Want cyber insurance? 5 security safeguards one insurer looks for

As security questionnaires get longer, CISO Jason Rebholz reveals some must-haves.
article cover

Getty Images

· 3 min read

Cybersecurity insurance questionnaires—a way for the insurer to understand a prospect’s defenses—used to be brief.

Do you have AV? Do you have a firewall?

Just a few years ago, answering “yes” to those two questions put you pretty firmly on a path to getting cyber-covered, said Jason Rebholz, CISO at Corvus Insurance.

Now, with the costly stakes of ransomware and business email compromise (BEC), insurers need extra pages to confirm security controls. The longer questionnaires suggest that insurers want a deeper understanding of an organization’s defenses against attacks that could literally cost millions.

“If you’re in the higher end of the SMB market, certainly in the midmarket and in the larger organizations, you’re looking at a minimum of 25 to 50 detailed questions,” Rebholz told IT Brew.

Questions like, “How are your data backups protected and configured?” might be on the list, for example, along with “What vendor are you using for endpoint detection and response (EDR)?”

BEC and ransomware. A July 2022 report from IBM revealed two tough price tags. The average cost of a data breach, via business email compromise: $4.89 million. For ransomware (minus the ransom): $4.54 million.

“When you look at the largest costs for cyber insurance carriers in terms of security incidents: It’s ransomware and it’s business email compromise,” said Rebholz.

Let’s play Risk. Risk level, given the array of cyberthreats, is not agreed upon.

“Every insurance agency, every brokerage, they’re all asking different questions,” said Shawn Wiora, CEO of the risk-quantification provider Maxxsure.

To demonstrate varying priorities, a 2022 Panaseer survey of 400 global insurers revealed a range of “most important factors when assessing a security posture.” These were cloud security, security awareness, and application security, to name a few.

Top insights for IT pros

From cybersecurity and big data to software development and gaming, IT Brew delivers the latest news and analysis of trends shaping the IT industry, like only The Brew can.


A top 5. While insurers may differ on the important factors, here are 5 recommendations from Rebholz:

Data backup: The question isn’t do you have backups, but how are you securing them? “Are you using immutable backups where they can’t be modified?...When you can protect those backups, you’re much less likely to have to pay a ransom,” Rebholz told IT Brew.

MFA: To defend against attackers still targeting weakly guarded email accounts, insurers want to see multifactor authentication, including for remote-access scenarios.

EDR: Insurers also look for the “latest and the greatest” endpoint technology to detect, prevent, contain, and analyze malware, said Rebholz.

Email security: Secure email gateways and email-security products help to flag phishing attacks that steal credentials. “From our analysis alone, if you are not using a secure email gateway or some sort of email security solution, you’re twice as likely to have a BEC incident,” said Rebholz.

Out-of-band authentication for wire transfers: Two-factor verification that occurs through a separate communication channel along with the typical ID and password is recommended.

While best practices outlined by insurers may vary, the guidance offers potential leverage to the IT pro looking for upgrades.

“We’ll give you the justification so that you as an IT leader or security leader can go to your CFO and say, ‘This is what our insurance carrier is seeing…Now it’s time to approve that budget for that email security tool going into next year,’” said Rebholz.—BH

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @BillyHurls on Twitter.

Top insights for IT pros

From cybersecurity and big data to software development and gaming, IT Brew delivers the latest news and analysis of trends shaping the IT industry, like only The Brew can.