Cybersecurity Insurance Requirements
If there’s one thing that’s been keeping me up at night more than the thought of running out of coffee, and what is going to happen to the Roy children in Succession, it’s the importance of cybersecurity insurance. I mean, who doesn’t love a good insurance policy? It’s like a security blanket for your digital assets – except way less cuddly and way more necessary.
Lately, I’ve been talking a lot about how in the USA, it’s becoming more challenging to get cybersecurity insurance. I said those processes haven’t quite made it to Australia, but now they have.
In this post, I’ll take you through the trials and tribulations that we’ve just gone through in renewing our Cybersecurity insurance and give you some tips on how to avoid them.
Before we get started, no, we haven’t gone into the insurance business, and trust me, I’m not trying to sell you anything (except maybe on the idea that your business needs to consider cyber insurance seriously).
TL;DR
- Cybersecurity Insurance is harder to get in Australia
- You will need to provide more information to the insurer. See some of the questions asked below.
- They are also gathering information about your business and how secure it. They are crawling the web, looking to make sure you are protected.
- If they don’t like what they see, you will not be insured
- Below is the story of the troubles we went through to get insured due to some incorrect information gathering on their behalf
- Most importantly, secure your environment correctly so you can get your insurance and then never have to claim on it.
Why is it hard to get cybersecurity insurance?
Back in the “good ol’ days” of 2018, Cybersecurity insurance was easy to get. This was because insurance companies thought cybercrime was only something big players like Optus, Telstra and the Banks had to deal with.
They thought it would be easy money to sell cybersecurity insurance to small and medium businesses. No one will target them. Or so they thought. Then Covid hit.
During the lockdowns, where employees were all working from home, businesses didn’t properly secure their environments in a rush to stay productive. Bad actors saw ample opportunity to profit as well, and they pounced.
So more policies were being written up, and the loss ratio exploded alongside it. This is a worst-case scenario for insurance companies as they are now forced to payout on more policies than expected.
A good example of what insurance companies like is the auto industry. In the auto industry, only about 10% of policies are claimed. Ten per cent is a good loss ratio. Well, what about cyber insurance? The last time it was measured, it was a staggering 62%.
So the insurance companies have evaluated the cybersecurity risk properly now and are likely to claw back some of their losses. So premiums have gone up, and they are much pickier about who they will sell to now. And for a second there, I thought we would miss out.
This information was gathered from the brilliant podcast Workflow. See the transcript for the Podcast here.
Our Cybersecurity Renewal
This time of year is when we renew all our insurance. Public and Professional Indemnity, Content insurance, Cyberinsurance etc. On receiving our paperwork, I noticed the Cybersecurity insurance form had a lot more questions on it than last year. So I reached back out to our insurance man Paul, and asked the following:
Hi Paul
Will do.
I’ve been advising clients that getting Cyber insurance will be more difficult. Apparently, they are getting very strict in the USA on who they insure.
I think this is the first time we’ve been asked to fill in a form like this since we initially got the insurance.
Is that right? Is it all becoming harder here too?
Thanks
Paul replied back
Hi Yener,
Thanks for the email, yes it is getting harder to obtain the cover right across the board, especially if the clients haven’t implemented the majority of the computer system security requirements as listed.
I checked the file and you completed a declaration form about two years ago, however that form was only about half of the questions that this one is asking.
Kind Regards
So, the requirements are becoming more stringent here in Australia too. So what were some of the questions asked on this form?
Well, alongside the standard questions, I noticed these:
Question 1. Please specify the number of personal information data records you have that are subject to the following legal jurisdictions:
Australia | USA | Europe | Rest of the World | |
Number of Records | ? | ? | ? | ? |
This question here is to determine your exposure level if you were breached. This no doubt affects your premium, if you can get insurance. The lower the number here, the better on all fronts.
Clean up your personal information records
Tip: You will want to review all your Personal Identifiable Information (PII) data and remove old, stale or unnecessary data. Hanging on to this information doesn’t help your business; it just increases your exposure levels and premiums.
Question 2. Are you and / or your employees working from home during the Covid-19 pandemic?
This question helps the insurance company understand if you are at risk of insecure practices that you have because you are still working from home or have left access open from when you were.
Secure your remote access systems.
Tip: Ensure you only allow staff to access your systems from a work device. And make sure all your work devices are locked down, monitored and patched automatically to ensure the highest level of security.
Question 3. Have you (or will you prior to inception of this insurance) make your employees aware of the risk of phishing emails, particularly phishing using emails using Covid-19 themes?
This question helps the insurance company understand if you are taking steps to educate your staff on the dangers of phishing and how to spot them. As you know, your staff are the last line of defence when stopping hackers. They need to be trained.
Train your staff on how to spot phishing emails.
Engage with a service that can send simulation emails to test your staff, and if they fail to spot the phishing attempt, immediately enrol them in training.
Question 4. Do you currently (or will you prior to the inception of this insurance) access your company networking using complex passwords AND some form of multi-factor authentication?
Use Complex Passwords and MFA
This question is self-explanatory. Don’t use bad passwords; use a password manager and ensure you have MFA everywhere! MFA will reduce your chances of being compromised by 90%.
Question 5. Do you practice the following mitigation strategies to prevent malware delivery and execution:
- Security patching of applications and operating systems
- Email content filtering
- Web content filtering
- Deny corporate computers direct Internet connectivity. (i.e. Use a gateway firewall)
- Antivirus software with up-to-date signatures
Secure your environment
Ensure all devices are patched and monitored and you have multiple layers of security across all entry points into your business (email, the web, etc.).
