As I said, good morning or good afternoon, depending on what time zone you’re in. Thanks for joining us. For those who jump in after, this session is being recorded, so we’ll make the link available to everybody.

Just to frame up the discussion that we’re going to have today, every 39 seconds there’s a cyber attack. And so to put that in context, while we’re on this webinar, there’ll be about 70 cyber attacks. And there’s a number of compelling events that will cause people to either take a stronger look or have a sense of urgency about their cybersecurity posture.

One of those would certainly be the requirement for cyber insurance. And if you haven’t gone through that journey, or if you have gone through it, what we’re going to try to do is frame that up of what to expect and the things that you’re going to have to do. But we’re also going to relate that to your overall cybersecurity posture, because the good news is if you’re going through that process, most of the things that you’re doing to obtain cyber insurance or to maintain your cyber insurance are going to be an integral part of your overall business continuity and cyber resiliency strategy.

So we have three segments that we’re going to cover.

• We’re going to talk about the criteria that the insurance companies use to evaluate your insurability, basically.

• And then we’re going to talk about the questions related to those criteria that they’re going to give you. And it’s extensive, how you can group those together so that you can assign work streams and be a little bit more effective in that. And that will help you also maintain that going forward from a sustainment perspective.

• And then finally, we’re going to talk about a couple of key documents that are not just related to cyber insurance, but related to your overall cybersecurity posture, as well as business continuity. We’re going to discuss some elements that have to be in those documents, and then how locked down they need to be.

So let me go ahead and jump into that. Quick note, if you have questions, post them in the chat. And at the end, we’ll address them. And we’ll open it up. We’ll unmute people if we want to have a Q&A at the end.

Okay, so insurance companies, just like they do for other types of insurance, are going to have some key criteria that they use to evaluate your insurability. And the insurance industry, specifically for cyber insurance, is expected to grow around 25% per annum over the next five to seven years, which you would expect because of the increased threats. And there are other reasons for that.

• One of the things that’s also happening, though, that’s actually restricting the growth a little bit is the premiums are going up and the requirements are getting stiffer.

• So in other words, as the threat matrix, so to speak, is increasing, the requirements that cyber insurance companies have in order to evaluate you are increasing and the premiums are going up because there’s a lot more attacks. There’s a lot more claims.

So one thing they’re going to look at is the industry you’re in, and obviously financial services, retail, and healthcare. Those industries have a lot more sensitive information that they’re managing from a volume perspective. So that’s going to be a factor, and they’re going to look at that carefully. As I mentioned, the data sensitivity and the volume of information that you have, they’re going to look at that. Retail is obviously going to be important. Again, healthcare from a personal information perspective, and the same thing with financial services. But even on the supply chain side, since that seems to be the fastest growing segment of attacks, they’re going to look at the data sensitivity and the volume.

What’s your posture? And I mentioned that at the outset. And really, what does that mean? So to put it into context, I mentioned the compelling event. Most people… When you talk to them about that, they think of it in terms of what it costs to have cybersecurity.

How much are they spending?

We like to flip that around and say, if you lost access to your critical systems for 26 days, what would be the impact on your business?

And we’re not just talking about the daily loss of revenue for those 26 days.

What would then be the impact after that in terms of losing customers and potential legal fees, regulatory fines, whatever the case may be? And the reality is about half, about 50%, of the attacks are on SMBs, on small and medium-sized businesses. And 60% of those that get attacked don’t survive the year.

And if that doesn’t terrify you, which it does for most of us, at the end of the day the security posture of an organization typically takes a kind of a background role. It doesn’t get the attention until there’s that compelling event, as we mentioned. And so we’re going to delve into the security posture a little bit more later, but that’s something that they’re going to look strongly at: what is your posture relative to cybersecurity? They’re going to look at your incident response and business continuity, which I’m going to talk about in more detail in just a few minutes. They’re going to look at your history of cyber incidents.

Have you had incidents before?

What is the history of that?

One of the important things: such a large percentage, some people say as much as 90%, of the attacks are coming from what we call human error. Whether those are phishing or ransomware attacks, it’s a result of human error.

