With ransomware attacks grabbing front-page headlines seemingly on a daily basis, today's highly-valued agents need to advise their insureds on a variety of technological exposures, including some that may not even have existed 10 years ago.
If your client looks over the 2021 cyber insurance application (much more detailed than the one from 2019, which only had three questions on it) and asks you to explain Multi-Factor Authentication (MFA), Remote Desktop Protocol (RDP) or Endpoint Detection & Response (EDR), will you have an answer? When they ask how your agency is protecting their data, what will you say?
If you are not prepared to answer these questions, you are faced with one of two choices: either learn the ropes through hours of research or partner with a specialty broker who can help you come through for your clients.
The following are some of the most important factors that insurers consider when determining a "good" application for cyber insurance. As it turns out, these factors also form the building blocks for ensuring your own agency's resilience to today's cyber threats.
In the world of cyber insurance, we hear the acronym MFA multiple times a day. Multi-Factor Authentication is among the single most effective deterrents to stopping ransomware attacks. Think of it as an extra step in the log-in process that provides additional proof that you are, well, you.
MFA requires the user to provide at least two verification methods to gain access to an online account or a network. For example, if a hacker gains unauthorized access to your agency's user names and passwords from the dark web, but you have MFA enabled, they won't have that secondary device required for confirmation (i.e., a verification text to your smart phone). The stolen credentials will therefore be useless to the hackers, because they can't get into your network without it.
Implementing MFA can inject a small amount of inconvenience into your day, but it isn't nearly as inconvenient as seeing a lock screen with a timer and a ransom demand show up on your monitor as you sip your morning coffee.
Ransomware incidents go sideways for many different reasons, but one of the more consistent reasons involves the lack of a strong data backup strategy. These days, it isn't enough to simply back up your data; there's a lot more to consider. For example:
- How frequently do you backup data? Ongoing is preferable, but data should at a minimum be backed up daily.
- To what mediums do you backup data (to the cloud, tape, )?
- Do you have a procedure in place to test these backups regularly?
These are important things to keep in mind in protecting your agency, and your clients, against loss and exposure of data due to a ransomware attack. The likelihood of having to pay a ransom demand to regain access to your critical data is far less if you have a dependable, tested backup copy on hand from which to restore operations quickly.
Incident Response Plans
You likely take great care in preparing your agency and your clients to withstand fires and critical weather events. But what about your business continuity plans in the event of an information security incident - which could very well be a more likely scenario? Do you have a playbook? Which employees are responsible for which roles? Have you conducted practice drills to test the effectiveness of those plans against various scenarios?
Along with cyber insurance, it is essential to consider ransomware recovery as an essential part of your business continuity plan. Oftentimes your insurer will have valuable resources to help you plan this out.
Even if your agency is the only agency in the world with a network that is 100% impenetrable, you still have employees, and employees make mistakes. They sometimes click on things they shouldn't. Even the most well-intentioned customer service representative can bring your agency to its knees with a single click of a mouse.
Instilling a culture of data hygiene can only be achieved through constant training, testing and re-training. Your employees represent your first line of defense. Don't skimp on investing in quality training that includes simulated phishing campaigns.
Going Above and Beyond
Even if you or your clients only take actions on the four key points above, you will have made great strides toward ensuring that your data is protected. That said, there are many additional steps that can be taken to implement an effective information security plan.
Among these are a deliberate software patch management cadence, ensuring secure remote desktop protocols, installing advanced endpoint protection, filtering your incoming web traffic, implementing email filtering/sandboxing, identifying emails from outside your organization in the email header, and performing external penetration testing and account configuration assessments to ensure that only those who need advanced access receive it.
I get it, the jargon is highly technical and most agents aren't necessarily wired that way. As agents and brokers, we preach the value of paying for expertise. It's time to heed our own advice and avoid cutting corners in these critical areas. The future of your business could depend on it.