Question 6. Do you practice the following mitigation strategies to limit the extent of cyber security incidents?
- Restrict administrative privileges
- Multi-factor authentication for all users when they access your computer system remotely
- Encryption of data in transit
- Encryption of data at rest
- Encryption of data stored on laptop hard drives or portable media
Aligning your IT environment to Essential Eight
Although it doesn’t technically mention Essential Eight, there is a crossover here with the Australian Securities Signals Directorate Essential Eight. Eight Key policies to increase your business’s level of protection.
There were some more questions on the survey, but they were some I’d like to point out.
I filled in the questionnaire and thought “the job is done”. I’ll simply await my policy documents, and we’ll be protected for another year. I was very wrong…
Online Security Scorecard
The very next day, I received an email from Paul.
“This will be my renewal notice”, I thought to myself. Here’s the email.
Hi Yener,
Following on from the submission of the renewal declaration form please see email below from [redacted] Underwriting requesting some further information.
Hi Paul,
Thank you for providing the proposal form for the above renewal.
Prior to processing the renewal terms, if I could please follow on with a few additional questions for the Insured.
I refer to the attached report, which has highlighted several potential areas of concern in the Insured’s network.
- How does the Insured authenticate Certificate signing? Are all certificates no longer in use decommissioned?
- Confirmation that all TLS versions are upgraded to 1.2 or higher
- How does the Insured validate and secure email transmission? Are SPF’s in place?
- How does the Insured secure Web Application Headers? Are HTTPs protocols in place?
- Can the client confirm that 100% of the High Severity CVE’s in the attached report have been patched for?
- How frequently does the client perform vulnerability scanning? What is their patch management frequency?
Feel free to share the report with the Insured, happy for them to add any context or commentary.
Scorecard is a resource that [redacted] and [redacted] (along with other Insurers) utilise to scan the IP addresses. It highlights any potential vulnerabilities that we may want to ask questions around for our ITL and Cyber risks.
Let me know if you have any questions or wish to discuss.
Should you have any queries then please don’t hesitate to contact me.
Kind Regards
The thing that blew me away was the attached PDF. It was a 92-page document highlighting several high-risk issues with “our” environment. Here’s the snapshot from the report.
So many questions:
- A D!??!? How did we get a D?!?
- How did they turn this report around so quickly?
- Where did they get this information from?
- How did we get a D?
I was back in high school and just got a mark that would make my dad furious. I was starting to sweat.
Who is SecurityScorecard?
SecurityScorecard provides a security ratings service that evaluates companies’ overall security and ten key risk factors using a straightforward A-F grading system. Companies with C, D, or F ratings are 5.4 times more likely to experience a significant breach than those with A or B ratings.
Notably, specific risk factors, such as application security and patching cadence, highly indicate the likelihood of a breach. For instance, receiving an F rating in these factors may result in a tenfold increase in the risk of a successful attack or data breach compared to receiving an A rating.
SecurityScorecard reviews, stores, and provides access to publically available data on IT environments via automated bots. It’s along the lines of Google crawling the web. They do the same thing, but instead of storing webpage links, they store your vulnerabilities and score them.
What does this mean for cybersecurity insurance customers?
This means you can no longer simply fill out a form and get your insurance. Services like SecurityScorecard are being heavily used by insurers to ensure they will not sell insurance to a company that doesn’t properly secure their environment.
How did Intuitive IT get a D?
Ah yes. That company keeps telling you to secure your environment are they not following their own advice? We are! I’m sure we are! Aren’t we?
Once I delved into the details, we found that our Digital Footprint (the information SecurityScorecard gathered about us) was incorrect.
Another IT Services Provider, located here in Melbourne had some of their data attributed to us. It was their Digital Footprint that had dragged us into D-Grade territory.
Once I discovered that, I was relieved, as we weren’t D-Grade after all. But what happens if we can’t convince the Underwriter that this is the case?
So we got right to cleaning up our Digital Footprint. This was taxing as you need to find evidence to support your claim. How do you find evidence to support the argument you don’t own something!? You need to wait 24 hours after each attempt to clean up, and with each passing day I thought we wouldn’t be able to get this done in time and we would be turned down for getting our insurance.
It was a hectic week, but we got there.
We got our Cybersecurity insurance policy!
So after a few days of cleanup and a nicely worded email to our broker, we finally got our policy approved on the 4th of April. Phew!
We are still cleaning up our SecurityScorecard score, but as you can see, we’ve made some progress and are moving to A ranking very soon. My dad will be happy with me too.
Once the clean-up is complete, we’ll be even higher, as there were some great recommendations that we followed to improve our score and our security.
Moral of the story – Take care of your security now
The last week has been an excellent lesson for us. It has highlighted a few things when it comes to security
- Insurance companies will look at your Digital Footprint to see if you are well protected
- You do want Cybersecurity insurance, but more importantly, you want to secure your environment
- Keep an eye on your Digital Footprint to ensure you are well protected and it’s correct! Companies are using this information and assuming it’s correct. Get your Scorecard today
- We can help you protect your environment and help you increase your SecurityScorecard score.
About the author
Yener is the founder and Managing Director of Intuitive IT. Prior to running his own business Yener worked for a number of corporate organisations where he gained invaluable experience and skills, as well as an understanding of how IT can complement and improve business outcomes.