| by Shawn D. Stewart | No comments

Unlocking the Cybersecurity Insurance Questionnaire

OR Insurance.  Why does it always have to be insurance?

Congratulations!  Your company survived whatever the heck you call the last two years.  Yes, the storm isn’t over but you made it this far and you are well on your way to finding that treasure of financial success.  Then, your insurance agent sends a questionnaire to renew your cybersecurity policy.  It looks like hieroglyphics, or a code created by a famous Renaissance painter, but you don’t need the sun and a gold medallion to unlock this mystery.

Why Me? – It’s not just you, it’s the industry.  Chew on this – Cybercrime is the world’s third largest economy.  Now consider that every ransomware attack costs businesses (or the insurance company) an average of $150,000.  Do the math on your premium and realize the insurance industry is hemorrhaging cash.

Why Now? – This is a tourniquet to force companies to legally confirm they are doing all they can to prevent cybercrime.  When you fill out the questionnaire, it is a legally binding document.  If you are hit with ransomware or hacked and the insurance company determines in their investigation you weren’t completely honest, your coverage will be dropped, and you will be left holding the bag and the ransom note.

Grab your whip and fedora as we bolt down the deep volcanic mine of the typical questionnaire.

Personally Identifiable Information (PII) – This qualifies as anything that can be used in part or alone to identify an individual or a company.  This could be name, social security number, tax ID, email, phone number or DNA.  All of this information MUST be kept in a secure location and preferably encrypted.

Multi-Factor Authentication – Or MFA prompts to confirm your identity when you log in.  This is typically done through a text, email, or application on your phone.  All logins should have MFA enabled.

Block Unnecessary Outbound Connections – Did I say “outbound”?  Yes, just because you have a firewall that blocks all incoming traffic, doesn’t mean you’re safe.  By blocking non-business outbound traffic you limit the exposure to shady web pages, drive-by-downloads, and malware/ransomware calling home.  The most secure companies keep a whitelist of sites and IP addresses permitted for outbound traffic and all else is blocked.

Written physical and network security policy – This is a big one and the most common overlooked. The physical and network security policy for a small company may only be a page, but it must be in writing and all employees and vendors must agree to comply to the policy in writing.

Disaster Recovery and Business Continuity Plan – Most companies don’t want to think about this, but insurance companies live for it.  You must have a written, itemized plan of how your organization will continue running in the event of a disaster.  It could be a tornado relocating your building to another state or the intern accidentally deleting the accounting database.  Either way, you must have a written plan.

Data Retention and Destruction Plan (electronic and physical) – This requirement ensures that your organization has a written plan for securely deleting and destroying both electronic and physical data once it is no longer needed.  This includes shredding physical document but also securely deleting files and physically destroying media, such as hard drives, tapes, and USB keys.

Written Data Breach Response Plan – What happens if the unthinkable happens?  You need to have a plan to explain, in painful detail, how you will mitigate the breach and limit exposure.  You may not be able to do any except alert your clients, employees, and vendors of the breach, but you must have a plan.

Employee Controls – Criminal and credit checks, restricted access to PII (there is that term again), termination policies, and training ensure your employees aren’t inside agents and don’t unwittingly become one.  Social engineering attacks seek to pull information and access from the inside.  Kevin Mitnick, world famous hacker from the 80s and 90s, said it best, “it’s easier to manipulate people rather than technology.”  Right on, Kevin!  Make sure your employees know what social engineering looks like and avoid it.

Third-party Vendors – Strangely, some organizations trust vendors wholeheartedly.  Vendors may provide services that employees can’t, but they should have less permissions and stronger connection requirements.  Far too many data breaches have occurred due to weak vendor controls.  Do you remember that, Home Depot?

Cyber Security Awareness and Privacy Training – Remember how I keep saying that training is one of the big keys of cybersecurity?  It’s true!  Insurance requires that you train yourself, your staff, and even your vendors on security and privacy awareness.

Vulnerability Assessment, Penetration Test and/or Network Security Assessments – Everyone, whether for insurance or regulatory compliance, requires companies to have an external penetration test and internal network security, or vulnerability assessment, completed each often.  This test allows a qualified agent to look at your systems through the eyes of a potential threat actor to find vulnerabilities.  Once found, holes are patched before an actual threat actor exploits them.

Designated Security and Compliance Manager – Who is the person responsible for cybersecurity in your organization?  It can be an outsourced company or your most senior technical person, but you must have someone that can answer the tough questions.

Backup valuable/sensitive data daily – Sure, IT says they do, and the little notification says your systems are backed up, but are you sure?  Don’t just close your eyes and guess.  The only way to know is to restore and confirm.  That is the next question.  When they ask specifically how long it takes to fully restore the system, you won’t have to lie!

Data encryption as rest, in transit, and on mobile, detachable devices – Data should always be encrypted.  I recommend encrypting every media, whether a USB drive or the hard drives in laptops and servers.  All communications between devices must be encrypted as well.  That means any device that has an open port to allow connections that are NOT encrypted must be closed.  Printers are the biggest culprit as they come out of the box built for convenience.  Nearly all have default FTP with no password!

Physical Security – Door locks, surveillance, access control cards, and a security guard are great.  But signs are one of the most overlooked deterrents.  Legally, unless you have posted that your building door is for “Employees Only”, anyone can walk in.  There have been so many ridiculous criminal cases thrown out because the organization didn’t have physical signs or electronic banners identifying entry points or computers as private property.

Wire Transfers and other electronic/bank fraud – Municipalities and businesses have lost BILLIONS to bank account change scams, fake invoices, disconnect threats, and, in the most amusing cases, pretending to be the CEO.  Even a one-person company needs to have a checklist of safeguards to prevent unauthorized money transfers.  Lesson 1 – no legitimate organization accepts gift cards as payment.  Always contact the company through a publicly known phone number to confirm the request.  Never, EVER, give out credit card or bank information on a phone call.  A legitimate creditor will wait for you to confirm.  Don’t be afraid to hang up!

The insurance questionnaire can feel like a boulder hurtling toward you and, if you do nothing, it will leave you flat.  Don’t Panic!  If ever in doubt, reach out to a trusted cybersecurity specialist for help.  It may be the wake call you need to fully secure your organization.

Want to see an article on a specific subject?  Need help?  Reach out.  We are all in this together

Helpful Links! – Ready.gov, Cybersecurity & Infrastructure Security Agency (US), National Institute of Standards and Technology (US)

Read other great posts – Practical Power Protection Guide

Shawn D. Stewart

Mr. Stewart has 25 years of experience with hundreds of international, commercial, military, and government IT projects. He holds or has held certifications with ISC2, Cisco, Microsoft, CompTIA, ITIL, Novell and others. He also holds a Masters in Cybersecurity, Bachelors in IT, a Minor in Professional Writing and is a published author.

Warning: Undefined array key -1 in /home/stewart/www/blog/wp-content/themes/wpxon-blog/template-parts/content-single.php on line 85

Leave a Reply