IN THE PUBLIC EYE

System Security Standards Guidelines for Cyber Quotes

Author: Alliant

 
Because cyber insurance market conditions have been difficult for the past several years, Alliant’s public entity cyber team periodically releases a bulletin describing the cybersecurity controls underwriters expect of public entities seeking cyber insurance. We issue it to keep clients and interested parties informed about which controls underwriters are scrutinizing, so that they can implement the recommendations and present as more attractive risks.

As the cyber insurance market continues to change, we have updated this summary of the system security standards commonly required to obtain a quote. Please note that each carrier has its own requirements, and this document is not “one size fits all.” Organizations have different exposures and will fall into or out of the appetite of different underwriters, but this is generally what we are seeing in the marketplace. Larger organizations can expect more scrutiny.

MFA 100% implemented for remote access and privileged user accounts.

Minimum: MFA enforced for access to email (e.g., enforced via Office 365. Note: if using O365, enabling Advanced Threat Protection, now sold as Microsoft Defender for Office 365, is also a recommended standard).

Minimum: MFA enforced for access to “privileged user accounts” (e.g., domain, server and application administrator accounts, typically those held by the information technology department). Underwriters increasingly expect MFA on every remote-access path, including VPN and remote desktop gateways, not only on email.

Endpoint Detection & Response (“EDR”) product implemented across the enterprise.
Minimum: an Endpoint Detection & Response (EDR) solution is in place on servers and workstations.

If Remote Desktop Protocol (RDP) connections are enabled, the following are implemented:
Minimum: RDP and any other remote access software are reachable only through an MFA-enabled VPN, never directly from the internet.

  • Network Level Authentication (NLA) enabled on RDP hosts, so that a user must authenticate before a desktop session is created

Backups

Minimum: regular backups are (i) in place, (ii) tested for successful recovery, (iii) stored separately (i.e., ‘segregated’) from the primary network, for example offline or in immutable storage that production credentials cannot modify, (iv) encrypted, and (v) protected with anti-virus or monitored on a continuous basis.

  • Restore tested at least twice per year
  • Ability to restore within 24-72 hours, and faster for critical operations (4-8 hours)


Planning & Policies

Minimum: tested (rehearsed) Incident Response, Disaster Recovery and Business Continuity plans are in place, and evidence of the most recent exercise is retained.

  • Incident Response Plan
  • Disaster Recovery Plan
  • Business Continuity Plan

Training

Minimum: security awareness training and regular simulated phishing exercises for all users.

  • Social engineering training
  • Phishing training
  • General cybersecurity training
  • Training of accounts payable and finance staff on recognizing fraudulent transaction requests (e.g., supplier bank-detail changes)

 
Patching

Minimum: critical and high severity patches installed within 1-7 days of release for vulnerabilities with known active exploits; the closer to one day, the stronger the posture. Be prepared to evidence the patch cycle and any exceptions.
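One way to evidence the patching standard above, as an added example that is not part of the original bulletin or any carrier’s tooling: a Python script that scores vulnerability-scanner findings against the 1-7 day window. The SLA split (1 day when exploitation is known, 7 days for other critical/high findings), the record layout and the sample findings are all assumptions constructed for illustration.

```python
"""Patch-SLA compliance check over vulnerability-scanner findings.

Added illustration, not Alliant's or any carrier's tooling.  The SLA tiers,
the record layout and the sample findings are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed SLA tiers (days from fix availability to installation).  The
# bulletin gives a 1-7 day range; this splits it as "1 day when exploitation
# is known, 7 days for other critical/high findings".  An actively exploited
# finding is treated as in scope whatever its scanner severity (assumption).
SLA_EXPLOITED_DAYS = 1
SLA_CRITICAL_HIGH_DAYS = 7
IN_SCOPE_SEVERITIES = {"critical", "high"}


@dataclass(frozen=True)
class Finding:
    finding_id: str             # scanner identifier (constructed)
    severity: str               # "critical", "high", "medium", "low"
    actively_exploited: bool    # e.g. listed in a known-exploited catalogue
    fix_available: date         # date the vendor patch became available
    remediated: Optional[date]  # None while the patch is still missing


def sla_days(f: Finding) -> Optional[int]:
    """Return the applicable SLA in days, or None if the finding is out of scope."""
    if f.actively_exploited:
        return SLA_EXPLOITED_DAYS
    if f.severity in IN_SCOPE_SEVERITIES:
        return SLA_CRITICAL_HIGH_DAYS
    return None


def days_open(f: Finding, as_of: date) -> int:
    """Days between fix availability and remediation (or `as_of` if still open)."""
    end = f.remediated if f.remediated is not None else as_of
    return (end - f.fix_available).days


def evaluate(findings: List[Finding], as_of: date) -> Tuple[list, list, float]:
    """Classify each in-scope finding as within SLA or breached.

    Open findings are measured against `as_of`, so an unpatched exploited
    bug keeps accruing days and shows as a breach even without a
    remediation date.  Returns (within, breached, compliance_pct) where the
    first two are lists of (finding_id, days_open, sla_days).
    """
    within, breached = [], []
    for f in findings:
        sla = sla_days(f)
        if sla is None:
            continue
        age = days_open(f, as_of)
        (within if age <= sla else breached).append((f.finding_id, age, sla))
    total = len(within) + len(breached)
    pct = round(100.0 * len(within) / total, 1) if total else 100.0
    return within, breached, pct


# Constructed sample findings; dates and identifiers are invented.
SAMPLE_FINDINGS = [
    Finding("F-1", "critical", True,  date(2024, 3, 1), date(2024, 3, 2)),   # 1 day, ok
    Finding("F-2", "high",     False, date(2024, 3, 1), date(2024, 3, 6)),   # 5 days, ok
    Finding("F-3", "critical", True,  date(2024, 3, 1), None),               # still open
    Finding("F-4", "high",     False, date(2024, 3, 1), date(2024, 3, 12)),  # 11 days, late
    Finding("F-5", "medium",   False, date(2024, 3, 1), None),               # out of scope
]
AS_OF = date(2024, 3, 10)

if __name__ == "__main__":
    ok, late, pct = evaluate(SAMPLE_FINDINGS, AS_OF)
    print(f"within SLA: {len(ok)}  breached: {len(late)}  compliance: {pct}%")
    for fid, age, sla in late:
        print(f"  {fid}: {age} days open, SLA {sla} days")
```

Run it against an export from your scanner mapped into `Finding` records; the breached list is the evidence underwriters will ask you to explain, and the open-finding handling is what stops a still-unpatched exploited bug from hiding behind a missing remediation date.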

 


Miscellaneous

  • Privileged Access Management. A PAM solution is now considered a minimum.
  • A plan to retire end-of-life software, or adequate compensating measures (e.g., network isolation) to protect it while it remains in use
  • Sufficient IT security budgets and dedicated security personnel. Carriers generally like to see roughly 10% of total IT spend go to security, but this will differ based on organization size.
  • Email security controls in place (e.g., spam and malware filtering, link and attachment scanning)
  • Service account management. What controls are in place to protect against loss from a compromised service account (e.g., an inventory of service accounts, least privilege, no interactive logon, and regular credential rotation)?

Please note this list is context-dependent.

If an underwriter views a client as potentially higher risk (e.g., due to previous incidents or losses), they may look for more beyond the ‘minimums’.
If the market continues to harden, underwriters’ ‘minimum’ expectations may increase in the future.

Different insurance carriers may have different expectations of ‘minimums’. This is our current best understanding. Many carriers are no longer writing new Public Entity business, regardless of controls.