Adopting Cyber Insurance Internal Controls

The cyber insurance market has completely shifted over the last year. An increase in the number of claims and larger monetary damages associated with those claims has caused insurance carriers to adopt stricter underwriting guidelines, decrease coverage limits, and increase rates. A company’s internal controls are more important than ever to not only protect you from a cyber-attack but to also allow you to qualify to purchase coverage that will help in the event a breach does occur. We often get questions as to what type of controls need to be in place. While companies used to only need basic levels of cyber hygiene to qualify for coverage, this is no longer the case. We are now commonly seeing the following controls needed to be in place to qualify for coverage.

1. Multi-Factor Authentication on all external access to your network or web-based applications.
2. Encryption on all sensitive data at rest and in transit.
3. Annual security awareness training of all employees.
4. Advanced/next generation end-point protection on your network

Another change we have seen recently is that there is little grace time (if any) to implement these controls when it comes to renewing or purchasing new policies. We strongly recommend looking into this proactively to ensure a policy will be available when you need it. Natalie Sherod is a Risk Advisor at Cavignac, an insurance brokerage working with medium-size businesses to help them better analyze their risk and protect themselves from loss. Natalie can be reached at Nsherod@Cavignac.com or (619)885-5737