When you renew or try to obtain cyber insurance, the questions have historically been pretty lame. But, in the face of large losses, insurance companies are STARTING to get serious. Here is a report from one company on what its insurer asked at renewal time. The questions below are taken from an actual application.
How would you answer these questions?
Do you perform regular backups and store them in a secure off-site location? Note the second part. Ransomware operators go after the backups first, if they can reach them, so that you have nothing to restore from.
Do you limit remote access to all computer systems by using two-factor authentication? Ignore, for the moment, that these folks can't construct a well-formed English sentence. What they want to know is whether you REQUIRE two-factor authentication for ALL remote access, not just for some users or some systems.
How many PII records are held on your network? Note that they are not asking how many are created each year, but how many are stored. Getting rid of old data you no longer need reduces this number, and reduces what a breach can expose.
Do you provide periodic anti-fraud training to all employees? Everyone should be doing this, but are you? Misrepresenting this on an application is likely grounds for the insurer to deny a claim.
Are processes in place to request changes to bank account details including account numbers, telephone numbers or contact details? If this means changes to your own accounts, what is possible may be up to your bank, and you should find out what controls it offers. If this awkward question means how you authenticate customers who want to change their bank account details, that is up to you to deal with. In practice, this question is usually aimed at payment diversion fraud: an attacker, often from a compromised or look-alike email account, asks you to send a supplier's or employee's payments to a new account. The control the insurer is looking for is verification of every such request out of band, for example a call back to a phone number you already have on file, never one supplied in the request itself.
Are you using Office 365? Huge attack surface, enough said.
Can users access email through a web application on a non-corporate device? Start with the mail app on your own phone: if it is not a managed device, the answer is already yes.
Do you STRICTLY enforce SPF on incoming email? Strict enforcement means rejecting messages that fail the sending domain's SPF policy, not just adding a header or a spam score. Maybe 1% of companies do this because, they say, they might miss an email from a customer whose SPF record is misconfigured, so it is better to let all those phishing emails in.
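To make "strictly enforce" concrete, here is an added example (not from the original post or from CSO Online) of what a receiving mail server actually decides. It is a small SPF evaluator that supports the ip4, ip6, include and all mechanisms, followed by a policy function that shows the difference between a strict receiver (rejects fail and softfail) and the lenient setting most sites run (accepts everything and at most tags it). The SPF records in SPF_RECORDS are constructed for this example, using documentation address ranges, so the code runs offline with no DNS lookups; a real MTA would resolve the TXT records instead.

```python
import ipaddress

# Constructed DNS data for this example (domain -> SPF TXT record).
# These are placeholder domains and RFC 5737 / RFC 3849 documentation addresses,
# not real records.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:203.0.113.5 ~all",
    "nospf.example": None,   # domain publishes no SPF record at all
}

# SPF qualifier prefixes and the result each one produces on a match (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(sender_ip, domain, records=SPF_RECORDS, depth=0):
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral', 'none',
    'permerror') for sender_ip claiming to send on behalf of domain.

    Only ip4, ip6, include and all are modelled; a, mx, ptr, exists and
    redirect would need DNS and are reported as permerror here.
    """
    if depth > 10:                     # RFC 7208 limits nested lookups to 10
        return "permerror"
    record = records.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"                  # no policy published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:    # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = evaluate_spf(sender_ip, arg, records, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"     # include of a missing/bad record is fatal
            # fail, softfail or neutral inside an include: keep going
        else:
            return "permerror"         # mechanism not modelled in this example
    return "neutral"                   # record ran out without an 'all' term


def receiver_decision(result, strict):
    """Map an SPF result to an MTA action.

    strict=True is what 'strictly enforce' means: hard fail, softfail and
    permanent errors are rejected at SMTP time. strict=False is the common
    lenient setting: nothing is rejected; fail/softfail only get flagged.
    """
    if strict:
        return "reject" if result in ("fail", "softfail", "permerror") else "accept"
    return "accept-flagged" if result in ("fail", "softfail") else "accept"


def decide(sender_ip, domain, strict=True):
    """Convenience wrapper: evaluate SPF and return (result, action)."""
    result = evaluate_spf(sender_ip, domain)
    return result, receiver_decision(result, strict)


if __name__ == "__main__":
    # A spoofed message claiming to be from example.com, sent from an
    # unauthorised address: strict rejects it, lenient lets it through.
    for strict in (True, False):
        print("strict" if strict else "lenient", decide("203.0.113.99", "example.com", strict))
```

The example also shows why some sites hesitate: a customer whose SPF record ends in "~all" (softfail) or publishes no record at all ("none") is treated differently by the two policies, and a strict receiver will bounce mail from a customer whose record is simply wrong. The answer is to fix the sender's record, not to accept spoofed mail from everyone.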
Are your backups encrypted AND kept separate from your network, whether offline or with a specialist cloud service? Again, they are asking whether an attacker who has your network can reach and wipe your backups before encrypting your systems.
Do you use endpoint protection in the network? What brand? In other words, what steps are you taking to protect your systems?
How long does it take to install critical and high severity patches? Remember, it can take attackers only hours to weaponize a published vulnerability, so an answer measured in weeks will not impress anyone.
Do you have a SOC (Security Operations Center)? Most do not.
What steps are you taking to detect and prevent ransomware? It is costing the insurance company billions, so it is a reasonable question.
Some of the other questions include:
- Have you implemented a hardened baseline configuration across servers, laptops, desktops, and managed mobile devices?
- How do you implement local administrator rights?
- Do you provide users with password manager software?
- Are end-of-life or out-of-support hardware and systems segregated from the rest of the network?
You probably have a good idea what the right answer is. If you need help getting there, contact us.
Credit: CSO Online