Cyber Insurance Changes

Cyber Insurance Changing Underwriting Requirements

By Matt Komac, MSGIA Assistant Director for Property & Liability Pool Operations  and Dave Ulrich, Rocky Mountain Computer Supply

Because schools have been targets of ransomware attacks throughout Montana and the United States, we have focused our risk-management efforts intensely on cyber the last couple of years.  Cyber insurers have taken notice, as they have seen claim numbers and costs drastically climb.  This has resulted in an extremely challenging cyber market, especially for the public entity sector, which has been hit hard by ransomware attacks.  This means that, when renewing policies, insurers are cutting back on their exposure and increasing their underwriting requirements in order to help control losses. 

MSGIA understands the importance of cyber coverage for our members, and we are doing everything we can to help you minimize your risk of a cyber loss and ensure you have the necessary tools.  These tools, that underwriters once recommended have now become essential requirements to maintain a standard level of coverage you.  As a case in point, last renewal cycle we successfully provided the same level of coverage and an identical deductible structure for our members.  By comparison, many Montana schools not in our Property & Liability program saw their cyber deductibles increase to six-figure numbers.  Still, the days of easily acquiring guaranteed cyber coverage are unfortunately gone. Cyber carriers are now stating that they are no longer going to cover customers unwilling to help themselves by putting certain network security requirements in place. 

Below is a list of cyber-security requirements that have become industry standards for maintaining cyber coverage.  I strongly encourage you to work with your IT department to make sure your district meets these requirements no later than January 1, 2023, prior to the start of our FY24 renewal cycle.       

Multi-factor authentication should be in place for both email and remote desktop connections.  This can come from one-time passwords, key cards, mobile applications, or biometrics; and if you are using Office 365 or Google for email, you can enable the MFA requirement to protect the accounts in the email organization from that Admin Portal. Also, for administrative accounts to computers, laptops, servers, firewalls/switches, and routers, you may need to add a third-party service to handle the MFA requirements on those devices.  Finally, for any business applications used in the cloud, check with the vendor to see if you can enable MFA on the accounts used to access those logins.

Endpoint detection and protection response tools (EDR) have a software solution that provides continuous monitoring of data from desktops, laptops, and other devices (endpoints).  Automating this detection protects your information.  In addition to Endpoint Virus Protection, your solution should include Endpoint detection and response tools for when it identifies a threat/compromise of the system.

When it comes to encrypted data backups, the best practice is to have offsite backups, either in the cloud or at a separate physical location, and make sure the data is encrypted and updated daily if possible.  Additionally, please know that it is imperative to consider these kinds of questions when determining your level of cyber security: If your backup solution is in the cloud, does your solution encrypt the traffic while in transit and offer encryption where it’s stored?  If your backup solution is to an external drive/tape, is the media encrypted or are the files encrypted on the media?  How often are backups done, and are there multiple revisions kept in case of a ransomware attack? 

Antivirus and Malware Software: All systems connected to the business network, or that have access to network files, should be protected with an Antivirus/Malware solution.  Endpoints should be managed from a central location for updates, management, and monitoring of infections.

Robust Patch Management System: When managing operating system and software application updates/patches, have a thorough plan in place and related processes in place.  Along similar lines, whenever possible, maintain accurate system inventory, consolidate software, stay on top of vendor patch announcements, and automate patch management.  Return to newsletter