Cybersecurity Insurance Coverage [10 Areas to Consider Before You Have to Make a Claim]

Written by Justin Headley CISSP, CISA on January 21, 2021

In an increasingly technology-driven world, organizations—now more than ever—have sensitive company or customer information that’s accessible to the outside world on the internet or via the cloud.

Insurance is a long-established and effective way to mitigate growing risk.

Many industry-leading insurers now offer cybersecurity riders to a business's umbrella or general liability policy.

What Businesses Should Know About Cybersecurity Insurance Coverage Before You Need to Make a Claim

Cybersecurity insurance coverage can be invaluable to companies and can help provide indemnification for many cyber events, such as data breaches, ransomware, data recovery and liability issues that may arise from these attacks.

However, purchasing cybersecurity insurance coverage alone with no additional internal control evaluation can provide companies with a false sense of security.

Oftentimes, to be eligible for the full benefits of a cybersecurity insurance claim, insurers require that their customers have implemented sound information technology controls to support proper cyber due diligence.

If your company hasn’t done its proper cyber due diligence, your cybersecurity insurance coverage may not protect you as much as you might think.

Below are 10 of the most common areas that cybersecurity insurance providers may examine, when you apply for coverage or make a claim, to assess how well your company has addressed its due diligence obligations:

1: Security Awareness Training

Employees are often an organization’s greatest asset, but they can also be the weakest link during an attempted cyber attack.

An organization’s efforts to build a strong security architecture can easily be thwarted by an employee failing to recognize a social engineering email. During a social engineering attack, employees may fall prey to phishing emails that lure them into clicking on links with malicious intent or providing network credentials to outsiders.

Therefore, it’s critical that a company’s end users be trained often on security awareness and cybersecurity topics, including social engineering testing.

With or without cybersecurity insurance coverage, regular security awareness training for your end users is often one of the best ways to spend resources to help improve an organization’s ability to prevent a cyber attack.

2: Remote Access

Does your organization allow employees to work remotely or perhaps have third-party vendors who provide support functions remotely? Your cybersecurity insurance coverage may state that proper controls should be established to define how those individuals can remotely access your network.

Virtual Private Network (VPN) tools are the most common method of allowing someone outside your organization to connect to internal resources in near real-time. Remote users should be forced to log in using their network credentials with complex passwords that expire periodically.

In addition, multi-factor authentication (MFA) is essential for all remote users. After submitting a valid username and password, MFA challenges a user to input information from a key or token (either physical or digital) as an additional measure of verifying the user’s identity.

3: Anti-Virus/Anti-Malware

The most basic of technology protections, anti-virus and anti-malware software, is still a key defense mechanism in an organization’s security plan. Assessing your company’s antivirus software is an essential part of your due diligence for your cybersecurity insurance coverage.

In news headlines, we often become overwhelmed with zero-day attacks, in which no known protections exist. While these kinds of attacks are always a concern, the majority of virus and malware attacks come in the form of known signatures that already exist in protection software.

The best anti-virus and anti-malware companies automatically update their products daily with the latest definitions to help protect their customers.

When evaluating and implementing these products, companies should ensure that the software in place allows central management of all of the company’s computers and servers and can allow scans to be scheduled and updates to run at designated times.

4: Patching

In a perfect world, a company’s installed software and applications would never need any updating. However, hackers are constantly on the prowl searching for new vulnerabilities within software.

As a result, we must prioritize the vulnerability scanning and patching process.

Many vulnerability scanning tools are available, which comb through a network searching for potential vulnerabilities and exploits within software.

Unpatched, outdated or unsupported software is the equivalent of leaving the front door of your home open, and it provides an easy entry point into an organization for malicious users.

5: Monitoring

Monitoring is also likely a key due diligence item when it comes to your cybersecurity insurance coverage.

While network security tools can be extremely effective, without proper configuration and monitoring of their output their effectiveness is greatly diminished. Using the network tools already in place, IT personnel should ensure their output logs are reviewed periodically for suspicious activity or anomalies.

These logs can help to constantly improve a tool’s effectiveness by fine-tuning the thresholds of what is considered to be acceptable within your environment.

In addition, alerts from network security tools should be configured to notify IT personnel of potential security events.
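The periodic log review and threshold tuning described above can be scripted. The following is an added example, not code from the original article: it parses a few constructed syslog-style SSH authentication lines, raises an alert when one source address accumulates a configurable number of failed logins inside a sliding time window, and notes whether a successful login followed the burst (the case a reviewer most wants surfaced). The log lines, the `threshold` and `window` parameters, and the alert format are all assumptions made for illustration.

```python
"""Periodic review of authentication logs with a tunable alert threshold."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for illustration; not real data.
SAMPLE_LOG = """\
2021-01-20T09:00:01 sshd[1201]: Failed password for alice from 203.0.113.5 port 51122 ssh2
2021-01-20T09:00:04 sshd[1201]: Failed password for alice from 203.0.113.5 port 51123 ssh2
2021-01-20T09:00:07 sshd[1201]: Failed password for root from 203.0.113.5 port 51124 ssh2
2021-01-20T09:00:09 sshd[1201]: Failed password for admin from 203.0.113.5 port 51125 ssh2
2021-01-20T09:00:12 sshd[1201]: Failed password for bob from 203.0.113.5 port 51126 ssh2
2021-01-20T09:00:15 sshd[1201]: Accepted password for bob from 203.0.113.5 port 51127 ssh2
2021-01-20T09:30:00 sshd[1202]: Failed password for carol from 198.51.100.7 port 40001 ssh2
2021-01-20T09:31:00 sshd[1202]: Accepted publickey for carol from 198.51.100.7 port 40002 ssh2
"""

# Matches the constructed line shape: timestamp, sshd tag, result, user, source address.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(log_text):
    """Turn raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Alert on any source with >= threshold failed logins inside a sliding window.

    threshold and window are the tunable values the article refers to; raise them
    if the environment produces too many benign alerts, lower them if attacks slip by.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits inside `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = fails[start:end + 1]
                last_fail = burst[-1]["ts"]
                # A success from the same source after the burst deserves priority review.
                success_after = any(
                    e["result"] == "Accepted" and e["ts"] >= last_fail for e in evs
                )
                alerts.append({
                    "src": src,
                    "failures": len(burst),
                    "users": sorted({e["user"] for e in burst}),
                    "first": burst[0]["ts"].isoformat(),
                    "last": last_fail.isoformat(),
                    "success_after_burst": success_after,
                })
                break  # one alert per source per review run
    return alerts


def review(log_text, threshold=5, window_minutes=5):
    """Convenience wrapper: parse then evaluate with the given tuning values."""
    return find_bruteforce(parse(log_text), threshold, timedelta(minutes=window_minutes))


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

Running the script against the sample lines yields one alert for 203.0.113.5 (five failures across four usernames in eleven seconds, followed by an accepted login), and none for 198.51.100.7, whose single failure is normal user behaviour. Re-running with `threshold=10` yields no alerts, which is the kind of threshold adjustment the article describes; the right value depends on the environment's own baseline.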

6: Acceptable Use of Company Resources

In addition to strong information technology controls, organizations should ensure employees and vendors are required to periodically acknowledge an understanding of acceptable use of company resources.

This most often takes place during the new-hire process, but it can also be acknowledged annually.

A typical acceptable use agreement contains guidelines around password management, computer and internet usage, the proper use of email, encryption of sensitive information and social media usage, etc.

7: Access Control

When granting access to your network and critical applications, organizations should always employ the least privilege principle. This is the idea that users should only be given the bare minimum rights to a network or application in order to perform their job functions.

To enforce proper access control and the principle of least privilege, logical access reviews of the network and applications should be performed at least quarterly to ensure the access granted is appropriate.

Logical access reviews also assist with identifying and cleaning up accounts belonging to terminated users that are no longer needed.
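A quarterly logical access review boils down to reconciling three sources: who HR says is employed and in what role, which accounts exist and are enabled, and which entitlements each account actually holds. The following is an added example, not code from the original article or from any vendor tool. It works over constructed sample data (an HR roster, an account list and a per-role entitlement baseline) and reports the three finding types a reviewer looks for: enabled accounts of terminated users, orphan accounts with no HR record, and accounts holding groups beyond their role's baseline (a least-privilege violation). The field names, role baselines and sample users are assumptions made for illustration.

```python
"""Quarterly logical access review: reconcile accounts and entitlements against HR."""
from collections import Counter
from datetime import date

# Constructed sample data for illustration; not from any real system.
HR_ROSTER = [
    {"employee_id": "E100", "username": "alice", "status": "active",
     "role": "accountant", "term_date": None},
    {"employee_id": "E101", "username": "bob", "status": "terminated",
     "role": "engineer", "term_date": date(2020, 11, 30)},
    {"employee_id": "E102", "username": "carol", "status": "active",
     "role": "hr_analyst", "term_date": None},
]

ACCOUNTS = [
    {"username": "alice", "enabled": True, "groups": {"finance_users", "domain_admins"}},
    {"username": "bob", "enabled": True, "groups": {"dev_users"}},
    {"username": "carol", "enabled": True, "groups": {"hr_users"}},
    {"username": "svc_backup_old", "enabled": True, "groups": {"backup_operators"}},
]

# Least-privilege baseline: the groups each role needs to do its job, and nothing more.
ROLE_BASELINE = {
    "accountant": {"finance_users"},
    "engineer": {"dev_users"},
    "hr_analyst": {"hr_users"},
}


def review_access(roster, accounts, baseline, as_of):
    """Return one finding per enabled account that fails the review."""
    by_user = {r["username"]: r for r in roster}
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are out of scope for this check
        person = by_user.get(acct["username"])
        if person is None:
            findings.append({"username": acct["username"], "issue": "orphan_account",
                             "detail": "no matching HR record"})
            continue
        if person["status"] == "terminated":
            days = (as_of - person["term_date"]).days
            findings.append({"username": acct["username"], "issue": "terminated_user_enabled",
                             "detail": f"terminated {days} days ago"})
            continue
        # Anything outside the role baseline is excess privilege to be justified or removed.
        excess = acct["groups"] - baseline.get(person["role"], set())
        if excess:
            findings.append({"username": acct["username"], "issue": "excess_privilege",
                             "detail": sorted(excess)})
    return findings


def summarize(findings):
    """Count findings by issue type, which is what the sign-off report usually needs."""
    return dict(Counter(f["issue"] for f in findings))


if __name__ == "__main__":
    results = review_access(HR_ROSTER, ACCOUNTS, ROLE_BASELINE, date(2021, 1, 21))
    for f in results:
        print(f)
    print(summarize(results))
```

On the sample data the review flags alice for holding `domain_admins` beyond the accountant baseline, bob as a terminated user whose account is still enabled, and `svc_backup_old` as an orphan with no HR owner; carol's access matches her role and produces no finding. In practice the roster and account lists would come from the HR system and the directory export, and each finding would be tracked to remediation or a documented exception before the review is signed off.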


8: Change Management

Your cybersecurity insurance coverage may state that all of the changes made to your most critical applications have been reviewed, vetted and approved.

While it can vary depending on the levels of software development taking place, changes to an application should be formally requested in a change request form, approved by an appropriate level of management, tested and pushed into production by independent personnel.

9: Network Topology and Segmentation

There’s a saying in the Information Technology industry: “You can’t protect what you don’t know about.”

Network topology and the inventorying of IT assets play a critical role in how an organization identifies key systems and the plan to protect them. Network topology and asset inventory can be a daunting task when performed manually.

However, there are multiple industry-leading tools available, which combine this functionality for a more automated solution.

Segmentation, while somewhat technical, also is essential to a strong security posture. Proper segmentation of a network allows specific areas to be restricted to a subset of employees.

For example, segmenting the Human Resources information from the rest of the company provides an easier way to restrict access to appropriate employees. This also helps to protect your business from inside and outside attempts to gain access to sensitive information.

10: Periodic Security Assessments

Periodic assessment of an organization’s security posture is one of the most effective methods to determine the readiness to effectively detect and respond to a cyber attack.

Partnering with an independent third-party organization to periodically assess and test your controls helps to identify control gaps and inefficiencies in your IT practices as well.

Security assessments should be performed at least annually and will typically include an IT controls assessment against an industry best-practice methodology (NIST, COBIT, etc.), vulnerability scanning of your internal assets and penetration testing to simulate an actual attack.

Learn More About Due Diligence Concerning Cybersecurity Insurance Coverage

While the due diligence information required will vary depending on your specific cybersecurity insurance coverage, these items provide a baseline for evaluating your own security posture.

Have open conversations with your insurance representative periodically to ensure you are covering all necessary areas. Implementation of those controls and a periodic assessment of their effectiveness will help to make sure your organization is covered and able to appropriately respond to cyber attacks.
