Cyber Insurance Applications: New Stringent Requirements Are NOT Designed to Protect YOU

Mar 07, 2022 at 10:21 am by pj


By JAMES GENTRY

(First of a Multi-Part Series)

Managed Service Providers (MSPs) are frequently asked for input on IT-related things.  Some make sense, like phone service, printer companies, etc.  But we don’t think many MSPs anticipated being involved in insurance matters.

With the advent of ransomware, insurance carriers started selling Cyber Insurance, and many of the questions on applications were too technical for clients to answer.  Our clients naturally came to us for help filling out the forms.

At first that was a ten-minute job, but as ransomware became more successful and prevalent, and as ransom amounts exploded, insurance underwriters started to impose stricter requirements before binding policies.  The questions began to get much more specific. Underwriters started to learn what tools were most effective against cyber-attacks and began to demand those tools be in place to get insured. 

Frankly, some of the questions stump some IT providers – it’s not easy to keep up with all the latest threats and protections.  It stands to reason, then, that underwriters have an even tougher time staying informed.

This often results in underwriters demanding unnecessary protections, which cost YOU money that could be more wisely spent. 

Here is something you should consider: if you were running a cyber insurance business, would it be better for your bottom line to pay every single claim, or to find a way to deny some of them?  Insurance carriers do NOT want to pay claims if they can help it, and if you misstate something on your cyber insurance application, even carelessly, the carrier may have legitimate grounds to deny your claim.  This happens all the time.

What’s the takeaway on this?  Cyber Insurance underwriters are putting these requirements in place NOT to protect YOU, but to protect themselves, and/or increase the chances that claims could be denied. 

It also means that most businesses will have to rely on their IT staff or MSP to answer these questions – but how do you know if your IT folks understand them?  What if your MSP “fudges” answers because they don’t want to look bad?  What if the IT guy you’ve had for years simply doesn’t know any better?  IT and cybersecurity are certainly related, but they are NOT the same thing, and there are legions of “Computer Guys” who have no idea how to handle cyberthreats. 

Your best defense is to become educated, even if you only learn just enough to be able to ask the right questions, and to get a sense of whether you are getting the right answers. 

With this in mind, we have begun a series of articles that will deal with the most common questions we see on cyberinsurance applications.  Each article will describe the particular requirement, why it’s important, and how to tell if you have it in place. 

Before we go there, however, we think it’s important for everyone to be on the same page.  This is the world we live in:

  • Protecting against cyberthreats is now a team effort. We can put all sorts of controls in place, but no control fully protects against an unsuspecting employee making a mistake.  Over 90 percent of ransomware incidents happen because an employee clicked on the wrong thing.  Education is key.
  • You may think you are too small or too obscure to be attacked. This could not be more wrong-headed.  Thousands upon thousands of small businesses have been attacked, but they don’t make the news because it’s now so common. 
  • The cybercriminals are very smart. We are continually amazed (and disgusted) by the clever ways they manage to circumvent protection.  MSPs may be smart too, but the bad guys only have to get it right once – the good guys have to get it right every time.  Not exactly an even playing field!

Here we go, then, with our first article in our series:

Does Your Business Use Email Scanning and Filtering for Malicious Attachments and Links?

What does email scanning and filtering do?

Email scanning and filtering software analyzes incoming email before it is delivered to your inbox.  It can be provided by a third party or by your email provider.  When a threat is detected, the suspicious message is quarantined rather than delivered.  All incoming email is scanned for threats such as:

Phishing attempts: these emails are designed to look like they come from a legitimate source, such as Microsoft or Google, and try to get you to log in to your account.  The links in the email actually lead to a fake site that imitates the real Microsoft or Google login page, and if you enter your password there, the cybercriminals have your credentials and can log in as you and read your email without your knowledge. 

Malicious software such as ransomware: these emails carry an attachment that looks important, often an Office document that asks you to enable macros or an archive containing a script.  They are frequently worded to evoke panic so that the recipient opens the attachment without thinking.  We sometimes see emails alleging that “your payment has been processed” for some service you never ordered, usually for a large amount of money.  Unfortunately, some people rush to open such attachments and unwittingly infect their computer and, from there, the rest of the network.   

Spam: spam is more of an annoyance than a threat, but it still should be aggressively filtered.  Why?  Because if your inbox is flooded with junk mail, you will have less time to scrutinize potentially dangerous emails, and you may make a devastating mistake.  
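To make the scanning step concrete, here is a small Python example that does, in miniature, what the filtering service described above does: it parses each inbound message, checks for the three patterns listed (a display name that impersonates a brand, a link whose visible text names one site while it actually points at another, and a dangerous attachment combined with "your payment has been processed" style urgency bait), and holds any hit in a quarantine that an administrator can report on and release.  This is an added illustration, not the article's own code and not any vendor's product.  Everything in it is assumed for the sake of the example: the brand list, the attachment-extension list, the urgency phrases, and the three sample messages, which are constructed rather than real captures.  A commercial filter layers sender reputation, URL rewriting, attachment detonation and trained classifiers on top of simple rules like these.

```python
"""Toy inbound-mail scanner: parses each message, applies a few phishing and
malicious-attachment heuristics, and quarantines hits. Illustration only; every list is assumed."""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Attachment types that rarely have a business reason to arrive unsolicited (assumed list).
DANGEROUS_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm", ".iso", ".lnk"}
# Brand named in a display name -> domain the mail should really come from (assumed list).
IMPERSONATED_BRANDS = {"microsoft": "microsoft.com", "google": "google.com"}
URGENCY_PHRASES = ("payment has been processed", "account will be suspended", "verify your account")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOSTLIKE_RE = re.compile(r"^(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)

def registrable_domain(host):
    """Crude eTLD+1 (last two labels); fine for the example, not for production."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def scan(raw):
    """Return (verdict, reasons) for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    # 1. Display name drops a well-known brand, but the address is not that brand's domain.
    if msg["From"] and msg["From"].addresses:
        sender = msg["From"].addresses[0]
        for brand, domain in IMPERSONATED_BRANDS.items():
            if brand in sender.display_name.lower() and registrable_domain(sender.domain) != domain:
                reasons.append(f"display name impersonates {brand} but sender domain is {sender.domain}")
    # 2. Collect body text, and flag anchors whose visible text names one domain
    #    while the href actually points at another (the classic fake login link).
    text = str(msg["Subject"] or "")
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html") and not part.is_attachment():
            body = part.get_content()
            text += " " + body
            if part.get_content_type() == "text/html":
                for href, label in ANCHOR_RE.findall(body):
                    target = urlparse(href).hostname or ""
                    shown = HOSTLIKE_RE.match(re.sub(r"<[^>]+>", "", label).strip())
                    if shown and registrable_domain(shown.group(1)) != registrable_domain(target):
                        reasons.append(f"link text shows {shown.group(1)} but points to {target}")
    # 3. Dangerous attachment types, and urgency bait combined with any attachment.
    attachments = [a.get_filename() or "" for a in msg.iter_attachments()]
    for name in attachments:
        if any(name.lower().endswith(ext) for ext in DANGEROUS_EXTENSIONS):
            reasons.append(f"dangerous attachment type: {name}")
    if attachments and any(p in text.lower() for p in URGENCY_PHRASES):
        reasons.append("urgency bait combined with an attachment")
    return ("quarantine" if reasons else "deliver"), reasons

class Quarantine:
    """Holds flagged mail so an admin can read the daily report and release false positives."""
    def __init__(self):
        self._held = {}

    def hold(self, raw, reasons):
        qid = f"q{len(self._held) + 1}"
        self._held[qid] = (raw, reasons)
        return qid

    def report(self):
        return [(qid, reasons) for qid, (_, reasons) in self._held.items()]

    def release(self, qid):
        return self._held.pop(qid)[0]  # raw bytes go back onto the delivery path

def filter_inbound(raw, quarantine):
    """Delivery-path hook: quarantine on any hit, otherwise let the message through."""
    verdict, reasons = scan(raw)
    if verdict == "quarantine":
        quarantine.hold(raw, reasons)
    return verdict

def build(sender, subject, text, html=None, attachment=None):
    """Builds the constructed sample messages used below (not real captures)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.com", subject
    m.set_content(text)
    if html:
        m.add_alternative(html, subtype="html")
    if attachment:
        m.add_attachment(b"\x00" * 16, maintype="application", subtype="octet-stream", filename=attachment)
    return m.as_bytes()

# Constructed samples: a credential-phishing mail, a fake receipt with a macro document, and a normal note.
PHISH = build('"Microsoft Account Team" <alerts@secure-login.example.net>', "Unusual sign-in activity",
              "Verify your account.", '<p>Sign in at <a href="https://login.secure-login.example.net/o365">'
              "https://login.microsoftonline.com</a> to review.</p>")
MALWARE = build("billing@example.org", "Your payment has been processed",
                "Receipt for $4,980.00 attached.", attachment="invoice_8823.docm")
LEGIT = build("colleague@example.com", "Lunch?", "Noon at the usual place?")
```

Running scan() over the three samples quarantines the first two with two reasons each and delivers the third; filter_inbound() is the point where a real system would sit between the receiving mail server and the mailbox, and Quarantine.report() is the daily digest from which a held legitimate message is released with Quarantine.release().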

Why is email scanning and filtering important?

According to a recent report by ID Agent, over 90 percent of successful ransomware attacks begin with an email carrying a fraudulent link or a malicious attachment.  Unfortunately, modern threats have proven quite successful at circumventing basic protection such as traditional, signature-based antivirus software. 

It is critical, therefore, that employees are educated about email-based ransomware attacks.  Numerous vendors offer security awareness training, such as sending simulated phishing emails to show employees what to look for.  While this does reduce successful attacks, it depends on humans staying sharp at all times and recognizing every threat.  As the success of ransomware illustrates, humans are not very good at consistently identifying dangerous links or attachments.

When an email filtering system quarantines suspicious messages automatically, however, it greatly reduces the human element of the equation.  Users can’t click or open something dangerous if it never reaches their inbox.

Does your business already use email filtering and scanning?

Mainstream email providers generally include basic filtering.  Microsoft 365 (through Exchange Online Protection) and Google Workspace (through Gmail’s built-in spam and phishing protection), for example, both scan and filter inbound mail at no extra cost.  However, the bundled tier is generally less capable than a dedicated filtering service or the vendor’s own paid add-on (Microsoft Defender for Office 365, for instance, adds link rewriting and attachment sandboxing), and it may not offer much help when things go awry, such as a legitimate email being flagged as spam (a false positive). 

Many paid filtering services send a daily quarantine report so that you can spot legitimate messages that were held (false positives) and have them released. 

Smaller email providers may not offer any filtering at all, and it then falls to the end users (or business owners) to find proper protection against incoming email threats.  Do not take this responsibility lightly: every mailbox in your company, including your own, is a potential entry point that could threaten the existence of the entire business.  Proper email filtering and scanning significantly reduces the number of threats that reach you and your employees. 

Do you need help understanding or implementing email filtering and scanning?

If you have a dedicated IT service or outsource your IT services, your IT provider can tell you if your firm is using email scanning and filtering.

Many outsourced providers have comprehensive experience responding to questions on cyber risk applications and can easily determine if the email bundle used by your firm includes basic email filtering and scanning.

In our article next month, we will discuss SPF, DKIM, and DMARC, the email authentication standards that let receiving mail servers verify that a message claiming to come from your domain was actually authorized by you, which makes it much harder for criminals to forge your address.  Stay vigilant!

James Gentry is the president of Atlantic Data Team, a central-Florida-based business IT company.  If you cannot get a straight answer on whether you use filtering or not, we will be happy to help you, at no charge, determine if you are protected.  We are committed to making the web a safer place.  For more information go to www.atlanticdatateam.com or email office@atlanticdatateam.com