Businesses can qualify for Cyber Insurance by putting a few basic practices in place. Depending on the size of your business – and your industry’s likelihood of filing claims – the qualifications can be a little more stringent.
As specialists in Cyber Insurance, we help our clients identify the front end protections that are needed to qualify for coverage. Once we’ve identified your front end needs, we then act as an intermediary to negotiate eligibility and costs with insurance companies.
The Basic Front End Protections You Need
To qualify for Cyber Insurance, you’ll need a few basic protections in place. These include:
- Multi-Factor Authentication (MFA)
MFA must be in place on any critical systems, including email and remote network access, and for anyone with admin rights or access to critical systems.
- Endpoint Detection and Response (EDR)
EDR is a type of cyber security that continuously monitors end-user devices to detect and respond to cyber threats, such as malware and ransomware.
- Regular Backups of Critical Information
Backups must be performed at least weekly (but ideally on a continuous basis) to the cloud or another remote access service that is not on your network.
- Funds Transfer Verification
On monetary transactions in excess of a certain amount – usually somewhere between $5,000 and $25,000 – multiple verifications should be made to ensure the funds are going to the right place. Verification could include an outbound call to your contact, two or more employees signing checks, or other transfer protections in place with your banking institution.
All of these protections are needed because any single one can be bypassed more easily than several together. Having them all in place makes it much more difficult for hackers to get past your defenses. Often, they’ll go look for easier targets, which would prevent attacks against you in the first place.
When the Basics Aren’t Enough to Qualify for Cyber Insurance
While many small businesses can obtain Cyber Insurance with the basic levels of protection noted above, more complicated risks require a more proactive approach.
Some examples of when higher levels of protection are needed:
- Anyone dealing with significant amounts of Personally Identifiable Information (PII)
The typical dividing point is around 100,000 individual PII records. And it’s important to remember that PII records aren’t limited to Dates of Birth or Social Security Numbers. If you have that many records, even information limited to just names and email addresses could be very costly if you suffer a data breach.
- Detailed PII Records
If you’re dealing with medical records (and/or are subject to HIPAA regulation), or hold dates of birth, social security numbers, addresses, etc., these are highly valuable pieces of information and you may have more significant risks to protect against.
- Intellectual Property and Privileged Client Information
Think attorneys, engineers, and management consultants. Even if you don’t have a high quantity of these types of records, losing them in a data breach could put your entire business in jeopardy without the right coverage in place. A good example of this is Trade Secrets. Trade Secrets can have real, significant value – the loss of these could put your client out of business, and who are they going to blame?
- Where Your Business Income is Reliant on Limited Down Time
Think of a manufacturing plant that gets attacked by Ransomware. Modern operations are reliant on automation, which can be stopped with no warning following an attack. This can result in both damage to your equipment and a loss of income – time is money, after all.
More Complicated Risks Require Significant Levels of Protection
In these instances, having MFA, EDR, and a good Backup plan won’t get you coverage. You’ll need to show the underwriters at insurance companies things like:
- Your Employee Training Program
- Penetration Testing Results
- SOC Audits
- The ability to restore operations in less than 8 hours following a cyber attack
Yes, these are costly measures, but in the world we live in they are the cost of doing business. Investing in these protections is often not just necessary, but provides a competitive advantage against those who aren’t doing them.
How Can We Help You Protect Your Business?
The first thing to recognize is that it doesn’t start with insurance – a good cyber insurance policy is the financial backstop to things that eventually get through, which is why it’s important to start with a baseline risk assessment.
Let’s identify the exposures you have and how you’re protecting them now. Then let’s assess where the true risk lies. Implementing the right protections will help keep the vast majority of attacks from occurring.
By doing this work first, our clients benefit from the ease of getting the right insurance in place without the hassle that many businesses endure every year at renewal. Through our transparent and collaborative approach, we open the lines of communication to get underwriters investing in writing your business at a cost point that everyone can live with.
For more information, please reach out to us at contact@stillwellriskpartners.com, or schedule an initial call with us.