You already know all the reasons why your business needs cyber insurance, but you may be unsure what the insurance companies will require. Below are 5 technical requirements we see most insurance companies requiring, not merely suggesting, before they issue a cyber liability policy.
What do cyber insurance companies require in order to qualify for coverage?
Commercial anti-virus implemented on ALL endpoints.
Multi-Factor Authentication (MFA) for remote access, admin accounts, and email.
Ongoing security awareness training for ALL employees.
Backups for all critical systems and servers.
Virtual Private Network (VPN) connections for all remote access into your environment.
Without all five safeguards in place, your company may still be able to qualify for coverage, but the type of coverage or your premiums will likely be impacted by how many of these safeguards you have.
The requirements for obtaining cyber liability insurance are changing. A few years ago, the form to apply for insurance was maybe 1 sheet of paper with 5-10 questions. Now, it is more likely to be 5-15 pages and 40-60 questions!
For a deeper look at the requirements, check out our article: What are the requirements for cyber insurance?
Don't just check the box
When you fill out a cyber insurance application form, make sure your technical team has verified that your IT meets the requirements. I know that seems obvious, but after a few pages of answering IT questions you may be tempted to just check the box and move on.
Claims have been denied due to issues with implementation. If you say you have MFA throughout your organization, but it turns out one admin account is missing MFA, and that is where the breach occurred, then there is a good chance your claim will be denied.
Another example: if you say you are providing ongoing security awareness training for your staff, but there are people who haven't logged into the training in a while or staff members who have not completed any training, there is a good chance your claim will be denied. Providing access to training does not, by itself, meet the requirements of the insurance policy.
The main point is that if you say you are implementing certain IT safeguards, then you had better be consistently and thoroughly implementing them! On top of that, you had better be able to prove it.
Kosh has a Free Cybersecurity Checklist that you can use to get you on the right track.
The information contained in this communication is intended for limited use for informational purposes only. It is not considered professional advice, and instead, is general information that may or may not apply to specific situations. Each case is unique and should be evaluated on its own by a professional qualified to provide advice specifically intended to protect your individual situation. Kosh is not liable for improper use of this information.