When it comes to underwriting for a cyber insurance policy, there are a wide range of reasonable controls, across 18 categories, that can be implemented -- ranging from hardware/software inventory and security monitoring to managing back-ups and encryption.
Within each category, there are sample questions that are typical for a cybersecurity insurance application along with applicable resources that will help you.
- Hardware/Software Inventory
Does the Applicant track hardware assets deployed across its organization?
Does the Applicant track software assets deployed across its organization?
- Data Inventory
Does the Applicant have a listing of all personal, sensitive, and/or private information, and its location in its systems?
- https://www.ftc.gov/tips-advice/business-center/guidance/protecting-personal-information-guide-business
- https://iapp.org/store/webconferences/a0l1a000002ln8PAAQ/ (Data Mapping: How to Do It & Why It Matters.)
Does the Applicant document and understand the sensitivity of its data?
- Security Monitoring
Does the Applicant continuously monitor its network, all endpoint devices and assets within its network to detect and respond to attempted unauthorized access or unusual activity?
Does the Applicant retain records (or logs) of that monitoring and any response measures undertaken and review those records often?
- https://www.sans.org/information-security-policy/ (Information Logging Standard)
Does the Applicant use a SIEM monitored 24x7 by a SOC?
- Routine and Consistent Patching
Does the Applicant apply critical and high-level security patches within 30 days of release?
- Current Software
Does the Applicant use any software or hardware that has been officially retired ("end of life") by the manufacturer? If end of life/support assets are in use, have they been segmented from the rest of the network and disconnected from the internet?
- Cloud Best Practices
Does the Applicant require Multi-Factor Authentication for cloud provider services (Office 365, AWS, Azure, Google Cloud)?
- https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide
- https://aws.amazon.com/iam/features/mfa/
- https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks
- https://cloud.google.com/identity-platform/docs/web/mfa
- Endpoint Configuration
Does the Applicant require use of firewalls on workstations?
Does the Applicant require use of AV on workstations?
- https://www.sans.org/information-security-policy/ (Anti-Virus Guidelines)
Does the Applicant have third party software protecting its network (e.g., antivirus, encryption, firewalls, etc.)?
- https://www.sans.org/information-security-policy/ (Server Malware Protection Policy)
- https://www.cisa.gov/sites/default/files/publications/Malware_1.pdf
Does the Applicant tag external emails to alert employees that the message originated outside the organization?
- https://workspaceupdates.googleblog.com/2021/04/external-label-gmail.html
- https://techcommunity.microsoft.com/t5/exchange-team-blog/native-external-sender-callouts-on-email-in-outlook/ba-p/2250098
Does the Applicant use web filtering to block access to malicious websites?
- https://www.infoworld.com/article/2625777/web-filtering-and-reporting-tools-for-the-small-business.html
- https://smallbusiness.chron.com/small-business-content-filtering-strategies-41690.html
Does the Applicant run a vulnerability management tool?
- Employee Agreements
Does the Applicant require and enforce written agreements with employees on protecting sensitive information?
- Multi-Factor Authentication (MFA)
Does the Applicant require Multi-Factor Authentication for administrative or privileged access?
- https://www.ftc.gov/tips-advice/business-center/small-businesses/cybersecurity/securing-remote-access-to-your-network
- https://www.ftc.gov/tips-advice/business-center/small-businesses/cybersecurity/physical-security
Does the Applicant require Multi-Factor Authentication for web-based email?
- Endpoint Detection and Response
Does the Applicant use an advanced endpoint detection and response (EDR) tool on all endpoints?
Does the Applicant continuously monitor its network, all endpoint devices and assets within its network to detect and respond to attempted unauthorized access or unusual activity?
- Security Awareness and Training
Does the Applicant conduct regular cybersecurity awareness training?
- https://www.nist.gov/itl/applied-cybersecurity/nice/resources/online-learning-content
- https://www.in.gov/cybersecurity/trainingevents/
Does the Applicant train its employees on social engineering?
- https://www.sans.org/information-security-policy/ (Social Engineering Awareness Policy)
Does the Applicant conduct email phishing simulations?
- Policies and Procedures
Does the Applicant have an up-to-date written security policy?
- https://www.sans.org/information-security-policy/
- https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program/resources/information-security-guide/security-policies
Does the Applicant have an up-to-date written privacy policy?
- https://www.termsfeed.com/blog/good-privacy-policy/
- https://security.berkeley.edu/how-write-effective-website-privacy-statement
Does the Applicant have an up-to-date retention policy (i.e., a listing of when to purge data)?
- Vendor Management
Does the Applicant verify all vendor and supplier bank accounts by a direct call to the receiving bank, prior to accounts being established in the accounts payable system?
- Regulatory Compliance
If the Applicant’s website, computer system, or telephone system requests or captures Payment Card information, has the Applicant self-attested to PCI-compliance in the last twelve months?
If the Applicant's website, computer system, or telephone system requests or captures medical records or personal health insurance information, is the Applicant compliant with HIPAA and the HITECH Act?
- Response Planning
Does the Applicant have a written Incident Response Plan?
- https://www.sans.org/information-security-policy/ (Security Response Plan Policy)
Does the Applicant have a written Data Breach Response Plan?
- https://www.sans.org/information-security-policy/ (Data Breach Response Policy)
- https://www.ftc.gov/tips-advice/business-center/guidance/data-breach-response-guide-business
Does the Applicant have a written Disaster Recovery and Business Continuity Plan?
- https://www.sans.org/information-security-policy/ (Disaster Recovery Plan)
- https://www.ready.gov/business-continuity-plan
Does the Applicant test its Disaster Recovery and Business Continuity Plan annually?
- https://www.sans.org/information-security-policy/ (Disaster Recovery Plan)
- Access Management
Does the Applicant limit access to those required to perform a job?
- Back-Ups
Does the Applicant regularly perform full and incremental backups?
- https://www.securitymagazine.com/articles/92057-what-every-small-business-owner-should-know-about-data-backup-and-recovery
- https://www.inc.com/technology/best-cloud-storage-backup-service-for-small-business.html
Does the Applicant require Multi-Factor Authentication (MFA) for access to the backup environment?
Does the Applicant test backups for restorability?
- Encryption
Does the Applicant encrypt personal data, sensitive and confidential information stored on its systems and networks?
- https://www.sans.org/information-security-policy/ (Acceptable Encryption Policy)
- https://informationsecurity.iu.edu/program/safeguards/information-systems.html
Does the Applicant encrypt personal data, sensitive and confidential information in transit?