17 cyber insurance application questions you'll need to answer

Recent high-profile security incidents have tightened requirements to qualify for cyber insurance. These are the tougher questions insurance carriers are now asking.


I recently had to renew the cyber insurance policy for the office and it was interesting to see the evolution of questions asked over the years. At first, most of the cyber insurance questions involved basic computer security and merely checked to see if we had firewalls and antivirus and not much else. Now the questions suggest that insurance providers understand that network security includes much more than antivirus software. Answering the questions gave me an insight into the type of risks they were evaluating and the security processes that they expected us to perform.

Cyber insurance is a key need for many businesses. For many years, the insurance was easily available and underwriting review was negligible. The Colonial Pipeline ransomware attack and other recent ransomware incidents have made insurance underwriters ask hard questions about the security of our firms.

Following are some of the questions you'll need to answer when applying for cyber insurance. How would you answer them? Are you doing enough to ensure that you are insurable?

Do you perform regular backups and store them in a secure off-site location?

In this day and age of ransomware, having a proven method to restore data is a key way to ensure you can recover from an attack. Reportedly, during the recent Colonial Pipeline ransomware attack, the company still needed to restore from backup even after receiving the decryption key, because the decryption process was taking an excessive amount of time.

Do you limit remote access to all computer systems by using two-factor authentication?

I find this question interesting given the work-from-home functions that many of us have had to do during the pandemic. Clearly the insurance underwriters are aware of the risk of remote access and want to ensure that we have two-factor authentication (2FA) when using credentials outside of the office to remote into the firm.

How many PII records are held on your network?

This may be nearly impossible to calculate if you haven't taken the time to identify and categorize the information on your network. Personally identifiable information (PII) can be sensitive or non-sensitive. Sensitive personal information includes identifying details such as full name, Social Security number (SSN), driver's license, mailing address, credit card information, passport information, financial information, and medical records. You may need to adjust this list depending on your organization and what records you store on your network.
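Counting PII records is only possible once you can find them in your data. The following added example (not from the article) shows the kind of discovery pass an inventory starts from: it scans a few constructed sample records for SSN-shaped values, payment card numbers and email addresses, validates card candidates with the Luhn check so that order or tracking numbers are not miscounted, and tallies how many records contain sensitive PII. The record format, the sample text, and the decision to treat email addresses as non-sensitive are assumptions made for the illustration.

```python
import re
from collections import Counter

# Constructed sample records (assumption: one record per line, free text).
RECORDS = [
    "Jane Doe, SSN 123-45-6789, card 4111 1111 1111 1111, jane@example.com",
    "Order #20210615, tracking 1234567890123",
    "John Roe, SSN 000-12-3456, card 4111111111111112",
    "support@example.com opened a ticket",
]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

# Assumption for this example: email alone is non-sensitive; the
# categories below mirror the sensitive list in the article.
SENSITIVE = {"ssn", "card"}


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped strings that can never be issued (area 000, 666,
    900-999; group 00; serial 0000)."""
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def scan_record(text: str) -> set:
    """Return the set of PII categories found in one record."""
    found = set()
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            found.add("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            found.add("card")
    if EMAIL_RE.search(text):
        found.add("email")
    return found


def inventory(records):
    """Tally PII categories across records and count records holding
    sensitive PII (the number an insurer is really asking for)."""
    counts = Counter()
    sensitive_records = 0
    for record in records:
        found = scan_record(record)
        counts.update(found)
        if found & SENSITIVE:
            sensitive_records += 1
    return dict(counts), sensitive_records


if __name__ == "__main__":
    counts, n = inventory(RECORDS)
    print(f"categories: {counts}, records with sensitive PII: {n}")
```

The second record carries a 13-digit tracking number that matches the card pattern but fails Luhn, and the third record carries an unissuable SSN area and a card number with a bad check digit, so neither is counted. Real inventories would run the same logic over files, databases and mailboxes and keep the per-source counts for the application.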

Do you provide periodic anti-fraud training to employees?

This question is meant to ensure that we are teaching employees to recognize social engineering attempts to steal credentials or commit fraud.

Are processes in place to request changes to bank account details including account numbers, telephone numbers, or contact information?

Once again, the emphasis was on making 2FA part of the payment process. 2FA is recommended for any external financial or banking transaction.

Are you using Office 365?

For the first time, the cyber insurance application asked about our use of Office 365. If we answered yes, it asked if we subscribed to Office 365 Advanced Threat Protection. Next, it asked if 2FA was set up for all users.

Can users access email through a web application on a non-corporate device?

I was surprised to see this question. Often in large enterprises, firms mandate the use of separate devices for office access. Phones used to be a bastion of secure access but are now seen as a risk to the network. If you allow email access through a non-corporate device, insurance providers clearly want you to protect it with the use of 2FA.

Do you strictly enforce SPF on incoming emails?

Sender Policy Framework (SPF) is an email-authentication technique used to prevent spammers from sending messages on behalf of your domain. With SPF, an organization publishes in DNS the list of mail servers authorized to send for its domain, and receiving servers check the sending server against that list. The application also asked whether your desktop email platforms or firewalls provide sandbox capabilities to evaluate attachments.
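To make "strictly enforce SPF" concrete, here is an added example (not from the article) of the receiving-side check: a small SPF evaluator that walks a published record, matches the connecting IP against ip4/ip6 mechanisms, follows include: references with the lookup limit from RFC 7208, and maps the result to a strict or lenient enforcement action. The DNS records are a constructed in-memory table standing in for real TXT lookups, and the domain names, addresses and the two enforcement policies are assumptions for the illustration; the a, mx, exists and redirect mechanisms are deliberately not implemented.

```python
import ipaddress

# Constructed TXT records standing in for DNS (assumption for this example).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 "
                   "include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}

MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying mechanisms per check at 10
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip: str, domain: str, txt=DNS_TXT, _lookups=None) -> str:
    """Evaluate the SPF record for `domain` against sending address `ip`.
    Returns pass, fail, softfail, neutral, none or permerror."""
    if _lookups is None:
        _lookups = [0]
    record = txt.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr.version == net.version and addr in net
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"  # also stops self-referencing loops
            sub = check_spf(ip, arg, txt, _lookups)
            if sub in ("permerror", "none"):
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"  # a, mx, exists, redirect not supported here
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no `all` term


def enforcement_action(result: str, strict: bool = True) -> str:
    """Map an SPF result to a mail-flow action. Policies are assumptions:
    strict rejects anything that is not pass/neutral/none; lenient
    rejects only hard fail and quarantines the rest."""
    if result in ("pass", "neutral", "none"):
        return "accept"
    if result == "fail":
        return "reject"
    return "reject" if strict else "quarantine"


if __name__ == "__main__":
    for ip in ("192.0.2.5", "198.51.100.10", "203.0.113.9"):
        r = check_spf(ip, "example.com")
        print(ip, r, enforcement_action(r))
```

The sample shows the three common outcomes: a listed range passes, a server authorized only through an included domain passes, and an unlisted server hits `-all` and is rejected. Running the same check against `loop.example` returns permerror once the include chain exceeds the lookup limit, which is why a strict policy needs a defined action for malformed records, not just for failures.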

Are your backups encrypted and kept separate from the network whether offline or with a specialist cloud service?

This question was followed by another asking if we had ever undertaken restoration and recovery testing of key service configurations and data. Too many firms don't truly test the entire recovery process until they are in the middle of an actual disaster. Make sure that you have a fully tested disaster recovery plan.

Do you use endpoint protection in the network? What brand?

There were several questions about protections to privileged user accounts. Once again, they wanted to know if 2FA was used to protect privileged user accounts.

How long does it take to install critical, high severity patches?

In my organization, we do not install updates immediately. Rather, we test updates first and ensure there are no side effects before deployment.

Do you have a SOC?

A security operations center (SOC) is a centralized unit that deals with security issues on an organizational and technical level. Typically, a SOC includes people, processes, and technology for managing and enhancing an organization's security posture. Do you have a specialized department whose only task is to monitor, detect, investigate, and respond to cyber threats? If you don’t have the resources for a SOC, you may need to outsource to a third-party provider.

While many of us are familiar with network operations centers (NOCs), they are not the same as a SOC. The SOC’s goal is to protect enterprise networks, systems, and data from security threats. The NOC is responsible for overall network availability, maintenance, and performance of the network.

What steps are you taking to detect and prevent ransomware attacks?

The examples they gave were segmentation of the network, additional software tools, and external security services.

Other questions of note

  • Have you implemented a hardened baseline configuration across servers, laptops, desktops, and managed mobile devices?
  • How do you implement local administrator rights?
  • Do you provide users with password manager software?
  • Are end-of-life or out-of-support hardware and systems segregated from the rest of the network?

Copyright © 2021 IDG Communications, Inc.
