What happens if your organization falls prey to a cyber attack—is your firm protected from risk? Even though cybercrime is skyrocketing, it’s estimated that only 55 percent of organizations have cyber insurance to cover the fallout. What’s more, of these organizations, 37 percent don’t have coverage for things like ransomware payments. That’s why we’ve compiled a cyber insurance coverage checklist—to give you one more tool in the fight against cybercrime.
As a professional working in the Greater Philadelphia region, you likely already have coverage for many of the things you need to protect your business: Malpractice insurance for attorneys or physicians, financial industry coverage, or insurance for accounting firms, as well as things like small business insurance. But what about the technology infrastructure you rely on for daily operation, or the sensitive patient or client data stored within your network?
This is where cyber insurance comes into play. Here’s a comprehensive cyber insurance coverage checklist to help you understand what it is, why it might be necessary, and how this protection can help your organization when you most need it.
What You Need to Know About Cyber Insurance
It seems that each year brings record-breaking figures for cyber attacks, malicious data breaches, and other similar criminal activity. In fact, in 2022, the Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) registered 800,944 total complaints for the year, amounting to more than $10.3 billion in losses, a 49 percent increase in total losses from cyber incidents.
While these threats continue to rise in frequency and cost, organizations are seeking out ways to protect themselves from cyber risk. What is cyber risk? It is the likelihood, and the potential impact, of a malicious actor compromising the systems and data your organization depends on to operate. One way to insulate against these attacks is via cyber insurance, which can cover anything from incident recovery costs after an attack to indemnification for legal fees.
However, cyber insurance providers want to ensure that the organizations they protect are doing their due diligence and meeting certain security requirements. These required security controls help organizations adhere to best practices for cyber security, reduce the chance that an attack will happen, and also limit the total impact of a cyber incident.
What is cyber insurance? Cyber insurance is designed to protect against the losses that result from an attack. They can include coverage for things like:
- Data breaches, cyber extortion, fraud, or cyber attacks against your organization’s data, your vendors, or other third parties
- Cyber attacks within your network or anywhere across the globe that impact your operations
- State-sponsored attacks or terrorist-type attacks (read the policy's war and hostile-act exclusions carefully; many insurers limit or exclude coverage for attacks attributed to nation-states, so confirm the exact wording before relying on it)
- Legal counsel, guidance, and defense in a lawsuit or regulatory investigation
- Recovery or replacement of stolen data
- Customer and client notification
- Lost income from interruptions to your operations
- Crisis management and other public relations-related services
- Fees, fines, and penalties
- Investigatory and forensic services to understand the origin of a breach or attack
Any business, large or small, can benefit from incorporating cyber insurance into its cybersecurity plan. In fact, small- and medium-sized businesses are more at risk now than ever before; many bad actors target these smaller entities because they know they may not have the same level of protection as larger organizations. Regardless of the size of your business, cyber insurance can help you stay ready for cyber attacks: the underwriting process itself forces a review of where your weaknesses are, and you will know you have support in moments of crisis.
A Cyber Insurance Coverage Checklist: Meeting Requirements
Cyber insurance providers typically want to see that their clients meet six core requirements before they will offer coverage. Some organizations may already have some of these protocols in place, but insurers will want to see these security controls applied consistently across the network, computer systems, and entire IT infrastructure, not just on a few critical servers:
- Multi-Factor Authentication: Multi-factor authentication, or MFA for short, is one of the most effective ways to secure user accounts and keep unauthorized users out of an organization's systems and networks. Users must validate their identity not just with a username and password, which may be compromised, but also with at least one other factor, such as a one-time code from an authenticator app, a hardware security key, or a biometric like a fingerprint. Codes sent via text or email count as a second factor but are the weakest option, since they can be intercepted or relayed in real time by a phishing site; authenticator apps are better, and FIDO2/WebAuthn security keys are the only common factor that fully resists phishing. Insurers typically expect MFA on remote access (VPN and remote desktop), email, all internet- or cloud-facing applications, and every administrative account.
- Cybersecurity Training: One of the most impactful ways an organization can protect its networks and data is through routine training of its team members on the latest threats. This training also serves as an important reminder to stay vigilant. Since an estimated 82 percent of breaches involve a human element, such as a phished credential, a reused password, or a misconfiguration, it is critical to give employees the knowledge and techniques to avoid these mistakes. Periodic phishing simulations are a common way to measure whether the training is working.