So they’re going to look at your security awareness policies and practices relative to educating your employees and how you sustain that on an ongoing basis. A lot of industries are now regulated or there are compliance standards: in health care, it’s HIPAA; in financial services, it’s GDPR or PCI DSS. There’s any number of standards, FTC safeguards. They’re going to look at how you’re maintaining your compliance relative to your security posture.

Then a very important one is your third-party compliance and vendor risk management. So if you’re in a supply chain, and almost all of us are, even if we’re not in a supply chain ecosystem, we all use third parties, third-party vendors. What is your risk there? I’m sure you’ve all seen the news where the attack actually came in through one of the vendors and then it permeated out into the supply chain, and that’s how the compromise was done.

So they’re going to look at that. They’re going to look at your overall IT governance and management practices, and this is going to be more than just the documents. So you can have an IT governance document and all your management practices documented, but they’re going to look a little bit closer at that from an evidentiary perspective. They want to see that you’re actually practicing what you preach, so to speak. As with all insurance companies, they’re going to look at your claim history. It’s kind of like your car: if you’ve been in five accidents in the past two years, that’s probably going to be a heavily weighted factor in terms of your risk from an insurance perspective. And then lastly, and it’s overlooked sometimes, the physical security measures, especially if you’re dealing with sensitive information, and that includes everything from how you access a facility. Are you badging in and badging out? Are you keeping visitor logs? So on and so forth. But they’re going to look at that as one of their criteria.

So that’s kind of segment one in terms of defining what criteria an insurance company is going to look at when they’re evaluating you to see your insurability. And that will determine what your premiums are going to look like, or even if you can get insurance.

And again, if you aren’t successful, or if you’ve been through that process, these are all things that you can obviously work on and then go back later, once you’ve cleaned that up and gotten those into place. But at least you have an understanding of what they’re going to look at. Based on that, we go into segment two.

And in segment two, we take what those criteria are and we break them down into a questionnaire.

The questionnaire that you’re going to receive from the insurance company is going to vary depending on the company and the size of your business and the industry you’re in, as we mentioned, but it’s going to be extensive. It can be as many as 170 to 200 questions. And what you want to do is group those so that you can answer them in a logical fashion. You can assign them to teams for the response, because you’re going to see, as you saw in the criteria, that a lot of these things are not technical. In fact, you’re going to find that more than half of them are more organizational related, operational related. So group them together so that they can be farmed out into teams or into work streams.

And it’ll also help you build a model, which we’ll talk about in a little bit, helps you build a model for how you sustain that going forward. Because I’ll make the point at the end, but this is not a one and done situation. They’re going to evaluate you on a regular basis. Sometimes that’s twice a year. Sometimes it’s once a year. And they’re not just going to look to see if you still have your documents. They’re going to look to see if you’ve sustained that, including the evidence that supports that.

OK, so let’s talk about the questionnaire. As I mentioned, it’s going to be extensive. Sometimes they will logically group that for you. Sometimes they don’t. They just kind of, here’s the set of questions, and you’re supposed to then fill that in.

One important note when you’re answering the questions, be precise and be accurate. If you don’t know, then either go find out what the reality is or say you don’t know or mark it as that you don’t do that. Because when it comes time, if there is an incident, they’re going to go back to that questionnaire and say, you mark this that you were doing this, but the reality shows that you weren’t. So anything you put in your questionnaire, they’re going to hold your feet to the fire on that.

A couple of key areas. The general business information, everybody’s familiar with that, whether you’re applying for a loan or whether you’re just filling out general information for vendors and things like that. It’s going to include your size, your revenue. Some insurance companies are going to go into more details. They’re actually going to want to look at your financials, but it’s general business information.

I want to focus on the few that are going to be key. I’ll touch on all of them, but I want to zero in on a couple that are going to be key for you.

Data management and protection.

In here, you’re going to see several questions, not just one big question. Like I said, sometimes it’s spread out in the questionnaire. You can pull those out and group those, and those relate to everything from how you collect information, where you store it, who manages that both physically and from a cyber-perspective, where all of the information, who has access to it, whether it’s encrypted, your entire strategy for data management and protection, there’s going to be questions. And so group those all together because you’re going to have to organize your team from a technical and an operational perspective to get that section done.

