Unlocking the Cybersecurity Insurance Questionnaire
OR Insurance. Why does it always have to be insurance?
Congratulations! Your company survived whatever the heck you call the last two years. So, the storm isn’t over, but you made it this far, and you are well on your way to finding that treasure of financial success. Then, your insurance agent sends a questionnaire to renew your cybersecurity policy. It looks like hieroglyphics or a code created by a famous Renaissance painter, but you don’t need the sun and a gold medallion to unlock this mystery.
Why Me? – It’s not just you. It’s the industry. Chew on this – Cybercrime is the world’s third-largest economy. Now inside that, every ransomware attack costs businesses (or the insurance company) an average of $150,000. Do the math on your premium and realize the insurance industry is hemorrhaging cash.
Why Now? – This is a tourniquet to force companies to legally confirm they are doing all they can to prevent cybercrime. When you fill out the questionnaire, it is a legally binding document. If you’ve been hit with ransomware or hacked and the insurance company determines in their investigation you weren’t completely honest, your coverage will be dropped, and you will be left holding the bag and the ransom note.
Grab your whip and fedora as we bolt down the deep volcanic mine of the typical questionnaire.
Personally Identifiable Information (PII) – This qualifies as anything that can be used in part or alone to identify an individual or a company. This could be a name, social security number, tax ID, email, phone number, or DNA. All of the information MUST be kept in a secure location and preferably encrypted.
Multi-Factor Authentication – MFA prompts you to confirm your identity when you log in. This is typically done through a text, email, or application on your phone. All logins should have MFA enabled.
Block Unnecessary Outbound Connections – Did I say “outbound?” Yes, just because you have a firewall that blocks all incoming traffic doesn’t mean you’re safe. By blocking unnecessary outbound traffic, you limit the exposure to shady web pages, drive-by downloads, and malware/ransomware calling home. The most secure companies keep a whitelist of sites and IP addresses permitted for outbound traffic, and all else is blocked.
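One way to express that “whitelist and block all else” rule on a Linux host, as an added example that is not from the original post: a small script that turns an allowlist of destinations into an nftables egress ruleset with a default-drop output chain. The allowlist entries, table name, and log prefix are constructed samples.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset that drops all outbound
# traffic except connections to an explicit allowlist of destinations.
# The allowlist below is a constructed sample; replace with your own.

# Allowlist format, one entry per line: "<ip-or-cidr> <proto> <port>"
ALLOWLIST='203.0.113.10 tcp 443
198.51.100.0/24 tcp 443
192.0.2.53 udp 53'

# gen_outbound_ruleset prints an nftables ruleset to stdout.
# The output chain policy is drop; only loopback, return traffic for
# established connections, and the listed destinations are accepted.
# Everything else is logged (so you can see what you broke) and dropped.
gen_outbound_ruleset() {
  printf 'table inet egress {\n'
  printf '  chain output {\n'
  printf '    type filter hook output priority 0; policy drop;\n'
  printf '    oif lo accept\n'
  printf '    ct state established,related accept\n'
  printf '%s\n' "$ALLOWLIST" | while read -r dst proto port; do
    [ -n "$dst" ] || continue
    printf '    ip daddr %s %s dport %s accept\n' "$dst" "$proto" "$port"
  done
  printf '    log prefix "egress-drop: " counter\n'
  printf '  }\n'
  printf '}\n'
}

# count_allow_rules prints how many destination accept rules were emitted,
# a quick sanity check that every allowlist line became a rule.
count_allow_rules() {
  gen_outbound_ruleset | grep -c 'ip daddr'
}

# Usage: gen_outbound_ruleset > /etc/nftables.d/egress.nft
#        nft -f /etc/nftables.d/egress.nft
```

Run it in audit mode first (swap `policy drop` for `policy accept` and watch the `egress-drop:` log lines) so you learn which legitimate destinations you forgot before anything gets blocked.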
Written physical and network security policy – This is a big one and the most commonly overlooked. The physical and network security policy for a small company may only be a page, but it must be in writing, and all employees and vendors must agree to comply with the policy in writing.
Disaster Recovery and Business Continuity Plan – Most companies don’t want to think about this, but insurance companies live for it. You must have a written, itemized plan of how your organization will continue running in the event of a disaster. It could be relocating your building to another state or the intern accidentally deleting the accounting database. Either way, you must have a written plan.
Data Retention and Destruction Plan (electronic and physical) – This requirement ensures that your organization has a written plan for securely deleting and destroying both electronic and physical data once it is no longer needed. This includes shredding physical documents but also securely deleting files and physically destroying media, such as hard drives, tapes, and USB keys.
Written Data Breach Response Plan – What happens if the unthinkable happens? You need to explain, in painful detail, how you will mitigate the breach and limit exposure. You may not be able to do anything except alert your clients, employees, and vendors of the breach, but you must have a plan.
Employee Controls – Criminal and credit checks, restricted access to PII (there is that term again), termination policies, and training ensure your employees aren’t inside agents and don’t unwittingly become one. Social engineering seeks to pull information and access from the inside. Kevin Mitnick, a world-famous hacker from the 80s and 90s, said it best, “it’s easier to manipulate people rather than technology.” Right on, Kevin. Make sure your employees know what social engineering looks like and how to avoid it.
Third-party Vendors – Strangely, some organizations trust vendors wholeheartedly. Vendors may provide services that employees can’t, but they should have fewer permissions and stronger connection requirements. Far too many data breaches have occurred due to weak vendor controls. Do you remember that, Home Depot?
Cyber Security Awareness and Privacy Training – Remember how I keep saying that training is one of the big keys to cybersecurity? It’s true. Insurance requires that you train yourself, your staff, and even your vendors on security and privacy awareness.
Vulnerability Assessment, Penetration Test, and/or Network Security Assessments – Everyone, whether for insurance or regulatory compliance, requires companies to have an external penetration test and an internal network security or vulnerability assessment completed regularly. This test allows a qualified agent to look at your systems through the eyes of a potential threat actor to find vulnerabilities. Once found, holes are patched before an actual threat can exploit them.
Designated Security and Compliance Manager – Who is the person responsible for cybersecurity in your organization? It can be an outsourced company or your most senior technical person, but you must have someone who can answer the tough questions.
Backup valuable/sensitive data daily – Sure, IT says they do, and the little notification says your systems are backed up, but are you sure? Don’t just close your eyes and guess. The only way to know is to restore and confirm. That is the next question. When they ask specifically how long it takes to fully restore the system, you won’t have to lie!
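Here is what “restore and confirm” looks like in practice, as an added example rather than anything from the original post: a script that restores a tar archive into a scratch directory, compares a checksum manifest of the live data against the restored copy, and reports how long the restore took (the number the questionnaire asks for). It assumes GNU coreutils (`sha256sum`, `find -print0`) and uses a constructed sample dataset as a stand-in for the accounting database.

```shell
#!/bin/sh
# Added example: prove a backup is restorable instead of trusting the
# "backup OK" notification. Assumes GNU coreutils (sha256sum, sort -z).

# manifest_of DIR: prints "checksum  relative-path" for every file under
# DIR, sorted, so two identical trees produce byte-identical manifests.
manifest_of() {
  ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 sha256sum )
}

# verify_restore ARCHIVE SOURCE_DIR: restores ARCHIVE into a temp dir and
# returns 0 only if every restored file matches SOURCE_DIR. Prints the
# restore time to stderr; that is your real "time to fully restore".
verify_restore() {
  archive=$1; src=$2
  scratch=$(mktemp -d) || return 2
  start=$(date +%s)
  tar -xf "$archive" -C "$scratch" || { rm -rf "$scratch"; return 2; }
  echo "restore took $(( $(date +%s) - start ))s" >&2
  if [ "$(manifest_of "$src")" = "$(manifest_of "$scratch")" ]; then
    rm -rf "$scratch"; return 0
  fi
  echo "MISMATCH: restored data differs from source" >&2
  rm -rf "$scratch"; return 1
}

# make_sample_data DIR: constructed stand-in for the accounting database.
make_sample_data() {
  mkdir -p "$1/ledger"
  printf 'acct,balance\n1001,250.00\n' > "$1/ledger/q1.csv"
  printf 'acct,balance\n1001,310.00\n' > "$1/ledger/q2.csv"
}

# Usage:
#   make_sample_data /tmp/live
#   tar -cf /tmp/live.tar -C /tmp/live .
#   verify_restore /tmp/live.tar /tmp/live && echo "backup is restorable"
```

A mismatch means either the archive is stale or something changed after it was taken; either way, that is the moment to find out, not after the ransomware note arrives.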
Data encryption at rest, in transit, and on mobile, detachable devices – Data should always be encrypted. I recommend encrypting every piece of media, whether a USB drive or the hard drives in laptops and servers. All communications between devices must be encrypted as well. That means any open port on any device that allows connections that are NOT encrypted must be closed. Printers are the biggest culprit, as they come out of the box built for convenience. Nearly all have FTP enabled by default with no password!
Physical Security – Door locks, surveillance, access control cards, and a security guard are great. But signs are one of the most overlooked deterrents. Legally, unless you have posted that your building door is for “Employees Only,” anyone can walk in. There have been so many ridiculous criminal cases thrown out because the organization didn’t have physical signs or electronic banners identifying entry points or computers as private property.
Wire Transfers and other electronic/bank fraud – Municipalities and businesses have lost BILLIONS to bank account change scams, fake invoices, disconnect threats, and, in the most amusing cases, someone pretending to be the CEO. Even a one-person company needs to have a checklist of safeguards to prevent unauthorized money transfers. Lesson 1 – no legitimate organization accepts gift cards as payment. Always contact the company through a publicly listed phone number to confirm the request. Never, EVER, give out your credit card or bank information on a phone call. A legitimate creditor will wait for you to confirm. Don’t be afraid to hang up!
The insurance questionnaire can feel like a boulder hurtling toward you, and if you do nothing, it will leave you flat. Don’t panic! If ever in doubt, reach out to a true cybersecurity specialist for help. It may be the wake-up call you need to fully secure your organization.