- Routine Data Backups: With the increase in ransomware and malware attacks, data backups can make all the difference in a cyber attack, even the difference between a total loss of data and a complete recovery. This can include a combination of on-premises and off-site backups of essential data, but at least one copy must be kept offline or in immutable storage and protected by credentials separate from the primary network, because modern ransomware deliberately seeks out and encrypts or deletes any backup it can reach. Backups should also be restored on a regular schedule, not just verified as present, to confirm they are sufficient to bring operations back after an attack.
- Identity Access Management: Not every user should be able to access data across the entire network. Identity and access management (IAM) focuses on managing digital identities and their permissions so that only certain users can access specific data, based on their role, and so that access is removed promptly when someone changes role or leaves.
- Data Classification Enforcement: Each user should only have access to the data and systems they need to do their job. Data classification labels information by sensitivity (for example public, internal, confidential, or regulated) so that protections can be applied consistently across the network and all devices, enforcing a policy of least privilege under which users can only reach the resources relevant to their work.
- Endpoint Detection and Response: As an increasing number of organizations embrace remote work as part of their ongoing company culture, endpoint detection and response (EDR) software lets businesses identify suspicious behavior on laptops, desktops, and servers and respond before it spreads. An uptick in workers connecting remotely creates additional endpoints, which in turn increases the attack surface. EDR software strengthens security at these endpoints, heightens end-to-end visibility, and helps organizations identify attacks quickly and contain them, often by isolating a compromised machine from the network, so that an intrusion on one device is less likely to reach business-critical systems. Unlike traditional antivirus, which mostly matches known malware signatures, EDR records process, network, and file activity so an investigator can see how an attack unfolded.
You may also want to consider security protocols like strong password policies, antivirus software, firewalls, and creating and testing incident response plans and security risk assessments to help protect your network.
What Kind of Cyber Insurance Coverage Does Your Business Need?
As you evaluate your need for cyber insurance, you may want to consider the following cyber insurance coverage checklist:
- What is your level of risk? Both large and small entities are at risk of attack, but some industries and organizations may be more exposed than others: for instance, if you handle sensitive data like payment card numbers or patient health information, or anything governed by regulations like HIPAA, PCI DSS, or GDPR; if you depend on third-party vendors with access to your systems; or if you don't have experienced cybersecurity professionals on your team.
- What kind of risks need coverage? Cybercriminals leverage new methods of attack every day, which means you need to stay abreast of the changing threat landscape. You should be prepared to have coverage against common kinds of attacks like phishing, ransomware, fraud, compromised accounts, breach response, business interruption, and data restoration.
- Do you need first- or third-party coverage? First-party coverage pays your own out-of-pocket expenses after an attack, such as replacing hardware or systems that no longer work, as well as the costs of crisis management, reputation repair, and digital asset restoration. Third-party coverage covers your liability to others that arises from the attack, which may include property damage, regulatory defense, and fines and assessments for regulated data. Not all cyber insurance policies automatically cover things like funds transfer fraud or public relations, so you will want to determine what kind of protection you need and confirm it is written into the policy.
- What's the impact if you don't get cyber insurance? When evaluating your need for cyber insurance and your level of coverage, consider the cost of recovering all of your systems while also doing damage control through a public relations campaign, the cost of paying a ransom to a cybercriminal, the cost of business interruption keeping your operations shuttered for an extended period, and the cost of legal fees and potential settlements. In most cases, the cost of coverage is far less than the cost of absorbing these expenses yourself.
- What is your current cyber risk level? Any time you change your cybersecurity policies is a good opportunity to conduct a cyber risk assessment: identify where vulnerabilities exist in your current tech stack, retire systems that are no longer needed, and address any remaining areas of concern. Insurers frequently ask for this assessment, and the answers on the application must match what is actually deployed, since a misstatement can give the insurer grounds to deny a claim.
Protect Your Business with Christo IT
No one wants to think about the moment when disaster strikes—but it’s a little easier knowing you’re protected when it happens. At Christo IT, we’re dedicated to supporting the professionals we serve through our comprehensive managed IT services, now including cyber insurance.
Our goal has always been to give you the strategies and support you need to manage and secure your business, and now that means an extra layer of protection in the form of cyber insurance. Ready to learn more? Contact our team of expert engineers today!