The network security piece, this is your endpoint. In other words, kind of what your antivirus is. Do you have a firewall? What type of detection systems are you using? We’ll have a future webinar on MDR, which is monitor, detect, and respond. And that’s kind of your front end defense beyond just endpoint and firewall. But they’re going to want some specific information, up to and including the type of software you’re using, the versions, that type of thing, and the process that you use to manage that.

Access control relates to everything from strong passwords to multi-factor authentication. It’s also procedural, from an operational perspective: the onboarding process for employees and the off-boarding. So when someone leaves, what is the checklist that you use, so to speak, to off-board them and make sure that they don’t have access anymore? But it’s kind of the all-encompassing grouping of who has access to what and how that’s being managed.

Two key things here, employee training and awareness.

And I want to mention that one first because I already said that 90%, at least that’s the statistic that is typically thrown out, 90% of the intrusions are coming through human error. And there’s a lot of different types of human error. But they’re going to look closely at that; there’s going to be a lot of questions about your awareness programs. Do you do what they call OPSEC, Operation Security Briefings, regularly? Do you have awareness programs, especially for email and things like that? Do you do simulations to test people’s awareness and see whether you’re hitting the mark? Where are your vulnerabilities? So there’s going to be a lot of questions about that. You should be prepared with your plan on how to answer that.

The other one we’re going to talk about in more detail in the next segment is incident response and business continuity.

So those two key documents, they’re mandatory for cyber insurance. And there’s several key elements in there. But what they’re interested in, what they’re looking for here, is really:
what’s your posture?
Do you take this seriously?
Do you have a sense of urgency?

In other words, they’re going to insure you. They want to know that you’re actually taking the measures and you have a proactive approach to cyber security, so that they know in the event there is an incident, there’s a plan to recover, all the different elements. And as I mentioned, we’re going to talk about that more in the next segment. But these are critical documents and they are mandatory for cyber insurance.

Compliance and regulatory standards.

So depending on which industry you’re in, you’re probably already forced to have some compliance. Even if you’re not, if you’re a supplier to part of a supply chain ecosystem, you’re getting the annual questionnaire from your vendors, and they’re saying, do you have a business continuity plan? Do you have these pieces? Show us the evidence that you’re in compliance with CMMC or FTC safeguards or whatever that is. You have to sign off on that. And historically, that’s been kind of a checkbox, right? You check the boxes, you sign off on it, and you’re good to go for the next year. That’s changing rapidly. And the burden and the liability are changing rapidly. So they’re going to look closely because, again, it’s an indication of your commitment to your cyber security posture.

The last one, your previous cyber incidents. If you’ve had an incident, how well did you document it? What was the incident? What were the actions that were taken? So again, they’re going to relate that back to your current cyber security posture.

I already mentioned the third party vendor risk management. We already know that a lot of the breaches that are coming through are coming in through third parties. And what they want to see here is, do you have a risk management strategy that as much as possible protects you? And is that included in your incident response? Is it included in your business continuity plan? And they want to see that there’s some structure to that and that you’re holding those third parties accountable.

And then finally, there will be a group of questions about your insurance history. And again, this relates to whether you had an incident, but also in general, what the history looks like. So there’ll be a series of questions about that that they’ll use in the questionnaire. When you finish that questionnaire, you want to be as complete as possible and make sure, again, it’s not just the document. They’re going to be looking in many cases for your evidentiary artifacts that show that what you say is actually what you do.

But this gives you, based on their criteria, a way to break that questionnaire into these categories so that you can more effectively respond. It also sets a stage for you. If you’ve never developed a security roadmap or a security plan, this gives you a framework. That’s why I said at the outset, cyber insurance can be a compelling event, but it’s also an opportunity to build out your security framework, break it down into simple pieces, and make it sustainable. We all know everybody has a day job, so when you get a 150- or 170-question questionnaire from your insurance company, the typical reaction is that this is going to take us forever to get done, and there’s so much of this information we may or may not have. This helps you group it logically, take a systemic or a kind of a project approach to it, get it done, and then set yourself on the path to sustain that going forward.

