Why MSPs are The Secret Weapon in Cyber Insurance Policy Compliance for SMBs
As a Managed Service Provider (MSP), we understand the complex requirements that businesses face to remain in compliance with their Cyber Insurance Policy. Insurance companies require their customers to comply with an ever-growing list of requirements, and failure to do so can have serious consequences, most commonly being dropped by the insurer or having claims rejected.
Meeting the requirements can be a daunting task for many businesses, especially those without dedicated IT staff or those who lack the expertise required to navigate the complex world of cybersecurity compliance. That’s where we come in. At Network Security Associates, we can help businesses fast-track and stay compliant with their Cyber Insurance Policy in several ways:
Conducting a Thorough Review of Requirements
The first step in staying compliant is understanding where your business stands in terms of your issuer’s requirements. We can conduct a comprehensive cybersecurity assessment that identifies gaps between what the insurance company wants and what has already been implemented. We will also make recommendations on any potential gaps we see beyond the requirements of the policy document. After this review you will have a list of items that need to be created or sourced.
What Are The Requirements for Cyber Insurance?
Each carrier is going to have different requirements based on their own experiences. Below are the common things we see asked.
Sensitivity of Information Stored: There will usually be several questions digging into the types of information stored. Is there medical patient information that is going to fall under HIPAA requirements? Is there credit card information or other personally identifiable information such as Social Security numbers and driver’s license numbers? Or is there less sensitive information such as order history?
Written Policies and Procedures: This one is a big one. When formal policies exist, AND ARE WRITTEN DOWN, it is usually a sign that the company is more mature in its cybersecurity practices. Some common areas for policies include outlining who gets access to information and when, what behavior is acceptable on company systems, and so on. Procedures offer a consistent way to execute policies. A big one here is employee onboarding and offboarding procedures. Usually, the carrier will not go into much detail on which policies exist, but will rather ask that they do. There can be an expectation that they align with a common cybersecurity framework, such as NIST CSF.
Network Firewalls: Carriers expect a business-grade firewall, such as those from Fortinet or Arista. These firewalls include advanced anti-malware technology and features not found on consumer-grade equipment.
Anti-Virus (AV): Each device on the network is going to need anti-virus. Nothing new here.
Endpoint Detection and Response (EDR): Sometimes labeled as next-gen antivirus, EDR looks deeper than antivirus does at behaviors and uses machine learning to check these behaviors against a baseline of normal activity. There can be a large overlap between AV and EDR. We still see carriers ask about them individually and treat them as a layered approach.
Managed Detection and Response (MDR): This solution adds people into the mix: highly specialized security analysts who put human eyes on alerts raised by AV, EDR, logs and sometimes their own proprietary software.
Multi-Factor Authentication: MFA adds an additional step to your logins in order to prevent the use of stolen or easily guessed passwords. This is especially critical on cloud services. Most carriers also require that it be enabled for administrative-level accounts on servers and other critical systems even if they are not exposed to the outside.
Backups: Who would have guessed backups would be on this list? Backups are king. You will be asked to have onsite and offsite backups. Immutable (undeletable) storage is strongly encouraged. At minimum, there need to be layers of separation between the two backups so that if one is compromised, the other has to be separately compromised as well.
Security Awareness Training: Both Employees and Executives need to be trained on how to identify red flags and potential threats. In addition to this training, you are usually required to test the effectiveness of it by sending simulated attacks and shoring up any weaknesses found in staff’s understanding.
Application Whitelisting: This means only applications explicitly allowed to run are able to run. The idea is that if things are blocked from running in the first place, malicious apps won’t have to be found and stopped after they’ve had a chance to gain momentum. It’s a very effective layer in any cybersecurity strategy, so it is not a surprise that carriers inquire about its use.
Email Security: With most attacks originating via email, a lot of emphasis is put here. Some common items will of course be anti-spam and anti-phishing, but also things like link scanning, banners on emails sent from outside the organization, and anti-spoofing.
Remote Access: Insurance companies hate remote access. By its nature it is easy to get wrong. They are going to want VPNs used or some form of IP whitelisting. MFA is going to be needed for the VPN logins, and the VPNs will need to be locked down to specific internal services. Restricting which countries can access the network is also becoming more common. For example, most businesses don’t have employees needing to access the network from Russia, so it makes sense to not allow connections from there to even be attempted.
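As an added example (not code from the original article or from Network Security Associates), the following Python script shows what a review of the anti-spoofing item under Email Security can look like in practice. It assumes, as is standard, that anti-spoofing is implemented through SPF and DMARC DNS TXT records, and it flags the settings that carriers and auditors most often find lacking: an SPF record ending in +all or with no all mechanism, more than ten DNS-lookup mechanisms, a DMARC policy of p=none, a partial pct, or no reporting address. The domains and records are constructed samples, and the DNS lookup itself is left out so the check runs offline.

```python
"""Sanity-check SPF and DMARC records for anti-spoofing posture (added example)."""
import re

# Constructed sample records for made-up domains; a real review would fetch the
# TXT records for <domain> and _dmarc.<domain> from DNS first (lookup omitted here).
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailhost.example +all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 include:_spf.mailhost.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; pct=100",
    },
    "nodmarc.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 ~all",
        "dmarc": None,
    },
}

# The terminal "all" mechanism with its optional qualifier (+ is the default).
SPF_ALL_RE = re.compile(r"^([+\-~?]?)all$", re.IGNORECASE)
# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 allows at most 10).
SPF_LOOKUP_RE = re.compile(
    r"^[+\-~?]?(include:|a$|a:|a/|mx$|mx:|mx/|ptr|exists:|redirect=)", re.IGNORECASE
)


def check_spf(record):
    """Return a list of weaknesses found in an SPF record (empty list means none)."""
    if not record:
        return ["no SPF record published"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["record does not begin with v=spf1"]
    findings = []
    qualifier = None
    for term in terms[1:]:
        match = SPF_ALL_RE.match(term)
        if match:
            qualifier = match.group(1) or "+"
    if qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders are neutral by default")
    elif qualifier == "+":
        findings.append("'+all' lets any sender pass SPF")
    elif qualifier == "?":
        findings.append("'?all' is neutral and gives receivers no signal")
    lookups = sum(1 for t in terms[1:] if SPF_LOOKUP_RE.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10 (permerror)")
    return findings


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return a list of weaknesses found in a DMARC record (empty list means none)."""
    if not record:
        return ["no DMARC record published"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["record does not begin with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid 'p' tag")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    else:
        pct = tags.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no 'rua' address: you receive no aggregate reports")
    return findings


def assess(records):
    """Map each domain to its SPF and DMARC findings."""
    return {
        domain: {"spf": check_spf(recs.get("spf")), "dmarc": check_dmarc(recs.get("dmarc"))}
        for domain, recs in records.items()
    }


if __name__ == "__main__":
    for domain, result in assess(SAMPLE_RECORDS).items():
        status = "OK" if not (result["spf"] or result["dmarc"]) else "GAPS"
        print(f"{domain}: {status}")
        for kind in ("spf", "dmarc"):
            for finding in result[kind]:
                print(f"  [{kind}] {finding}")
```

Run as-is, the script reports strong.example as OK, weak.example with two gaps (+all and p=none) and nodmarc.example with a missing DMARC record. The output is the kind of evidence that turns "do you have anti-spoofing?" on a questionnaire into a documented yes, with the specific record changes listed where the answer is no.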
Again, these are some of the more common requirements we’ve seen. There are others, such as web filtering, DNS filtering, accounting controls and password policies.
Staying compliant with a Cyber Insurance Policy is going to be an ongoing process. The solutions deployed will need to be monitored, and the policies and procedures updated to stay aligned with the company. Also, as new threats emerge, regulations will change and new best practices will be discovered. This will cause carriers to update their requirements. The good news is that staying compliant will truly do a lot to protect the business from ever needing to use the insurance. This is a win-win for everybody.
Comply or Goodbye: Navigating the Cyber Policy Minefield
As you can see, complying with a Cyber Insurance Policy can be challenging, but it’s absolutely crucial for businesses to avoid costly penalties or rejected claims. As an MSP, we can help businesses navigate the complex world of cybersecurity compliance by conducting a thorough assessment, implementing necessary changes, and providing ongoing support. With our expertise, businesses can have peace of mind knowing that they are always in compliance with their Cyber Insurance Policy and are protected against cyber threats. Don’t hesitate to contact us to learn more about how we can help your business stay compliant with its Cyber Insurance Policy.
We are not attorneys and we strongly recommend you have any contract or policies reviewed by a qualified attorney.