The past three years have seen an explosion in the number of our end-user customers taking out cyber insurance cover. I’m having a lot of conversations with partners seeking advice on filling out insurance proposals on a customer’s behalf, some of which still include outdated controls such as password expiry.


As part of the value add from the Microsoft team here at Dicker Data NZ, we have opened a dialogue with the insurance industry to better understand what is required, and then to assist you, our partners, to meet those requirements.


From our discussions so far, there is a willingness from the insurance industry to listen and adapt to the new security paradigm. So let me summarize what we are hearing and how this will affect you as a partner.


Overall, insurers are understandably looking to reduce risk, and part of this is explicit verification of the customer’s security posture. Also, critically for you, is the ability to attach some responsibility to the customer’s MSP, to ensure that you are delivering a comparable or better risk for them.

What should this responsibility look like?

Clearly document an incident response plan. What happens if? Who does what? Make sure to include recovery, but also gather evidence for post-incident analysis.

Plan to preserve logs, as the insurer will want to forensically examine what happened and how.

Let’s drill down on the Microsoft solutions that are applicable, and the ways we can use the solutions within Microsoft 365 Business Premium to satisfy these requirements and provide verification to the insurers.

Secure Score allows the insurer to assess risk in comparison to similar customers over the last three months.

Insurers focus on email, identity, and the ability to restore. We can supplement this with detail in each of these areas.


Document what controls you have in place.


For example: DKIM and mail filtering, then extend to Defender for Office 365. Show screenshots for verification.

Back up data, not systems: as part of your incident response, assume that the malicious actor has already established persistence in the environment, including in the backups. Show that you regularly and successfully complete file-level restores. While the insurers will be looking for offline backups, you can also back up to WORM devices, or implement soft delete and vigorously control access to the backup service. Ensure at least two people hold the backup encryption key and that it cannot be changed without both authorising.
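The two pieces of evidence this paragraph asks for, a recorded file-level restore test and two-person control of the backup encryption key, can be produced with a small script. The following is an added example, not code from the original post or from any Microsoft backup product; the sample files are constructed inline, backup and restore are simulated with in-memory copies, and the 2-of-2 key custody uses a plain XOR split so that neither custodian's share alone reveals anything about the key.

```python
"""Added example: restore-test evidence and 2-of-2 custody of a backup key.

Assumptions (not from the original post): file contents below are
constructed; 'backup' and 'restore' are simulated as dict copies; the
custodian names are hypothetical placeholders.
"""
import hashlib
import json
import secrets
from datetime import datetime, timezone

# Constructed sample data set standing in for a customer's file share.
SAMPLE_FILES = {
    "finance/invoices-2023.xlsx": b"invoice rows ...",
    "hr/policies.docx": b"policy text ...",
    "it/runbook.md": b"# Runbook\nsteps ...",
}


def manifest(files):
    """SHA-256 manifest taken at backup time (path -> hex digest)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def verify_restore(original_manifest, restored_files):
    """Compare a restored set against the backup-time manifest.
    Returns (ok, missing, corrupted) so the evidence states exactly what failed."""
    restored_manifest = manifest(restored_files)
    missing = sorted(p for p in original_manifest if p not in restored_manifest)
    corrupted = sorted(
        p for p, digest in restored_manifest.items()
        if p in original_manifest and original_manifest[p] != digest
    )
    return (not missing and not corrupted), missing, corrupted


def restore_test_record(original_manifest, restored_files, tester):
    """Build the record you would attach to the insurance proposal."""
    ok, missing, corrupted = verify_restore(original_manifest, restored_files)
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "tester": tester,
        "files_checked": len(original_manifest),
        "result": "PASS" if ok else "FAIL",
        "missing": missing,
        "corrupted": corrupted,
    }


# --- Dual control of the backup encryption key -----------------------------

def split_key(key):
    """2-of-2 split: share_a is random, share_b = key XOR share_a.
    Each custodian keeps one share; both are needed to rebuild the key."""
    share_a = secrets.token_bytes(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b


def combine_key(share_a, share_b):
    """Rebuild the key from both shares (fails loudly on a mismatch)."""
    if len(share_a) != len(share_b):
        raise ValueError("share length mismatch")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def rotate_key(new_key, approvals, required=("backup-custodian-1", "backup-custodian-2")):
    """Changing the key needs an explicit approval from every named custodian
    (hypothetical names). Returns the new shares or raises PermissionError."""
    outstanding = [c for c in required if c not in approvals]
    if outstanding:
        raise PermissionError("key change not authorised by: " + ", ".join(outstanding))
    return split_key(new_key)


if __name__ == "__main__":
    backup_manifest = manifest(SAMPLE_FILES)
    restored = dict(SAMPLE_FILES)
    restored["hr/policies.docx"] = b"policy text ... truncated"  # simulate a bad restore
    print(json.dumps(restore_test_record(backup_manifest, restored, "msp-engineer"), indent=2))

    key = secrets.token_bytes(32)
    share_a, share_b = split_key(key)
    assert combine_key(share_a, share_b) == key
```

Keep the restore records in the same evidence pack as the screenshots: a dated list of PASS results, with the occasional documented FAIL and its follow-up, is stronger proof than a single "backups enabled" tick box.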


Another requirement from insurers, which goes back to fundamental security, is to understand what you have and what you are looking to protect.


Attach inventories of both software and hardware. Use the Vulnerability management blade in the Microsoft security center.

If you have vulnerable software, state why it is there and how you are going to protect it, and how often you review this. For the below, I would say that I review monthly and that Adobe Reader will be unsanctioned and removed from my environment.
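The "why, how, and how often" statement for vulnerable or unsanctioned software is easy to let go stale. The following is an added example, not code from the original post or an export from the Vulnerability management blade: it takes a constructed software inventory, a constructed list of sanctioned products with minimum versions, and the exception statements on file, and reports which items are unsanctioned or below minimum and whether their statement has been reviewed inside the monthly window the post describes.

```python
"""Added example: monthly review of a software inventory against policy.

Everything below is constructed for illustration; the inventory, the
sanctioned list and the exception statements are not real customer data.
"""
from datetime import date, timedelta

# Constructed inventory (the shape you would export from the blade).
INVENTORY = [
    {"device": "LAPTOP-01", "software": "Adobe Reader", "version": "11.0.23"},
    {"device": "LAPTOP-01", "software": "7-Zip", "version": "22.01"},
    {"device": "LAPTOP-02", "software": "7-Zip", "version": "19.00"},
    {"device": "LAPTOP-02", "software": "Microsoft Edge", "version": "118.0.2088.46"},
]

# Constructed policy: sanctioned products and the minimum acceptable version.
SANCTIONED = {"7-Zip": "22.01", "Microsoft Edge": "118.0.0.0"}

# Constructed exception statements: the "why and how" for known-risk items,
# each with the date it was last reviewed.
EXCEPTIONS = {
    "Adobe Reader": {
        "reason": "unsanctioned; scheduled for removal",
        "mitigation": "removal ticket open, install blocked for new devices",
        "last_reviewed": date(2023, 1, 5),
    },
}

REVIEW_INTERVAL = timedelta(days=31)  # "I review monthly"


def version_tuple(version):
    """Turn '11.0.23' into (11, 0, 23) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def review_inventory(inventory, sanctioned, exceptions, today,
                     review_interval=REVIEW_INTERVAL):
    """Return one finding per inventory item that needs a statement.

    status: 'unsanctioned' or 'below-minimum'
    action: whether the statement on file is current, stale, or missing
    """
    findings = []
    for item in inventory:
        name, version = item["software"], item["version"]
        if name in sanctioned:
            if version_tuple(version) >= version_tuple(sanctioned[name]):
                continue  # sanctioned and up to date: nothing to report
            status = "below-minimum"
        else:
            status = "unsanctioned"

        statement = exceptions.get(name)
        if statement is None:
            action = "no statement on file"
        elif today - statement["last_reviewed"] > review_interval:
            action = "statement stale, re-review"
        else:
            action = "statement current"

        findings.append({
            "device": item["device"],
            "software": name,
            "version": version,
            "status": status,
            "action": action,
        })
    return findings


if __name__ == "__main__":
    for finding in review_inventory(INVENTORY, SANCTIONED, EXCEPTIONS, date.today()):
        print(finding)
```

Run it as part of the monthly review and attach the output: a finding with "no statement on file" is a gap the insurer would otherwise discover for you, and "statement stale" is the prompt to re-review before the proposal goes in.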

 

Look at what reports are available and use these to verify mail flow rules, device health, etc. These are all things you do not currently see on a proposal form, but they give the insurer confidence and visibility.

All this information may not be needed to fill out a simple tick-box questionnaire, but attaching it shows that you as an MSP are a low-risk choice because you are going above and beyond the requirements. Remember, the insurer is looking to profile the risk not just of the customer but of you as a service provider.


Consider making this a chargeable service that you provide, or include it in your service offering. If you can lower the premium your customer has to pay, that makes these reports valuable.


If having you as a service provider means I pay less in premiums, why wouldn’t I choose you?


Dicker Data will continue our dialog with the insurance providers and keep you updated on our progress.

Till next month, stay secure, insured, and safe.