Okay, so we mentioned the incident response plan, IRP, and the business continuity.

Business continuity, there’s a lot of standards, and some of you would probably recognize that more as disaster recovery standards. And underneath the umbrella of business continuity is cyber resiliency. Those two documents, incident response and business continuity, are required. Your cyber insurance company, if they’re evaluating you, these are going to be required documents. And they can be voluminous. They’re extensive documents. But we wanted to cover a few of the key areas that the cyber insurance companies are going to zero in on, and then how locked down those sections need to be. So at the top, and it seems obvious, but it sometimes doesn’t get done the way it should be, is identifying what the key roles and responsibilities are. That’s not just internal. That includes all of your external stakeholders, which could be the legal, the PR, which is a critical element in the event of an incident.

But you need to clearly document that, including the contact information. And you need to have a process for constantly updating that. So whether it’s quarterly or every six months, you need to make sure that you keep that up to date.

For some companies, it’s kind of a mirror of their org structure, and then they just assign the specific responsibilities. In other cases, companies will mirror that with their business continuity plan, which, under disaster recovery requirements, has a crisis management team that kind of takes over, so to speak, to manage through a crisis.

Incident classification. So there’s different levels of incidents and the severity of those incidents. They want to see that you’ve classified what would be considered low severity, medium severity, high severity. Obviously, losing access to critical systems would be considered high severity. A data breach would be considered high severity. But you need to classify.

Because each of those will have a different response procedure. You’re not going to respond to a low severity incident the same way that you respond to a high severity incident. And you need to document that.

It relates to your response procedures. So the best laid plans, so to speak; as they say in boxing, all plans are great until you get hit in the face, right? So develop your response procedures, exactly what’s going to happen. And that includes everything on the technical side, from how your backups are maintained to how you’re going to validate those in the event of an incident, to the front end of that, which is the messaging that you’re going to use. I don’t know if all of you have been following, but there used to be a time span in which you could report your incident, which gave you a little bit of a window for crafting the message for how you were going to take that outbound and notify people. If you’re publicly traded, that response time is now four days. So you basically have four days to at least notify the government and then get the message out there. So that window is closing. You have to be coordinated, which means you need to have those plans written, including your recovery steps.

Probably the most important part is going to be that communication plan that I just referred to, and that’s internal communication and external. And you’re going to see in the business continuity plan that there are elements of this about how you want to manage that when you’re communicating both internally and externally. Because internally, you don’t want to create panic, but you want to make sure that the execution of those roles and responsibilities is done the way that it’s supposed to be done. And you’ll see, as we mentioned, that cyber insurance companies will ask you, and some of them will actually audit you, to see that you’re simulating and testing these response plans. So the communication plan becomes critical, both from a coordination perspective, as well as a post-incident kind of management, to hopefully recover as quickly as possible and then mitigate the impact in the market for you.

Legal and regulatory requirements, those are important. They’re in your incident response plan because you do have obligations, both from a reporting perspective as well as a legal perspective. Beyond the government, the FBI, your first calls are typically going to be to your own cyber insurance company and then your attorneys. So you want to make sure that you immediately start that process of kind of diagnosing or investigating what happened, exactly how, and how that relates back to your compliance, because in the event that there could potentially be a fine, if you can show that it wasn’t related to a legal or compliance issue, you can probably avoid those fines.

Documentation and reporting, this is ongoing. So your documentation has to be maintained, including the evidence: that’s risk logs, incident logs. It’s your quarterly reviews. It’s the tabletop exercises that you do, and it’s ongoing and has to be sustained. Usually there will be a quarterly report back to the board on what’s happened in the past quarter and where you are relative to implementing your roadmap, because there’s an associated plan and these things are ongoing. You have to keep your documentation updated.

And then the training and testing. For the testing, I already mentioned that we have what we call tabletops. So this is where you’re going to simulate incidents, and sometimes it’s difficult to get stakeholder buy-in to participate in these. They’re usually about a half a day. It’s not like the phishing simulations that you’re doing with the employees. These are actual exercises to test the effectiveness of your incident response plan so that you can debrief, adjust, and make ongoing changes as you move forward.

