I was talking to a customer today about their cyber insurance, specifically how they could meet the requirements necessary to get their desired coverage. In short, it’s getting a lot harder to meet the qualifications and it seems like it could get even harder in years to come. Companies are spending a good bit more to meet the basic obligations. Of course, they should have been practicing basic cyber hygiene all along, but that’s rarely the case. In any event, let’s break this down …
Over the last few months, my team and I have talked to lots of folks in the insurance industry, from insurance agents and brokers, to incident responders, to organizations who have gone through the process recently. We confirmed some suspicions, put some rumors to bed, and found ourselves actually surprised a few times. We are going to deep dive these findings during our Security User Group on August 23rd, but I’ll cover some of the basics here.
1 – Multi-factor Authentication (MFA) is table stakes for cyber insurance requirements.
2 – Money can buy happiness, if by happiness we mean being fully covered. Apparently, if an organization is willing to pay enough, then the requirements can be overlooked, at least in concept. While this is possible, no one that we talked to could think of (or admit to knowing of) any organization that had done this. Theoretically, it is possible.
3 – The cyber security basics really matter. It’s time to focus on the basics: vulnerability management, security awareness training, security policies, and a focus on risk. Not all of these basics are required, but they really should be. Following these basics is what will keep the malware and ransomware away, and hopefully keep your company out of the newspapers.
That’s enough for now, let’s catch up next week.