the company. If the terminating user’s account cannot be disabled immediately, their password should be changed so that the company can continue to receive the former user’s email. Group policies should automatically disable user accounts that have not signed onto the network in more than 60 days. User lists should be verified against payroll records quarterly.
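The Devices and Users sections above describe one lifecycle: disable anything that has not authenticated in 60 days, delete computer objects that have been disabled for a year, and reconcile enabled users against payroll each quarter. The script below is an added example, not code from the original post, showing that lifecycle with the ActiveDirectory module. Its assumptions: it runs with delegated rights and the RSAT module; it records the disable date in the object’s Description attribute (our own convention, since AD does not keep a “disabled on” date); the payroll file is a constructed CSV with a SamAccountName column at an assumed path; and because it supports -WhatIf it previews changes until run without that switch.

```powershell
# Added example (not from the original post): stale-account lifecycle for AD.
# Assumptions: RSAT ActiveDirectory module, delegated rights, and our convention of
# stamping the disable date into Description. Run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$InactiveDays = 60,                         # from the text: disable on day 61
    [int]$DeleteAfterDisabledDays = 365,             # from the text: delete after one year
    [string]$PayrollCsv = 'C:\Reports\payroll.csv'   # assumed path to a payroll export
)
Import-Module ActiveDirectory

$today = Get-Date
$stamp = "Disabled $($today.ToString('yyyy-MM-dd')) - inactive > $InactiveDays days"
$window = [timespan]::FromDays($InactiveDays)

# 1. Disable computers and users that have not authenticated within the window.
#    Search-ADAccount evaluates lastLogonTimestamp, which replicates with up to
#    14 days of lag, so anything returned is at least $InactiveDays old.
$staleComputers = Search-ADAccount -AccountInactive -TimeSpan $window -ComputersOnly | Where-Object { $_.Enabled }
$staleUsers     = Search-ADAccount -AccountInactive -TimeSpan $window -UsersOnly     | Where-Object { $_.Enabled }

foreach ($acct in @($staleComputers) + @($staleUsers)) {
    if ($PSCmdlet.ShouldProcess($acct.SamAccountName, "Disable (inactive > $InactiveDays days)")) {
        Disable-ADAccount -Identity $acct.DistinguishedName
        Set-ADObject -Identity $acct.DistinguishedName -Description $stamp
    }
}

# 2. Delete computer objects that have been disabled for more than a year, using the
#    date we stamped into Description at step 1.
$disabledComputers = Get-ADComputer -Filter 'Enabled -eq $false' -Properties Description
foreach ($c in $disabledComputers) {
    if ($c.Description -match '^Disabled (\d{4}-\d{2}-\d{2})') {
        $disabledOn = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)
        if (($today - $disabledOn).TotalDays -gt $DeleteAfterDisabledDays) {
            if ($PSCmdlet.ShouldProcess($c.Name, "Remove (disabled since $($Matches[1]))")) {
                Remove-ADComputer -Identity $c.DistinguishedName -Confirm:$false
            }
        }
    }
}

# 3. Quarterly reconciliation: enabled user accounts with no payroll record.
if (Test-Path $PayrollCsv) {
    $payroll = (Import-Csv $PayrollCsv).SamAccountName
    Get-ADUser -Filter 'Enabled -eq $true' |
        Where-Object { $_.SamAccountName -notin $payroll } |
        Select-Object SamAccountName, DistinguishedName |
        Format-Table -AutoSize
} else {
    Write-Warning "Payroll export $PayrollCsv not found; skipping payroll reconciliation."
}
```

Scope the searches with -SearchBase to the OUs that hold workstations and staff accounts before scheduling this, so service accounts and servers with legitimate long idle periods are not caught by step 1; the -WhatIf output from the first few runs is also a useful record to keep for the renewal application.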