This last set here, I already mentioned disaster recovery. So on the IT side, it can be complex. And what you’re going to find when you start testing is that what you thought was the case is not the case. So you need to develop that disaster recovery plan. And that means if this system goes down,
What’s it going to take to get it back up?
And what if I can’t get it back up?
What’s my recovery plan from that?
So there’s a lot of elements in that, but it needs to be there.

The business impact analysis is probably the other most important one here, which is when you’re developing your incident response and your continuity plan, you need to understand what the impact is going to be.

So if I lose access to a critical system,
What is the functional impact?
What processes are going to be affected?
In other words, value streaming your organization and saying, these are the strategic processes, and this is the impact analysis in the event of a major incident and where I need to implement my business continuity plan.

We did that very fast, I understand, and we’re going to make sure the link is all available to you. The criteria that an insurance company uses, as you can see, are going to be very much linked to your overall cyber security posture. And as I said at the outset, that security posture is ongoing because the attacks are ongoing. So whether you have gone through this cyber insurance journey, or whether you’re thinking about it, or whether you’re just trying to understand that landscape a little bit better, this gives you kind of a clarity. Because if you want to take it step by step, if you focus in these areas, you’re taking a big jump forward in terms of developing a holistic approach and a strategic approach to cyber security. Because it’s really not if, it’s when, and what you’ve done on the front end to prepare is probably going to make all the difference on the back end in terms of your ability to either avoid an incident or to recover from an incident.

Actually, weekly we publish a lot of information related to cyber security and leadership. Again, this will all be in the link for you when you finish. But there’s a lot of information out there. You can follow it. It’s accessible anytime you want. We have a video blog.

If you have more questions, because I know that was a lot of information to absorb in a short period of time, or if you want to set up a more one-on-one type of thing, just book an appointment with me, and I’ll be happy to answer any questions that you might have or walk through where you might want to start or where you want to go forward in the journey that you’re already on.

So I’m going to pause for a second. Let me see. I don’t see any questions in the chat. Let me open up. So I’m allowing everybody to speak and see if there’s any… Let me open it up for questions. So if you have any…

Anybody have any questions?

Scott, I do. Yeah.

Sure.

Scott, you mentioned the tabletop exercises take about a half a day or so. To go through the incident response planning, that doesn’t happen in half a day. That happens over a more extended period of time. Could you describe who’s needed in that incident response planning process? What occurs? What are the mile markers along the way to do an effective incident response planning, et cetera?

Yeah, so functionally, it’s basically cross-functional. So you have, at the management level, they’re really the owners of this, right? They have to drive this because if they’re not committed to it, then it all kind of falls apart. So you have that management level from a governance perspective and the roles and responsibilities there. And if you’ve been paying attention to the news lately, you know that even the liability is now being shifted, where instead of focusing on the company itself and the security officer, they’re actually trying to shift some of that liability to the chief executive or the chief operating officer. So the management, certainly, Ross, would have some of that responsibility. HR is going to be involved, especially in the security awareness, onboarding, off-boarding, and the management of that facility from an administrative perspective of that checklist. So they’re going to have to be involved. Your finance team is definitely going to have to be involved because, cross-functionally, again, a lot of the information that’s being managed is being managed by finance. And in a lot of organizations, compliance or risk is also underneath finance. So that triangle is going to need to be involved. And then from an IT perspective, many organizations still today don’t separate security from IT. So in a lot of cases, your IT director is also your security officer. That’s changing a little bit, but because of the demand for those resources and the lack of those resources, it’s usually functionally within IT. So IT, of course, plays an enormous role in this. So Ross, it’s really cross-functional. That’s why when you approach the questionnaire and you look at the incident response plan, all of those policies and procedures drip over, right? They drip between technical operations, HR, finance, and then ultimately at the top is the executive team.

The elements within that, it’s almost every single process and procedure that you have. And then in your incident response, the activation of that: remember at the outset, I said you’re going to define key roles and responsibilities and the stakeholders, including your legal team, which may be a third party or external team, and then PR, if you’ve included that. So the development of the plan, you’re correct, Ross, it can take a long time to actually develop it. You can break it into manageable chunks. That’s why we tried to give you the key sections that you’re going to have to have, and some of the key elements that are going to be there. But yeah, it could take you six to 12 months to develop the plan and then start the process of testing it and everything.

