Key Controls for Cyber Liability Insurance

Core Controls

  • Multifactor authentication (MFA) for all external access

  • Patching cycle of under 30 days (critical and high-severity patches applied within 30 days of release)

  • Antivirus on all computers and servers

  • Encryption of data on devices and in email (for select industries such as healthcare)

  • Financial controls policy (don’t have one? Get a free template here)

  • No high-risk applications exposed directly to the internet, such as Remote Desktop Protocol/Remote Desktop Connection (RDP/RDC); remote access should only be reachable through a VPN or gateway protected by MFA

  • Security awareness training on a monthly basis (simulated phishing tests usually count)

  • Robust backups: at least weekly, encrypted, and stored off-site or in the cloud

  • Incident Response plan

And that is it. Seriously. For most SMBs (defined by insurers as under $100mm/yr in revenue) this will get you several policy options. If you want a better rate and more options, keep reading.

Advanced Controls

Once you have ALL the core controls in place, focus on these.

  • 24x7 managed detection and response (MDR) with EDR on all computers and servers

  • Email filtering service, including attachment detonation and link screening (Microsoft Defender counts for most carriers; just name the product explicitly on the application)

  • Annual test restores of backups

How Policies Are Priced And How Your Answers Are Used

Every policy asks a slightly different set of questions, and no one can tell you which ones actually matter or how much. With our years of experience both selling and designing policies, this guide from the Beltex team helps clarify what really impacts your application.

The first set of questions are the demographics: revenue, number of employees, address, associated entities, etc. Then we move on to the part most applicants are concerned about, the control questions. Unfortunately, your policy is already mostly priced before you answer a single control question. The vast majority of a policy's pricing comes from three factors: annual revenue, industry, and state. The cybersecurity control questions generally do not move a rate by more than +/- 20%. There are likely only a few questions in the controls section making a significant impact on your rate.

Please note that these controls apply to "Small and Medium Enterprises" or SMEs, as defined in the insurance industry. That means businesses with under $100mm/year in revenue, but especially under $20mm. If your business is under $10mm, your application will likely get minimal review by an underwriter, so checking the right boxes is very important. This guide does NOT apply to Technology Errors & Omissions (Tech E&O), which is the type of cyber policy needed for MSPs, SaaS companies, and other tech businesses.

The Three Types Of Controls

There are three types of control related questions that appear on a cyber insurance application. The bad news is that agents are almost universally unaware of which is which, and carriers do not commonly disclose this information. For many SME policies, qualifying and informational questions make up the majority of the application.

  • Qualifying/eligibility: do not pass go, do not collect $200. These are the questions that must have the right answer to qualify for a policy at all. They often cover foundational security such as multifactor authentication (MFA), financial control policies, and encryption for certain industries. Eligibility can also depend on a combination of answers; one common example is that for a healthcare business, encryption becomes mandatory to acquire a policy, while other industries can get a policy without it.

  • Rate adjustments: these questions impact your rate. There are both major and minor adjustments; some questions can change the rate by almost 10%, but the majority will be a few percentage points at most.

  • Information gathering: some questions do not affect the rate or eligibility at all, and are there for the insurance carrier to build better data sets. These are NOT intended as entrapment for a claim, but are usually used to gather data for better underwriting in the future.

A Note About PII/PCI/PHI Records

Almost every business holds records relating to individuals, even if only its own HR records. PII (personally identifiable information), PCI data (cardholder data governed by the PCI DSS standard) and PHI (protected health information) are among the worst data types to have exposed in a breach, so carriers pay careful attention to them. The number of records your business holds can heavily affect your rate, especially when it is PHI in a regulated industry such as healthcare. Reducing the number of records you hold is critical: it not only reduces your policy cost, but also reduces damages when a breach occurs. Higher record counts may result in additional controls being required, or in increased rates.