Cyber Liability Insurance: 5 Best Practices to Ensure You’re Approved

The ongoing escalation in ransomware attacks and other cyber incidents is pushing more businesses to seek cyber liability insurance (CLI) to help mitigate risk. But this same trend has caused insurers to incur losses and insurance requirements to become more stringent.

U.S. cyber insurers increased their premiums by an average of 96% year-over-year in Q3 2021 alone, and many clients have increased retentions in an effort to keep CLI costs in check. Insurers have also instituted rigorous new requirements to evaluate companies’ security controls before extending coverage.

Here are five of the most important security controls you should have in place to reduce the risk of a cyber incident and, ultimately, lower the risk for your insurer. Putting these practices in place will greatly increase the odds that you’ll be approved for cyber insurance.

1. Multifactor authentication

Passwords are susceptible to being stolen, guessed, improperly shared, socially engineered and hacked by brute force. Many ransomware and other cyberattacks rely on compromised passwords to penetrate systems.

By requiring one or more additional authentication factors — such as a biometric identifier, mobile app, phone number or security token — multifactor authentication (MFA) makes it tougher for hackers to gain entry and greatly reduces authentication-related risk.

In today’s market, it’s highly unlikely you’ll be approved for cyber insurance if you don’t have MFA in place on your most critical systems. These include email, VPNs, cloud services, core business systems (such as accounting/ERP and CRM) and industry-specific systems (asset management, medical records, R&D applications holding intellectual property, and so on).

2. Endpoint detection and response

Endpoints like laptops, tablets and smartphones are popular targets for cyberattacks because they frequently offer a pathway to an organization’s networks. Endpoint detection and response (EDR) continuously monitors these devices to detect, alert and respond automatically to incidents.

EDR’s focus is on the continuous monitoring of real-time endpoint activity, in-depth analysis of suspicious processes and response to incidents and breaches. For example, EDR helps security teams spot anomalies that might otherwise go unnoticed and blocks threats before they can spread.

3. Secure backup procedures (including offline)

Many ransomware attacks target backup data, and a top reason for paying a ransom is a lack of recoverable backups. No wonder many underwriters are demanding that businesses implement immutable backups that cannot be encrypted, modified or deleted. Even better is an immutable backup scheme that is also isolated (air-gapped/offline) from the local network.

4. Identity and access management

Credentials are among the top data types stolen by hackers, and hacked credentials lead to more data breaches than any other source. This makes identity and access management (IAM) a focus on many insurers’ due diligence questionnaires.

IAM is a set of policies, processes and technologies that help businesses manage digital identities and control user access to sensitive data. By assigning specific roles to users and making sure they can access only the data and networks they need for their jobs, IAM reduces cyberrisk associated with key initiatives like mobile/remote working and moving applications to the cloud.

5. Patch management

Cybercriminals love to target known vulnerabilities in outdated software, especially as a ransomware attack vector. This makes a patch management program imperative to keep devices on the latest version of software and firmware to prevent a breach.

Besides eliminating security vulnerabilities and reducing risk, a solid patch management program also helps improve system uptime and maintain compliance with regulations like HIPAA and PCI DSS, as well as gives users timely access to new features. Patch management is supported by endpoint management and other IT asset inventory tools because you can’t patch what you don’t know exists.

Adopting a Zero Trust Model

Zero trust dictates that organizations should not automatically trust any entity inside or outside their network — “Never trust, always verify,” as opposed to “Trust but verify.”

In the new reality of hybrid working arrangements, it’s time to re-evaluate information security based on zero trust. ESET solutions give organizations of all sizes a more secure IT setup embodying a zero trust approach, including measures to efficiently verify every single access, person and device — internal and external — to comprehensively protect your data and networks.

To find out more about zero trust and how ESET offers a practical path to align with it, please visit our website.

Tony Anscombe is Chief Security Evangelist for ESET. With over 20 years of security industry experience, Tony is an established author, blogger and speaker on the current threat landscape, security technologies and products, data protection, privacy and trust, and Internet safety. His speaking portfolio includes industry conferences RSA, Black Hat, VB, CTIA, MEF, Gartner Risk and Security Summit, and the Child Internet Safety Summit. He is regularly quoted in security, technology and business media, including BBC, the Guardian, the New York Times and USA Today, with broadcast appearances on Bloomberg, BBC, CTV, KRON and CBS.

This guest blog is part of a Channel Futures sponsorship.