<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1703665079923990&amp;ev=PageView&amp;noscript=1">
Skip to main content

Clients have been engaging our team for assistance with cybersecurity insurance renewals with increased frequency, which has raised the question: Why? Is it that...

  1. Insurance providers’ claims / costs are going up, therefore they are more diligent and selective in client risk levels?

  2. Are the technologies and processes needed to combat cyber threats causing increased concern or confusion for businesses?

Turns out BOTH of the above are rapidly surfacing. After reviewing a dozen cybersecurity insurance questionnaires from both well-known (AIG, Chubb, Travelers) and lesser-known carriers (Axis, BCS, XL), I decided to give you my “Top 5” analysis areas.

 

Top 5 Surprising Things Carriers Ask About
  1. Risk-Specific Responses (Ransomware, Zero-Day)
  2. Staffing Information
  3. Vendor Management
  4. Inventory
  5. Encryption

To clarify, I’m NOT surprised these topics were present, as they are good questions. My shock can be better categorized into two buckets:

  1. The specificity of the asked questions. While I’m accustomed to seeing these in compliance-regulated organizations, they feel new and granular for cyber renewals. For example:
    1. “What specifically did your organization do to counter the Exchange Hafnium breach in March 2021?”

    2. “Who is the named person in the organization responsible for information security?”

  2. The focus is equal parts protection, detection, and response. We have been stressing for years that it’s not IF, but WHEN, an incident occurs. This emphasis on post-breach efforts with examples below is refreshing, but likely daunting to clients:
    1. “Do you have an Incident Response Plan and is it written, rehearsed, and tested by the responsible team?”

    2. “What tools and processes are in place to detect a Business Email Compromise?”

Other Notable Observations

Some cyber policy renewal questionnaires are lengthy (30+ questions) while others are pretty succinct (10 or fewer questions). Which one will your insurance provider give you? Additionally, it seems all providers are interested in limiting their risk relative to your cyber security investment, such as quarterly scans or periodic reviews

Insurance providers mean business.  Not completing the questionnaire or providing unsatisfactory answers means your policy is not renewed or rates jump through the roof. There is little to no chance you’ll escape tough questioning as this appears to be an industry trend, not a provider one. How will you backstop company livelihood in the event of a breach?

 
Top 5 Things They Asked About That Did NOT Surprise Me
  1. Security Awareness
  2. MFA
  3. Antivirus
  4. Data Backups
  5. Patching

Many businesses have solutions in place for these items, and/or combine solutions with a provider who executes for their team. In my analysis, these 5 protection-focused areas are all about execution.

Let’s give a couple of detailed examples relative to execution:

  • Example 1
    If the question is, “Do you back up your systems?” you (hopefully) can answer “Yes”.  But if the question asked instead, “Are your backups tiered to inaccessible areas of your network?", "Do backups require MFA to access?", and "Are full restorations of key systems tested every 6 months?” providing an answer requires a lot more evidence and execution of solid processes.

  • Example 2
    If the question is, “Do you leverage multi-factor authentication (MFA) for all administrator and remote access” you would like to answer “Yes”, but may not be able to. For administrators, perhaps you have MFA on for cloud apps (Office 365), but not for on-premises (Entra ID, formerly known as Active Directory). Perhaps some remote access has MFA (VPN), but other methods don’t have it (Citrix, Direct Access) or may require justification for why a non-traditional 2nd factor is in place.
 
Ascend Can Help

Ascend Technologies provides industry-leading, turnkey solutions for many of the controls required by cybersecurity insurance renewals. We are happy to chat with you about your cybersecurity insurance renewal or how these solutions can complement your security posture. These solutions reduce your IT burden, strengthen your security posture, and let you keep insurance carrier renewal rates low. Contact us today to learn more.

New call-to-action

 

Written by Bruce Ward, Director of Channels & Alliances