
Cyber Insurance Applications Are Intense – Ep 363 

July 8, 2022

By Donna Grindle

When you’re shopping for cybersecurity insurance, the applications can be intense. You’ll need to provide a lot of details about your current security protections, and you may be asked to complete a security audit. This is because insurance companies want to be sure that they’re not insuring businesses that aren’t doing everything they can to protect themselves from cyber attacks.



Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

The Privacy and Security Boot Camp

3.5 day In Person Event

Sep 12, 13, 14 and 15

PriSecBootCamp.com

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!


HIPAA Say What!?!

[02:52] Law Enforcement access to medical records. Does HIPAA block access?

It depends. But there is an element within HIPAA law that says that law enforcement can request certain things in your medical records, but it has to be using a court order that has been signed by a judge. It has to be like a subpoena or search warrant kind of thing. There’s a lot of legal mumbo jumbo, but it is possible. It also must be very specific if they do.

A further part of that is that I am allowed as an individual, if I am a victim of a crime and/or I see someone committing a crime, to say I know the suspect’s name because of my job and report them to the police. But all I can tell the police is the name. I can’t tell you anything about their medical records. But if I am a witness and I’m asked, did you see the person? Yes, I did. I saw David Sims steal that grocery cart and get in it and ride it down the hill. That is it.

It’s a fact-specific determination, but it requires very specific legal reasoning and legal documents. And I strongly encourage any healthcare provider to notify their patients should one of those come across their desk, because there’s been a case in Connecticut where they didn’t notify the patient, and the patient got a bunch of money out of the practice; it went all the way to the Connecticut Supreme Court. Unless the judge orders you not to inform that patient, we recommend you notify the patient any time something like this is requested.

405(d) Tip of the Week

[07:47] Practice #10: Cybersecurity Policies: Establishing and implementing cybersecurity policies, procedures, and processes is one of the most effective means of preventing cyber attacks. They set expectations and foster a consistent adoption of behaviors by your workforce. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.

For Small Organizations:

  • Establish Roles and Responsibilities. Describe cybersecurity roles and responsibilities throughout the organization, including who is responsible for implementing security practices and setting and establishing policy.
  • Instill Education and Awareness. Describe the mechanisms by which the workforce will be trained on cybersecurity practices, threats, and mitigations.
  • Provide Laptop, Portable Device, and Remote Use policies. Describe the policies that relate to mobile device security and how these devices may be used in a remote setting.

For Medium/Large Organizations Also Do These:

  • Implement Acceptable Use / Email Use Policies. Describe actions that users are permitted and not permitted to take. Explicitly define how e-mail is to be used.
  • Establish Incident Response and Disaster Recovery plans. Define the standard practices for recovering IT assets in the case of a disaster, including backup plans.
  • Provide guidance on Personal Device use. Define the organization’s position on the use of personal devices (i.e., BYOD). If these are permitted, establish expectations for how the devices will be managed.

Cyber Insurance Applications Are Intense

[11:55] We have heard it for years: “I don’t have to do all of that, insurance will cover us.” This approach has been the standard for many groups for years, until they actually have something happen.

We even had a group say they only had 5 locations and 7 physicians so they were “too small” to do things like policies and procedures for so many things. The minimum is fine for someone “small” like them. Plus, they have insurance so it will cover them.

Recently, we have been getting inquiries from folks having to complete their insurance renewal forms or applications for new coverage. As one admin told me, “my IT guy does not feel comfortable filling out this application.” He is an employee, it turns out. David mentioned that it takes a lot of time to fill out some of these applications now. In case you haven’t been the one to review these applications, today we are covering a few of the things they ask.

In a future episode we plan to bring back our friend John Miller who has spoken with us several times about cyber insurance. Today, we just want to look at sample applications to get you thinking about what is important and help us plan for questions to ask when we finally get his schedule to work with ours.

[07:47] What do you want to cover?

Some applications list the separate coverage elements you can buy and ask how much coverage you want for each one. Here are some examples of those options:

  • Network Security & Privacy Liability
  • Network and Information Security Liability
  • Communications and Media Liability
  • Regulatory Defense Expenses Including Fines
  • Crisis Management Event Expenses
  • Security Breach Remediation and Notification Expenses
  • Victims of Breach ID Monitoring
  • Security Event Costs
  • Forensic Investigation
  • Computer Program & Electronic Data Restoration Expenses
  • Computer Fraud Expenses
  • Funds Transfer Fraud
  • E-Commerce/Cyber Extortion / Ransomware Payments
  • Business Interruption and Additional Expenses
  • Non-Physical Business Interruption & Extra Expense
  • Loss of Digital Assets
  • Property Damage Due to Cyber Event
  • Employee Privacy Liability
  • Cyber Terrorism Coverage
  • Third-party claims arising out of, or alleging financial loss as a result of, a failure of the insured’s network security or a failure to protect confidential information
  • Third-party claims alleging bodily injury or third party property damage caused by a security failure or privacy event
  • Third-party claims alleging bodily injury and third party property damage caused by a breach of a computer system that is part of an insured’s product