Yeah. That would be my sense as well, Scott, that you’ve got multiple teams that are meeting maybe once every two weeks, once every month, and that you’ve got a central coordinator that’s receiving notes from each of these teams and distributing these notes. So each of the teams is keeping up with the other teams. But there’s an orchestrated specific time frame that is being adhered to. So at the end of that six months, end of the 12 months, whatever the time frame is, you’ve got some deliverables that are ready to be disseminated throughout the organization.

Yeah. And I think that’s a critical point because that’s usually where this falls short, right? Because the sustained commitment to getting it done is perceived as, or in many cases is, outside of the scope of people’s day-to-day work, right? So there has to be the management commitment: look, we’re going to allocate the resources and the time to get this done. And then we’re going to break it into manageable chunks. And the heavy lifting, regardless of whether you use a third party to help you or not, the heavy lifting is still going to be with the organization. So breaking it into manageable kind of 90-day roadmaps, where you can sequence specific tasks and responsibilities and measure that, will help make that a little bit more manageable. Once you’ve done that initial heavy lifting and you’ve spent the time to get from here to there, then sustaining it becomes easier. It’s just like everything else. It’s going to take you time to get it together. If you haven’t been working on it, it will take time, and it will take a little bit longer because it’s not people’s dedicated focus. So even if you bring in a third party that will help expedite the process, the people that need to deliver key artifacts or document key things still have to do that heavy lifting. So break it into manageable pieces, focus on what’s most important, and what’s really most important is protecting yourself. Right? The end game is to not have an incident. So again, we mentioned cyber insurance because it’s one of those compelling events, but the message is you’ll start somewhere, break it into manageable pieces, and the end game or the outcome of this is to protect yourself against that. It’s kind of like car insurance, right? I pay my car insurance. But my hope is that I don’t ever get in a wreck, right? So I try to be safe in how I’m operating the vehicle.

Scott, what are your thoughts about leveraging outside resources like a board of directors, like outside counsel, maybe even your vendors in this incident response planning process?

Yeah, they’re third-party stakeholders. And certainly your approach to your vendors and third parties matters; as I mentioned, they are a critical part of what has to be referenced. You need to understand, especially in those areas where they can have an impact. There’s a couple of specific examples, even in the last year, where the breach came through a third party and worked its way up laterally and then vertically within the main organization. So you have to include them. From a legal perspective, of course, you need that counsel, whether it’s in-house or it’s external.

If you use a third-party service, like I said, it can help expedite that process. But any third party that’s involved with your organization needs to be included in the development of that plan. And wherever possible, yeah, of course, you want to leverage those third-party resources to kind of expedite this and help you navigate through the legal side. And sometimes the legal entity is capable: they have compliance experts or they even have insurance experts that can help you navigate and make sure that you’re doing the things that you need to do.

Scott, what about the strategy of working with your vendors on a basis that, look, we’re all in this thing together. If you help us with our incident response planning process, we’ll turn around and help you with your incident response planning. So one hand, you know, scratches the other’s back and everyone wins.

Yeah, I think there’s mutual interest any time you can kind of collaborate in that. From that perspective, it’s valuable. I mean, the outcome is we all have that same interest of avoidance versus failure versus actually responding. And from a leverage perspective, say, look, at the end of the day, it’s strategic, but it is a cost of operation. So you want to balance. And anytime you can leverage resources collectively, it reduces the load that you have. It doesn’t shift the liability, but at least it reduces the load. And anytime there’s cooperation, it actually strengthens the defenses that you have.

Any other questions? So as I mentioned, this was all recorded, so we’ll make sure everybody gets a link to the recording. You can go back and review the material on your own time. There’s a lot of other information that we’ve posted about security roadmaps and information security policies, things like that, that you can go check out on your own time. If you want to have a more personal discussion or a one-on-one discussion, just book a session with me and I’ll be happy to do that with you. We appreciate everybody taking the time today. So if there are no more questions, I’ll say thank you and stay tuned for our next session.