Insurance Underwriters are Protecting Their Flanks

by Jane-Michèle Clark

Oct 16, 2023

In the first half of 2023, nearly 25% of cyberinsurance policies were not renewed – or not automatically. In many cases, policyholders had to make significant changes to their software, policies and procedures before the company could be covered.

Today, it is common for insurance companies to require that their clients be able to prove they are doing everything they can to ensure their networks are secure, and that employees have been trained in terms of processes to follow.

To protect themselves – and you, too, of course – the questions shown below are typically asked when you set up or change your cyber insurance policy.

When was your last security audit and what did it reveal?
What MFA solution do you use?
What are your response plans for both cyber attacks and recovery from those cyber attacks – and can we get a copy?
Do you store customer data such as names, addresses, credit card information – and how are you protecting that data?
As employees bring their devices to work (BYOD), how do you protect those devices, and how do you ensure the devices accessing your network are being done so by the proper person?

Although requirements vary slightly from carrier to carrier, most insurers now require the following before issuing or renewing a policy:

A recent security assessment, including a penetration testing report.
Some form of multifactor authentication, such as Cisco’s Duo.
Data backup and recovery software solutions. Many insurance companies also require that firms show they have solid disaster recovery plans and processes in place.
Having an Uninterruptible Power Supply (UPS) that will keep networks, equipment, point-of-sale terminals, laptops and other critical tools running in a power failure, helping to prevent data loss and apparatus damage, until your generator kicks in… or at least until you are able to shut down everything safely, if you don’t have a backup generator. Sometimes that buffer can be the difference between being able to get up and running again quickly, or not, and your insurance carrier knows this, too.
Ensuring that your Remote Desktop Protocol (RDP) is not exposed. Although the remote display and input capabilities are great for windows-based applications running on a server; it’s important that vulnerabilities are locked down.
Secure email – insurers want proof that you are using email filtering, validation and pre-screening for potentially malicious attachments and links.
Endpoint security. Again, Cisco has an excellent product for protecting endpoints.
Firewalls that block unsolicited and unwanted incoming network traffic and/or some form of SASE to protect your perimeter or cloud edge.
Internal security controls, including policies tools, process and procedures that have been implemented to safeguard your environment.
A vendor management plan that shows access rights, processes and protocols for revoking privileges when access is no longer needed, ways of logging and monitoring remote access by third-party companies and business continuity plans for change of vendors and other solution providers.
Some insurers also require that your data be resident on servers in your home country and/or on servers in approved countries – and that your providers can show redundancies as needed.

With the way things have been changing over the past 12 months, it is advisable to carefully review your insurance policies to ensure you are fully compliant as nearly 20% of claims were rejected in 2022.

If you would like help with your internal assessment, or seek more information, please contact us: [email protected] or call us at 416.429.0796 or 1.877.238.9944 (toll free).

Full Stack

Managed Services

Industries We Serve

When was your last security audit and what did it reveal?

What MFA solution do you use?

What are your response plans for both cyber attacks and recovery from those cyber attacks – and can we get a copy?

Do you store customer data such as names, addresses, credit card information – and how are you protecting that data?

As employees bring their devices to work (BYOD), how do you protect those devices, and how do you ensure the devices accessing your network are being done so by the proper person?

A recent security assessment, including a penetration testing report.

Some form of multifactor authentication, such as Cisco’s Duo.

Data backup and recovery software solutions. Many insurance companies also require that firms show they have solid disaster recovery plans and processes in place.

Ensuring that your Remote Desktop Protocol (RDP) is not exposed. Although the remote display and input capabilities are great for windows-based applications running on a server; it’s important that vulnerabilities are locked down.

Secure email – insurers want proof that you are using email filtering, validation and pre-screening for potentially malicious attachments and links.

Endpoint security. Again, Cisco has an excellent product for protecting endpoints.

Firewalls that block unsolicited and unwanted incoming network traffic and/or some form of SASE to protect your perimeter or cloud edge.

Internal security controls, including policies tools, process and procedures that have been implemented to safeguard your environment.

A vendor management plan that shows access rights, processes and protocols for revoking privileges when access is no longer needed, ways of logging and monitoring remote access by third-party companies and business continuity plans for change of vendors and other solution providers.

Some insurers also require that your data be resident on servers in your home country and/or on servers in approved countries – and that your providers can show redundancies as needed.