
Understanding and meeting cyber insurance requirements: Startup and SMB Edition
No one likes paying for insurance, but it can help if you ever need to lean on it. Furthermore, at least with cyber insurance, it is now becoming an increasing requirement for various companies that are either asked to obtain it to work with risk-averse enterprise customers or for customers trying to meet regulatory compliance frameworks like SOC 2. For instance, a company may be required to have a certain level of data encryption or a robust incident response plan in place. One problem is that it is becoming increasingly more challenging to qualify for cyber insurance as cyber insurance companies continue to pay out record payouts and must protect themselves. Many companies may have caught themselves in such a predicament if they had gone to apply and have been left asking, what is the easiest way to qualify for cyber insurance? This blog aims to distill cyber insurance requirements.
Understanding Cyber Insurance Requirements
Two popular brokers that many companies in Canada turn to are Ridge Cyber and CFC. While many cyber insurance companies have overlapping requirements, it’s crucial to analyze the requirements of your specific insurance provider and stay up to date with these requirements. This blog will cover general best practices, but it’s important to note that it should not be used as an absolute truth or substitution for your due diligence. If you’re looking for a free consultation for your specific cyber insurance requirements and want to see how WatchDog can help you meet these needs quickly and automatically while providing enterprise-grade security at an affordable price, you can book a complimentary consultation call hereto discuss your cyber insurance requirements.
Understanding Your History
First and foremost, cyber insurance companies will want to know if you have had any previous claims, incidents or other circumstances in a fixed period (anywhere from 3 -10 years), such as network outages, breaches, ransomware, insider attacks or others. While this is a red flag for insurance companies, they understand mistakes happen. They will most likely want you to briefly describe what happened, including its impact, steps taken to respond, what was put in place to ensure it’s less likely to happen again and the total cost of responding to the incident, including lost income. It’s important to understand that you can still get insured with a good enough answer. However, it’s also important to note that your premiums will most likely reflect this. This is because the insurance companies need to assess your risk and adjust the premiums accordingly.
Business Continuity and Disaster Recovery (BCDR) Strategy
Not all incidents can be contained, and sometimes threats will slip through (especially if they are advanced threat actors, e.g., state-sponsored). By recognizing that no solution is perfect, you can build an in-depth defence with a solid BCDR strategy. Simply put, this is how you approach backups of your critical infrastructure (e.g. any data you cannot live without or would be disastrous to get out to the general public) and how you protect access to them. Insurance providers will want to understand what mechanisms they have in place to recover in the event of a cyber security incident. For Startups and SMBs relying on Cloud assets, this can be as simple as leveraging cloud-native backup capabilities, securing access to them, and setting them up in such a way they cannot be modified or deleted (e.g. a bucket lock for backups stored in cloud storage buckets). For on-prem assets, this can get a bit trickier. But in essence, it’s crucial to follow the 3-2-1 backup strategy, a highly effective method ensuring you have 3 copies of your data in 2 different geographical locations with 1 being off-site. Managing backups can be tricky, but it’s crucial to configure them and attempt to restore them at least annually (including once immediately after configuring backups to verify they work as expected).
General Approach To Protecting Sensitive and Confidential Information
Next up, cyber brokers or underwriters will want to know how you approach protecting sensitive and confidential information. Whether you are a SaaS company hosting PII on a Cloud platform or a service company that holds sensitive records on behalf of other companies (e.g. law offices and healthcare facilities), this requirement can be a concern. Insurance providers will typically be looking for how you delegate access to individuals who access data that is either sensitive or confidential data, how data is transmitted (e.g. encryption in transit or at rest), network segmentation (if applicable) and your general information security practices.
Incident Response Capabilities
No one can guarantee they can never get hacked, and cyber brokers understand that. While you can’t 100% protect yourself, with the correct capabilities in place (e.g. Security Operations Center (SOC) monitoring) and the correct individuals in place (e.g. analysts, threat hunters, incident responders), you can detect incidents early and quarantine them to stop them in their place before they have a chance of spreading across your network or affecting other assets. While it may seem expensive, this level of security can be averted by working with a trusted third party.
Vulnerability Management
For tech-based Startups and SMBs that develop their applications (e.g. SaaS apps, middleware), insurance providers will be curious about how you handle vulnerability management. These providers will evaluate how often you conduct penetration testing and vulnerability scanning of your assets, your SLAs for fixing critical or high issues detected or reported, and where you centralize your vulnerabilities as of today.
