You ready for this? What hoops are you going to have to jump through to acquire cyber liability insurance? We have been receiving numerous requests from clients asking us to help populate their cyber liability insurance questionnaires. I have listed a few of the more important questions being asked below.

  1. Does your organization screen email attachments?
  2. Does your organization quarantine malicious and spam emails?
  3. Does your organization sandbox/execute email attachments prior to delivery?
  4. Does your organization utilize email advanced threat protection?
  5. Does your organization use an endpoint protection product (Anti-Virus)?
  6. Does your organization use an Endpoint Detection & Response (EDR) product?
  7. Does your organization use multi-factor authentication (MFA) also called Two-Factor Authentication (2FA) to protect user accounts?
  8. Does your organization perform periodic vulnerability scans?
  9. Does your organization block inbound connections via hardware and software firewalls?
  10. Do users have local admin rights on their systems?
  11. Is content filtering enabled?
  12. Does your organization scan all traffic into and out of your network system for viruses and malware at the gateway?
  13. Are users provided a password manager?
  14. Are privileged accounts managed and administered to limit and log access?
  15. Is all mission critical data, applications, and configurations backed up?
  16. Are backups encrypted at rest and in transit?
  17. Are backups stored on-site and off-site?
  18. Are off-site backups air-gapped, and do they use a separate authentication mechanism from the production environment?
  19. Does your organization test backups via full restore into a sandbox environment to confirm functionality at least quarterly?
  20. Does your organization use a cloud syncing service like OneDrive, Dropbox, SharePoint, Google Drive, etc.?
  21. Does your organization backup your cloud solutions to a separate environment?
  22. Do employees have access to email on their personal devices?
  23. Do employees send or receive PII, ePHI, or PCI information via email?
  24. Does your organization utilize an email encryption system and are employees trained on its use?
  25. Does your organization perform periodic phishing awareness training and testing, including sending simulated phishing emails to employees to gauge adoption and application of the training provided?
  26. Does your organization utilize a log aggregation system such as a Security Information and Event Management (SIEM) system?
  27. Does your organization perform timely and regular installation of all critical security updates at least monthly?
  28. Does your organization monitor your network for malicious activity?
  29. Does your organization utilize a third party for support and service?
  30. Does your organization utilize an in-house or third-party Security Operations Center (SOC)?
  31. Does your organization encrypt all sensitive data at rest and in transit?
  32. Does your organization have a well-documented, enforceable, and enforced disciplinary plan for employees who fail to adhere to cyber security training and testing?
  33. Does your organization meet all industry specific regulatory guidelines and best practices for policies, procedures, enforcement, monitoring, and reporting?

Do not assume that you are meeting these guidelines. As an IT professional services provider we speak to countless well-meaning organizations that assume they are secure based on very flimsy evidence. For example, turning on Windows Update on all computers does NOT guarantee that updates are being applied. Installing an anti-virus agent does not ensure that the agent continues to receive updates and function as designed.
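The two examples above (updates switched on but never applied, an anti-virus agent installed but no longer updating) are exactly the gaps a questionnaire answer of "yes" will not survive. The script below is an added example, not part of the original post or any vendor's tooling; it checks a single Windows 10/11 endpoint for evidence rather than assumption. It assumes Microsoft Defender is the endpoint product and an elevated PowerShell session; the 30-day patch and 3-day signature thresholds are illustrative choices, not figures from the questionnaire.

```powershell
# Added example: verify that patching and Defender are actually current instead of assuming it.
# Assumptions: Windows 10/11 or Windows Server with Microsoft Defender, run as Administrator.
# The 30-day and 3-day thresholds below are illustrative, not values from the questionnaire.

$MaxPatchAgeDays     = 30
$MaxSignatureAgeDays = 3
$findings = @()

# 1. Patch status: date of the most recently installed update reported by the OS.
#    Get-HotFix only covers Windows quality updates, not Store or third-party applications.
$lastHotfix = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $lastHotfix) {
    $findings += "No installed updates reported by Get-HotFix; patch state cannot be confirmed."
} elseif ($lastHotfix.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
    $findings += ("Last update {0} installed {1:yyyy-MM-dd}; older than {2} days." -f `
        $lastHotfix.HotFixID, $lastHotfix.InstalledOn, $MaxPatchAgeDays)
}

# 2. Windows Update installation failures (event ID 20 in the WindowsUpdateClient log).
#    "Windows Update is on" plus failure events is the classic false sense of security.
$failures = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-WindowsUpdateClient/Operational'
    Id        = 20
    StartTime = (Get-Date).AddDays(-$MaxPatchAgeDays)
} -ErrorAction SilentlyContinue
if ($failures) {
    $findings += "$(@($failures).Count) Windows Update installation failure(s) in the last $MaxPatchAgeDays days."
}

# 3. Defender health: service running, engine and real-time protection on, signatures fresh.
$svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    $findings += "Microsoft Defender service (WinDefend) is not running."
} else {
    $mp = Get-MpComputerStatus
    if (-not $mp.AntivirusEnabled)          { $findings += "Defender antivirus engine is disabled." }
    if (-not $mp.RealTimeProtectionEnabled) { $findings += "Defender real-time protection is off." }
    if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += ("Defender signatures are {0} days old (last updated {1:yyyy-MM-dd})." -f `
            $mp.AntivirusSignatureAge, $mp.AntivirusSignatureLastUpdated)
    }
}

# 4. Report. Anything other than PASS is a control you cannot yet answer "yes" to for this host.
if ($findings.Count -eq 0) {
    Write-Output "PASS: $env:COMPUTERNAME patched within $MaxPatchAgeDays days and Defender current."
} else {
    Write-Output "FAIL: $env:COMPUTERNAME"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it across the fleet (for example through your RMM tool or `Invoke-Command`) and keep the output: a dated PASS/FAIL record per endpoint is the kind of evidence an insurer or incident adjuster will ask for, and a FAIL list is your patch and AV remediation queue.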

Do NOT pencil whip your answers to these questions, or you may find that you have NO INSURANCE at all when you need to file a claim…

Questions? We can help!
