Cybersecurity Insurance Policies Require Security Audits and Pen Testing
Cybersecurity Insurance Policies Require Security Audits and Pen Testing
by Jane-Michèle Clark
Aug 18, 2021

Costs related to cyber security breaches rose 10 – 15% in 2020, depending on whose research you read (more on this in our next blog post).  As a result, insurance companies in Canada, the US and further afield are re-thinking their cyber security insurance polices – and the requirements to qualify for coverage. Not to mention how they’re paying out claims – or not.

We contacted a few of the major carriers in Canada and what we learned follows.  As you read this, please remember that the nature and size of your operation, and your own carrier’s policies, will affect what holds true for you, so please contact your agent.  But please DO contact your agent, because you don’t want to find yourself not-insurable, or a claim not covered.

Insurance Rules Are Changing

Or have already, in some instances, with some carriers.

  • Over 45% of active Canadian cyber insurance plans will not be renewed in 2022 because firms do not have proper security software, plans and processes in place.
  • Companies using approved (and each insurance firm has its own list) third-party managed cyber/ network security services often receive policy rate reductions. Sometimes substantial reductions.
  • Knowing the increasing level of ignored or improperly investigated alarms by internal teams, some carriers are starting to mandate professionally-managed cyber security services for companies that do not have a dedicated team of highly-qualified experts on staff. This is particularly true for companies with larger risk exposure – and this includes companies that process credit card information or need to retain information such as health card, driver’s licence, or anything else that could be used to gain unauthorised access to key corporate information, or can be used for identity theft.
  • In addition to being compliant from a network perspective, carriers are also checking that companies are fully-compliant according to the requirements of the industry in which they do business on a day-to-day basis.

    For instance, if a companies processes cards, or stores credit card data, there is a need to show PCIA compliance, which requires a  vulnerability assessment every quarter – and not by the company that manages your security.

    To work with federal government agencies, companies must comply with NIST Publishes SP 800-177 (trust worthy email – protocols of mail transfer agents, deploying SMTP + and Domain Name Systems [DNS] authentication mechanisms).

    Many industries have similar sets of regulations. Good managed services providers can stay on top of the changing cybersecurity requirements and help clients ensure they are fully compliant

  • Many insurers now require proof that a data breach response plan has been developed (click here for tips on preparing your breach response guide).
  • Many insurers now also require that you have conducted a security assessment within the past 12 months, and have a plan for filling in the gaps. What if your security posture is not perfect when you are hacked? Provided you can show that you took key steps, and were actively implementing the remaining ones according to schedule with budget attached, fines will likely be lower, and insurance payouts higher (or existent) if you are breached.
  • Some insurance firms require the companies they insure to have regular penetration testing and security audits – and that these be performed by companies different from the ones providing Cyber/ Network Security as a Managed Service.

    In other words, the people protecting the castle can not be ones that try to break in to see if it is truly impenetrable or not.

    Naturally, this means having an outside firm do your security audits and penetration testing if you are running things in house.

Unfortunately, most companies only start thinking about how they’ll respond once they have been attacked – and by then it’s too late.  As you can surmise from the above, this may also impact insurance payouts and fines.

If I were to call and say: “You’re under attack right now, what should you do right away? And then immediately next?”  would you know what to say right away?  Or be sure you had the right answer?

If not, please give us a call.  Even a small attack can set a business back and cost precious time, money and resources… and as you start to adapt your distributed network policies to accommodate your new hybrid work model, it’s possible that new gaps will appear.

We have experts on staff that can help. We can conduct a security/system vulnerability assessment and penetration testing.

We also work with some of the top cybersecurity/ network security managed services providers according to Gartner – and all our cybersecurity and intrusion detection partners have been approved by all or most of the major carriers and can ensure that clients are fully-compliant for the industry in which they do business, as well as for the type of business they operate, or the kind of organisation they run.
In the meantime, ensure you back up everything (we have great options for this) and ensure your Breach Detection Preparedness Plan and other protocols are in place.

You may also wish to view:  What to do when the yoghurt hits the fan – 8 Steps for Handling Corporate Crises

BACK TO TOP ^