As cyber-crime becomes further embedded in everyday life, and businesses attempt to arm themselves against online attacks, the sad fact is that without expert advice and guidance, many SMEs are falling foul of ever more sophisticated attacks.

Many of the attack vectors, or ways of getting into a business, are relatively easy and inexpensive to prevent, but reluctance to adopt these proactive measures, out of fear of complexity and cost, leaves many businesses vulnerable and insecure.

When cyber-crime strikes, the consequences for a business of any size can be catastrophic, and for many smaller companies result in the business failing. At the very least, the disruption to business, the cost of restoring operational IT systems, the loss of reputation and, in extreme cases, defending a data loss that must be reported to the ICO (Information Commissioner’s Office) will significantly dent any company’s cashflow.

More and more companies affected by cyber-crime turn to their corporate insurance policy to claim on their cyber or business interruption cover. As claims and the cost of payouts rise, the insurance community has reassessed its policy wording and requirements in an attempt to limit those payouts and to push the responsibility for proactive protection back onto the company requiring cover.

Today, the clauses in corporate insurance policies are getting increasingly tight, and the questions asked on policy applications are increasingly technical in gauging the risk of insuring a business.

The weight of responsibility for providing adequate protection has moved squarely back onto the company, and businesses can no longer rely on being covered by their corporate insurance if they have not taken comprehensive steps to mitigate all risks.

These specific questions are, in many cases, going to be difficult for many owners of small and medium-sized businesses to understand or answer correctly. For example, how many business owners or directors of SMEs know what an “immutable backup” is, let alone whether they are taking them at the frequency needed to provide the protection their insurance company is asking for?

This is a question posed by insurance companies on proposal forms in 2024, designed to assess a company’s ability to recover from a ransomware attack in which all files and computers have been locked by the attackers. Immutable backups are backups that cannot be tampered with once taken, so a ransomware attack cannot corrupt them, and they provide the route to restoring systems to a point before the attack.

Another question that even we found surprising asks for confirmation of specific network configuration information, which, as before, would not normally be something that owners and directors would know, or understand the relevance of.

The question is specifically: “Is one backed up instance of the data held on a separate network?”

As with the previous backup question, the insurance company is looking for an answer that shows the company understands the risk of having all the systems and data that operate the business in one place, and an additional question asks whether “…backed-up data instances are stored at two data centres with one data centre being at least 10 kilometres / 6 miles away from the other data centre?”.

For companies operating their own infrastructure in server rooms, this is what the insurer means by “data centre,” so backing up data to another server or storage unit in the same room or building won’t cut it in the future.

At a more basic level, but still one that many companies are not compliant with, is the protection of the users and devices a company relies on. The questions around this base level of security have also been tightened, and include:

Please state whether multifactor authentication is enabled for:

Multi-factor authentication should be seen as a non-negotiable step for all users who want access to a corporate network and the data contained therein, and in many cases it is free to enable. Insurers are sending a signal that companies which don’t have MFA turned on will not be covered for losses, and MFA should be a KPI that managers, directors and business owners measure their security posture against.

Vissensa provides free guides, advice and practical steps that businesses can adopt to increase their protection against cyber threats. We also provide cyber security audits, certifications and ongoing monitoring, management and security patching of user devices and IT systems, so get in touch and have a chat about what we can do for you and your business.

Example Corporate Insurance Document with Cyber Security Questions

Most insurance policies start with the following statement:

“You must provide us with all information which may be material to the cover you wish to purchase and which may influence our decision whether to insure you, what cover we offer you or the premium we charge you.”

Whether you have the following in place will also have a bearing on whether you are covered in the event of a claim:

Multifactor access information:

Is multifactor authentication enabled for the following:

– company email accounts Yes / No
– credentials that have access to cloud resources / systems Yes / No
– remote access user credentials to your network or systems (Virtual Private Networks (VPN) / Remote Desktop Solutions (RDS) etc.) Yes / No
– software or operating system components that allow commands or software to be executed remotely Yes / No

Backup and recovery planning information:

Do you have a backup policy in place for:

– critical systems used to provide your technology services to the business Yes / No
– all personal / client / supplier data that is held on your computer systems Yes / No
– data held on your clients’ or 3rd-party computer systems for which you are responsible Yes / No

If “yes” for any of the above state whether:

– one backup is held on a separately accessible network Yes / No
– you have prevented the duplicated modification or deletion of any backup from any one user account Yes / No
– one backed-up instance of the data cannot be modified (is immutable) Yes / No
– three instances of the backup are available (production and two backup instances) Yes / No
– backups are held in two secure locations with at least 6 miles of separation Yes / No
– each account used to access backup data has its own unique credentials Yes / No
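As an added illustration (not part of the insurer’s document or Vissensa’s material), the following Python evaluates a constructed backup inventory against the backup questions above: three instances, a copy on a separate network, an immutable copy, two sites at least 10 km apart, no single account able to delete every copy, and credentials not shared between copies. The inventory, coordinates and account names are invented, and the reading of “any one user account” as “no single account controls all copies” is our interpretation.

```python
import math
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class BackupCopy:
    name: str
    lat: float            # site coordinates, decimal degrees
    lon: float
    network: str          # network segment the copy is reachable from
    immutable: bool       # object lock / WORM / locked snapshot applied
    accounts: frozenset   # accounts able to modify or delete this copy

def distance_km(a: BackupCopy, b: BackupCopy) -> float:
    """Great-circle (haversine) distance between two sites, in km."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dphi = p2 - p1
    dlam = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def assess(production: BackupCopy, copies: list) -> dict:
    """Map each questionnaire item to True/False from the inventory."""
    instances = [production] + copies
    return {
        # production plus two backup instances
        "three_instances": len(instances) >= 3,
        # at least one copy off the production network
        "separate_network": any(c.network != production.network for c in copies),
        "immutable_copy": any(c.immutable for c in copies),
        # some pair of backup sites at least 10 km / 6 miles apart
        "geo_separation_10km": any(distance_km(a, b) >= 10 for a, b in combinations(copies, 2)),
        # no account appears in every copy's modify/delete set
        "no_single_account_controls_all": bool(copies)
            and not frozenset.intersection(*[c.accounts for c in copies]),
        # credentials for each instance are not reused elsewhere
        "unique_credentials": all(a.accounts.isdisjoint(b.accounts)
                                  for a, b in combinations(instances, 2)),
    }

# Constructed sample inventory (hypothetical sites and accounts)
PROD = BackupCopy("production", 51.5074, -0.1278, "lan-hq", False, frozenset({"svc-prod"}))
ONSITE_NAS = BackupCopy("nas-hq", 51.5074, -0.1278, "lan-hq", False,
                        frozenset({"svc-prod", "backup-admin"}))
CLOUD_LOCKED = BackupCopy("cloud-object-lock", 52.4862, -1.8904, "cloud-backup", True,
                          frozenset({"backup-cloud"}))

if __name__ == "__main__":
    for item, ok in assess(PROD, [ONSITE_NAS, CLOUD_LOCKED]).items():
        print(f"{item:32} {'Yes' if ok else 'No'}")
```

In the sample, everything passes except unique credentials, because the on-site NAS shares the production service account; an on-site copy alone fails every item.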