Endpoint Protection Mechanisms
Diving back into preventative measures, insurance providers will likely be interested in learning about the types of endpoint protection you have in place today across your workstations and servers (cloud or on-prem). Endpoint Protection includes several components, one being Endpoint Detection & Response (EDR) software, managed internally or by a third party, and someone is on call to investigate alerts. It also includes how you handle patch management and how it’s performed. Automatic updates can be configured at an endpoint level. While automatic updates can be risky given they can break the environment (due to incompatibility), it is recommended as the benefit outweighs the risk significantly, as out-of-date software is one of the other standard items hackers look for – especially since they usually contain well-known vulnerabilities. To mitigate risks, creating an automatic weekly backup of servers when you update them is a great way to have a copy. In addition to EDR monitoring, insurance providers will try to determine if you are logging relevant security events (e.g. using a Security Incident Event Management (SIEM) solution) and if it is actively being watched by a Security Operations Center (SOC) team. They will want to know if devices are encrypted and how you monitor for this. While not an exhaustive list of endpoint security protections, these are some of the more common ones we observe insurance providers asking for.
Human Security
Human security is an overarching field that covers various security controls related to reducing the risk humans impose on your organization. One of these controls is the Multi-Factor Authentication (MFA) requirement across everything, which is of extra importance to your critical infrastructure or applications. Another thing insurance providers may look for is if you have a system to analyze inbound (and outbound) emails and scan them for security threats before they are sent to your users – this is also referred to as an email firewall. Another significant aspect is password management and if your employees and contractors manage passwords securely (e.g. through a password manager). Finally, insurance providers will be curious about how you handle Identity & Access Management (IAM) and if you follow the concept of least privilege (e.g. only giving employees access to what they require, with the appropriate permissions). Finally, they will want to know how you train your users to identify these threats and respond to them accordingly through awareness training and phishing simulations.
The expertise of our veteran consultants backs WatchDog Security’s Workspace Defender package. Our dashboard can automate 95% of all cyber insurance requirements, including human security (password management, email firewall, human risk scoring) and endpoint protection (24x7x365 logging and monitoring, MDR, hardening, automatic updates). Your accompanying human-backed team acts as an extension of your organization, proactively responding to threats and reaching out to your employees and contractors when action is needed. Our consultants, who have consulted for some of the largest enterprises in the world, provide integrated penetration testing and vulnerability assessment services. With WatchDog Security, you can meet general security guidelines with a tailored security program that gamifies your security, providing insight into your employee’s password adoption habits and other critical data while automating remediation actions (e.g. creating an individualized training program based on deficient data we collect) and much more.
1. What are the limitations of cyber insurance, and what does it not cover?
Cyber insurance has several limitations and exclusions, such as not covering incidents deemed related to acts of war, terrorism, or other nation-state attacks. It also typically does not cover internal threats, prior incidents to when the coverage began, failures in contractual obligations, and other indirect losses, such as market share or reputational damage. As stated earlier in this blog post, each underwriter or broker differs in their limitations, and reviewing your agreement with your provider is essential.
2. Should a small business have cyber insurance?
Yes, every business should have cyber insurance. The average cyber attack costs at least $100,000 to recover from (or from other losses, e.g., lost revenue or customers); having cyber insurance in place can provide you with a haven to help pay for any associated costs. For SMBs or Startups handling sensitive data or with a heavy reliance on technology (e.g. SaaS apps), it is recommended to have credit insurance to help offset any costs related to identity monitoring (e.g. typically after a breach of customer data each of them needs to get data breach monitoring for at least one year) and fraud protection. For businesses that operate in the e-commerce space or low-risk spaces where they do not come in contact with sensitive or disastrous data and are not required to maintain it at the request of a relevant third party, it may provide less value, given that these businesses are likely to face fewer incidents.
3. Will cyber insurance companies pay ransoms? How about data loss?
It all comes down to the specific policy you sign; however, in most cases, cyber insurance providers can cover ransom payments in the event of an attack while requiring certain pre-conditions (e.g., reporting the incident to law enforcement). They also can cover data loss, but here’s the catch: the extent of coverage will vary based on your policy. The costs are typically related to data restoration, business interruption, and legal liabilities. It is essential to review your policy (or hire a third-party legal expert) to understand the extent of coverage they will provide, as it could be the difference between a minor inconvenience and a major setback for your business.

