Getting cyber liability insurance in 2022 is becoming more difficult and expensive. Not only are insurance companies asking applicants to implement a litany of security controls, but they are dramatically raising the cost of insurance premiums anywhere from 75% to 1000%. Last year, there was a 500% increase in cyber liability insurance claims. In fact, cyber claims loss ratios hit a whopping 73% in 2021. Insurance companies are getting tired of paying for ransomware claims. They are now evaluating applications very carefully. They are looking at loss history in your industry, the number of employees you have, your cybersecurity team, your annual revenue, your security controls, the amount of confidential information you hold, and your own loss history. Underwriting decisions are made on a case-by-case basis. Some insurance companies are declining to cover companies that are not serious about improving their cybersecurity posture. Will your business survive the financial impact of a cyber attack if you don’t have cyber liability insurance?
Here are four categories of cybersecurity controls that you will see in a typical cyber liability insurance application. By implementing most of them, you will improve your chances of getting coverage at a reasonable cost. In addition, your business will not be a sitting duck and you will be able to find out quickly when someone breaks into your systems. The sooner you find out when someone penetrates your cyber defenses, the less damage they will be able to do to your company.
1. Email security controls. There are four email security controls that you should implement.
The first one is a banner tagging all inbound emails coming from external sources. This reduces the likelihood of your team getting phished when an external email comes in pretending to be an internal email.
The second control you should have is a system to screen all email attachments and links before delivering them to your inbox. This system detonates email attachments and links in a sandbox in the cloud. If an attachment or link is found to contain malware, it will not be delivered to your inbox.
The third control you should implement is a combination of three anti-phishing systems: the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC). SPF is used to publish the list of mail servers authorized to send email for your organization. Suppose a spammer spoofs your domain and starts sending emails pretending to come from your company. In that case, the recipient’s mail servers will recognize those emails as spam because they did not originate from your company’s authorized mail servers. DKIM adds a digital signature to outbound emails so that the recipient can validate the sender’s authenticity and confirm that the contents of the email have not been modified in transit. DMARC is a published policy that tells receiving servers what to do with inbound emails based on the SPF and DKIM results. For example, DMARC can be configured to do nothing, quarantine emails, or reject them when SPF and DKIM fail.
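As an added illustration (not code from the original article), here is a small Python model of how a receiving server applies the three checks: a constructed SPF record is evaluated against the sending server's IP, a constructed DMARC record is parsed for its p= policy, and the DMARC decision applies that policy only when neither SPF nor DKIM passes with a domain aligned to the From: domain. The records, domains and IP addresses are constructed sample values, and the SPF evaluator handles only ip4/ip6 mechanisms and the final all qualifier (include:, a and mx need DNS lookups, which this offline example skips).

```python
import ipaddress

# Constructed sample DNS TXT records for a hypothetical domain (example.com);
# illustrative values, not real published records.
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.25 -all"
DMARC_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(txt, sender_ip):
    """Check the connecting server's IP against the ip4/ip6 mechanisms of an SPF record."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    ip = ipaddress.ip_address(sender_ip)
    for mech in parts[1:]:
        qualifier = "+"  # an unprefixed mechanism means 'pass' when it matches
        if mech[0] in QUALIFIERS:
            qualifier, mech = mech[0], mech[1:]
        name, _, arg = mech.lower().partition(":")
        if name == "all":  # catch-all: '-all' means fail, '~all' means softfail
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # record ended without an 'all' mechanism

def parse_dmarc(txt):
    """Parse the 'tag=value;' pairs of a DMARC record into a dict."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') also allows subdomains."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if auth_domain == from_domain:
        return True
    return mode != "s" and auth_domain.endswith("." + from_domain)

def dmarc_disposition(dmarc, from_domain, spf, spf_domain, dkim, dkim_domain):
    """Deliver normally if SPF or DKIM passes with an aligned domain; otherwise apply the p= policy."""
    spf_ok = spf == "pass" and aligned(spf_domain, from_domain, dmarc.get("aspf", "r"))
    dkim_ok = dkim == "pass" and aligned(dkim_domain, from_domain, dmarc.get("adkim", "r"))
    return "deliver" if spf_ok or dkim_ok else dmarc.get("p", "none")
```

A spoofed message that passes SPF for the spoofer's own domain still fails DMARC, because SPF alone is not enough: the authenticated domain must align with the From: domain.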
The fourth email control is multi-factor authentication (MFA) for webmail. MFA will prevent 99.9% of email compromise attacks.
2. Internal security controls. There are 19 internal security controls that you should have in place.
The first one is multi-factor authentication (MFA) for cloud applications, your VPN, your remote desktop connections, and your system administrator accounts.
The 2nd control you should have is data encryption. For example, the storage on your laptops, desktops, servers, and mobile devices should be encrypted. Suppose any of these storage devices get lost or stolen. In that case, the data on them cannot be read by a cybercriminal, and you will avoid a data breach and a multimillion-dollar fine if you are in a regulated industry. It is important to note that when your computer or mobile device is turned on and unlocked, the storage is decrypted so that you can read your files. If your computer, mobile device, or file server gets hijacked by cybercriminals while it is in that state, they can transfer the readable files to their own systems and attempt to extort money from you.
This leads me to the 3rd security control that you should have. It is what we call a data loss prevention (DLP) system. With DLP, you can further encrypt your files so that if they get exfiltrated by cybercriminals, they will not be able to read them on their computer systems.
The 4th control you should implement is next-generation antivirus (NGAV). NGAV is better than the previous generation of (legacy) antivirus programs because it can recognize viruses it has never seen before. NGAV recognizes the malicious behavior of a virus rather than relying on a known signature. When it sees a virus attacking your computer, NGAV will block it. Legacy antivirus is like the flu vaccine. Every year, there is a new vaccine because the flu virus mutates. Even if you get a flu shot every year, you may not be protected against the latest flu strain because the vaccine may not recognize a newer virus strain. Similarly, legacy antivirus cannot stop viruses it has never seen before.
The 5th control we recommend is endpoint detection and response (EDR). EDR is a tool designed to detect and investigate suspicious activities on your computers and mobile devices. It is super important to have EDR in place to find out as soon as possible when someone breaks into your systems. Organizations without EDR are finding out that they have been breached nine months later on average.
The 6th internal control you need is application whitelisting. This system is designed to keep a list of software authorized to run on your computer systems. Anything that is not on that list will not be allowed to run. Suppose that a ransomware gang compromises one of your software vendor’s applications. Next time you update that application, the ransomware gang will be in your system. When they try to run the software to encrypt your files, it will not be on the list of authorized applications, and it will not run. We saw the effectiveness of Application Whitelisting back in July 2021 during the Kaseya supply chain ransomware attack. Companies that used Kaseya VSA software and had application whitelisting deployed did not get their files encrypted.
The 7th internal security control is privileged account management (PAM) software. PAM helps you manage and audit your system administrator accounts. It protects the system administrator passwords by rotating them frequently and not displaying them to your system administrators. It will alert you if someone logs in to your systems as a system administrator when your system administrators are not working.
The 8th control is a hardened baseline for your servers, laptops, desktops, and mobile devices. Most hardware and software systems ship in an open and insecure configuration. You should change the default security settings according to your business needs before you put them into production to reduce the attack surface.
The 9th control is an automated hardware and software inventory tracking system. It will help you identify systems that are no longer supported and are not getting security updates.
The 10th control is standard user accounts for non-IT users. Only your IT department should be able to install applications or make changes to your computer systems. Otherwise, your non-IT users will be unwittingly introducing malware into your network. Many software downloads such as freeware, web browser extensions, cracked software, and printer and other device drivers have been tainted with viruses and trojans. Non-IT users are not trained to verify that the software they are downloading is free from malware.
The 11th control is security patch updates. Ideally, your systems should get security updates installed within one to three days after an update is released.
The 12th control is the segregation of end-of-life or end-of-support software. If a software vendor no longer maintains an application that you must keep in production, it should be segregated from your network.
The 13th control is protective DNS (PDNS). PDNS blocks access to malicious websites and unwanted web content.
The 14th control is endpoint application isolation and containment technology. This technology puts your applications in separate containers. If one application gets hijacked, the remaining applications will be safe. For example, your web browser can be isolated in its own container running in the cloud. From your point of view, the web browser looks like it is running on your computer, but it is not. It is being streamed down to your computer from the cloud. It is like watching movies on Netflix or Amazon Video. The video processing is happening in the cloud, and the movies are displayed on your computer, mobile device, or TV. When you visit a website that has been compromised or click on an ad that is configured to hijack your computer, the malware only affects the web browser in the cloud. The malware cannot make the jump to your computer.
The 15th control is disabling Microsoft Office macros by default. Otherwise, your company will be hacked when a user opens a Microsoft Office file that contains a macro configured to run automatically. Microsoft recently started disabling Microsoft Office macros that come from the internet. However, users can override that setting and still run macros. We recommend implementing a system security policy that prevents end-users from enabling these macros unless there is a business reason why you need to run them.
The 16th control is to follow the PowerShell best practices recommended by Microsoft in its Environment Recommendations. You want this security control because PowerShell is one of the favorite tools that cybercriminals use to take over your entire computer network once they hijack one of your computers.
The 17th control is a Security Information and Event Management (SIEM) system. This system collects the security events recorded by your desktops, laptops, servers, firewalls, network switches, wireless access points, etc. A SIEM allows your security team to identify and investigate suspicious activities happening in your computer network. The SIEM works in connection with EDR.
The 18th security control is a Security Operations Center (SOC). The SOC is staffed by security analysts using EDR and SIEM to find out if your computer network has been breached. Without someone auditing your network.
Finally, the 19th security control is third-party penetration testing. You want an independent cybersecurity team testing your cybersecurity defenses every month to find out if they are working as expected or if you need to tweak them to detect the latest forms of attack.
3. Backup and recovery policies. You should have three backups of your data. The first copy should be onsite on a system that is independent of your company’s domain, with different login credentials. The second backup copy should be with a cloud provider. The third backup copy should be kept either offline or as an immutable copy. For cloud applications, we recommend you have cloud-to-cloud backups. Your backups must be encrypted and protected by MFA. You should have a system for testing the restoration of your backups at least every month. In addition to backups, you should replicate your servers to another data center so that you can recover them quickly in the event of a disaster.
4. Phishing controls. You should provide security awareness training to your team at least once a year, and conduct simulated phishing attacks to find out who needs additional training. Your finance team should have a wire transfer or electronic payment protocol to validate the requests for payments. Keep in mind that cybercriminals can modify the ACH information on the invoices that you receive from your vendors, send spoofed emails requesting a wire transfer, and even call you over the phone using DeepFake technology pretending to be your CEO or CFO. For help in answering the security control questions in a cyber liability insurance application, send your application to [email protected]. We will help you review your cybersecurity posture and answer those questions for you. If you are missing any of these controls, we will help you choose and implement the right solution for your company.
Dedicated to your cybersecurity,