Most Common Cyber Insurance Application Questions

Confused by the cyber insurance form your agent sent you to fill out? When filling out a cyber-security form, how do you know what's important and what's more of a box checking exercise? Which ones should you care about. Based on hundreds of cyber insurance applications here is a list of the most common questions which appear on every and why you should care about them.

Insurance - Business Background. Golden Compass Needle on a Black Field Pointing to the Insurance Word.-1-1

Who is responsible for IT security?

Why do they ask?

If no one is responsible for IT Security it's not going to be done well. That which is measured and managed is improved.

What you should do?

Make it someone's responsibility. Even a non-technical owner or manager can ask questions.

What security framework is in use?
What have we done this quarter to improve our security?
What percentage of our IT budget is spent on security?

Do you have a plan for...

Disaster Recovery?
Business Continuity?
Incident Response?

Why do they ask?

To quote Dwight Eisenhower "plans are useless. Planning is invaluable. " The insurance company wants to know that meaningful thought and preparatory work has been completed.

What you should do?

Make sure you have a simple, clear and concise set of plans and that everyone know where the plans are kept. In an emergency, the last thing someone wants to do it look for the 300 page disaster recovery plan. The second to last thing they want to do is leaf through a beautifully formatted 300 page document past 500 imaginary problems that don't relate to their current situation so they can find the one phone number they need to call.

Do you encrypt sensitive or confidential information?

Why do they ask?

Many ransomware attacks begin with the attackers copying data off-site so they can blackmail a business after a ransom is paid. This double-dipping costs the insurance company (and yours) more.

What you should do?

Consider encrypting any data you wouldn't want to have published. This includes patient information, price lists, drawings, financial statements, etc.

Do you maintain an inventory of assets and applications?

Why do they ask?

One of the worst cyber attacks in history was due to Equifax not patching a server they forgot they had. https://www.forbes.com/sites/thomasbrewster/2017/09/14/equifax-hack-the-result-of-patched-vulnerability/?sh=65d978415cda

Admittedly, most companies don't have this level of exposure.  However many do have generic accounts, old computers, open wifi and week passwords that leave them exposed.

What you should do?

Keep an inventory of systems and applications in addition to physical computers.   The applications and configurations will have a greater impact on most companies than the hardware inventory the accounting department works so hard to maintain.

Microsoft 365 Advanced Threat Protection (ATP)

What is it?

Microsoft ATP now called Microsoft Defender for Business is an advanced malware and spam filter. It does things like creating a virtual machine to open email attachments to check for suspicious behavior before delivering. Should that Excel file really upload data to a server in Russia after it's opened?

Why do they ask?

94% of malware is delivered via email

65% of attacks use spear phishing as their primary attack vector

What you should do?

You should immediately confirm your Office 365 plan includes ATP (aka Defender for Business). Sometimes this is an explicit add-on and sometimes you have the feature included in another license like Business Premium. This is an inexpensive item which provides real benefit to your business

MFA is required for?

Why do they ask?

Google and Microsoft reported that MFA stopped 99% (or 99.9% or even 100%) of attacks. This statistic is debatable but MFA is free (most of the time) and stops many common forms of attack.

What you should do?

Turn on MFA on every service and site where it's possible to do so. Require MFA in your employee handbook. Consider the availably and cost of MFA on all new systems or services your implement.

DKIM, DMARC and SPF?

What is this? 

DKIM, or DomainKeys Identified Mail, is a  digital signature to let the receiver of an email know that the message was sent and authorized by the owner of a domain.  
 
SPF or Sender Policy Framework is an email authentication method that helps to identify the mail servers that are allowed to send email for a given domain.
 
DMARC tells the receiving email server what to do if an email doesn't pass the other two checks.
 

Why do they ask?

1.  Enforcing these settings on your system helps ensure the email that reaches your mailbox is legitimate.

2.  Helping the people you send email to identify legitimate messages limits the damage that can be done by someone trying to impersonate you.

What you should do?

It's easy and non-technical to see if you have these records setup for your domain.  Enter the last part of your email address into these pages to see if these records are setup for your domain.

https://mxtoolbox.com/spf.aspx

https://mxtoolbox.com/DMARC.aspx

https://mxtoolbox.com/dkim.aspx

Does your antivirus include an EDR?

What EDR?

Traditional anti-virus matches software against a library of known malicious software and looks for a match.

EDR or Event Detection and Response relies on applications behavior to determine if it's suspicious or not. Should this software attempt to logon to every other computer on the network fifteen times a second? Should it upload data to an over-seas server? Should it be recording keystrokes? In addition to doing a better job detecting malware, EDR software records what happens. It's a lot easier to fix a problem if you know what happened.

Why do they ask?

Modern EDR software is an order of magnitude better at preventing attacks than older traditional anti-virus software.

What you should do?

Contact your IT department or IT provider and ask if you have EDR and what it would cost to implement.

Social engineering or phishing training?

Why do they ask?

The weakest link is often human. The most sophisticated system in place is definitely human. Training represents both the biggest risk and the biggest opportunity.

What you should do?

Train regularly and train often. Train using multiple channels. Address security in staff meetings. Send automated trainings out. Track who completes the training.

Backups, backups, backups...

Why do they ask about?

Separate credentials.

Access to the original data shouldn't automatically grant access to the backups. If someone has the password to delete the data, they should not automatically be able to delete the backups.

If backups are isolated from the rest of the network.

See above. And, if backups are kept isolated, this doubles the amount of work an attacker has to complete a successfully ransomware attack. It politely encourages them to spend their time somewhere else.

When backups were last tested.

As anyone who owned a VCR can attest, there's a big difference between pressing record and coming back later and pressing play. In addition to simply knowing backups are working, a test is how you confirm how long you'll be down if you did need to restore.

Are your backups immutable?

Immutable meaning incapable of being changed or deleted for a specified period of time. Many on-line storage providers offer storage that can't be touched for days or weeks. This prevents attackers from encrypting or deleting a backup.

What you should do?

When your IT provider fills out these questions don't accept no for an answer. Make sure you understand how long it takes to restore your data AND what it would cost you to reduce that time.