Author: Alliant
MFA 100% implemented for remote access and privileged user accounts.
Minimum: MFA implemented for access to email (e.g. enforced via Office 365; note that if using O365, enabling Advanced Threat Protection is also a recommended standard).
Minimum: MFA enforced for access to “privileged user accounts” (i.e., the information technology department).
Endpoint Detection & Response (“EDR”) product implemented across the enterprise.
Minimum: an Endpoint Detection & Response (EDR) solution is in place.
If Remote Desktop Protocol connections are enabled, the following are implemented:
Minimum: MFA-enabled VPN is used for access to any Remote Access software.
Backups
Minimum: regular backups are (i) in place, (ii) successful recovery is tested, (iii) backups are stored separately (i.e. ‘segregated’) from the primary network, (iv) encrypted, and (v) protected with anti-virus or monitored on a continuous basis.
Planning & Policies
Minimum: Tested (rehearsed) Incident Response, Disaster Recovery & Business Continuity plans are in place.
Training
Minimum: training and regular simulated phishing exercises for all users.
Patching
Minimum: critical and high-severity patches installed within 1-7 days for vulnerabilities with active exploits.
Miscellaneous
Please note this list is context-dependent.
If an underwriter views a client as potentially higher risk (e.g. due to previous incidents/losses), then they may look for more than the ‘minimums’.
If the market continues to harden, underwriters’ ‘minimum’ expectations may increase in the future.
Different insurance carriers may have different expectations of ‘minimums’. This is our current best understanding. Many carriers are no longer writing new Public Entity business, regardless of controls.