[22:14] Recent History Questions

Have you had a data breach resulting in the misappropriation or public disclosure of personal Information, or has a claim, suit, inquiry, complaint, notice of charge, notice of hearing, regulatory action, governmental action or administrative action related to the coverage applied for, including but not limited to actions involving

(1) libel or slander,

(2) privacy rights,

(3) plagiarism,

(4) piracy,

(5) misappropriation of ideas, or

(6) infringement of copyright, domain name, trademark, logo

been made or brought against any person or entity proposed for this insurance?

Is the applicant, president, member of the board of directors, executive officer, general counsel, staff attorney, chief information officer, chief security officer, chief privacy officer, manager or any individual in a substantially similar position as those previously referenced or with substantially similar responsibilities as those referenced aware of any previous data breach or allegation, fact, circumstance, contention, incident, threat or situation which may result in a claim, suit, inquiry, complaint, notice of charge, notice of hearing, regulatory action, governmental action or administrative action related to the coverage applied for, including but not limited to one or more of the actions described above?

Received any claims or complaints with respect to privacy, breach of information or network security unauthorized disclosure of information, or defamation or content infringement?

Been subject to any government action, investigation or subpoena regarding any alleged violation of a privacy law or regulation?

Notified consumers or any other third party of a data breach incident involving the Applicant?

Experienced an actual or attempted extortion demand with respect to its computer systems?

In the past 3 years, has any service provider with access to the Applicant’s network or computer system(s) sustained an unscheduled network outage or interruption lasting longer than 4 hours?

If “Yes”, did the Applicant experience an interruption in business as a result of such outage or interruption?

[26:47] How do you protect what you have today?

Do you collect, store, host, process, control, use or share any private or sensitive information in either paper or electronic form? How many records of each?

Does the company maintain a data classification and data governance policy?

Does the company maintain documentation that clearly identifies the storage and transmission of all Privacy Information?

When was the company’s privacy policy last reviewed?

Does the company have a formal risk assessment process that identifies critical assets, threats and vulnerabilities?

Does the company have a disaster recovery and business continuity plan?

Does the company have an Incident Response Plan for determining the severity of potential data security breaches and providing prompt notification to all individuals who may be adversely affected by such exposures?

Does the company perform reviews at least annually of the company’s third-party service providers to ensure they adhere to company requirements for data protection?

Does the company conduct security vulnerability assessments to identify and remediate critical security vulnerabilities on the internal network and company public websites on the Internet?

Does your company perform assessments or audits to ensure third party technology providers meet company security requirements? If Yes, when was the last audit completed?

Does your company have a formal process for reviewing and approving contracts with third party technology service providers?

Are business associate agreements in place for all third parties?

Is network security outsourced or managed internally? Provide name of outsourced company.

Does your company encrypt Privacy Information

  • Transmitted over public networks?
  • Stored on mobile assets (e.g., laptops, phones, tablets, flash drives)
  • Stored on enterprise assets (e.g., databases, file shares, backups)
  • Stored with 3rd party services (e.g., cloud)

If “No”, are the following compensating controls in place:

  • Segregation of servers that store sensitive and confidential information?
  • Access control with role-based assignments?

Do you use Multi-Factor Authentication (MFA) to secure all cloud provider services that you utilize?

Do you use MFA to protect all local and remote access to privileged user accounts?

Do you use a next-generation antivirus (NGAV) product to protect all endpoints across your enterprise?

Do you use an endpoint detection and response (EDR) tool that includes centralized monitoring and logging of all endpoint activity across your enterprise? Is EDR deployed on 100% of endpoints?

Can users access the network with their own device (“Bring Your Own Device”)?

How long does it take to restore? 0-12 Hours, 12-24 Hours, 24+ Hours

External scans must be run and approved before discussing potential coverage.

[50:22] Do not try to fudge the details

The undersigned authorized representative (president, CEO, or chief information/security officer acceptable to ABCIns) of the applicant declares that to the best of his/her knowledge and belief, after reasonable inquiry, the statements set forth in the attached ABCIns new business or renewal application for insurance are true and complete and may be relied upon by ABCIns. If the information in any application changes prior to the inception date of the policy, the applicant will notify the company of such changes, and the company may modify or withdraw any outstanding quotation. The company is authorized to make inquiries in connection with this application.

There you have it folks. Prepare yourself for your next application and make sure you are ready to answer tough questions about what you have in place now and in the future.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.

HelpMeWithHIPAA.com Is A
Collaborative Project

Created & Sponsored By: