Cyber Insurance Terms Debunked

When working with clients to submit applications for Cyber Insurance, we often hear that they don’t understand the terminology on the application form. For anyone who has found themselves in this situation, hopefully these simplified explanations will help:

IT Security Audit 

Definition: Otherwise known as a cyber security assessment, this is a comprehensive review of the cyber security measures in place for your business.

Explanation: Basically, the underwriter needs to know that some kind of cyber security assessment has been conducted, when, and by whom. This could be an assessment by internal staff or by an external third party.

Every business should conduct regular internal security assessments, either by staff or their outsourced security provider. Either way, this may or may not be the same department that provides IT services.

Keep in mind that IT and cyber security are NOT the same thing. That would be like saying a window & door company is the same company that installs and monitors the alarm on those windows and doors.

Nobody should check their own work, so we highly recommend that you have a qualified third party conduct the assessment. Birmingham Consulting provides one for free – www.birmingham.ca/consult

Penetration Test 

Definition: Sometimes scoped as an “external penetration test”, this is an authorized, simulated attack to determine whether an unauthorized person could gain access to your network, computers, servers, cloud services, email, etc. “Unauthorized” means someone who does not have permission to access your files, email, etc. Unlike an automated scan, a penetration tester actively tries to exploit the weaknesses they find, so the result is a demonstration of what an attacker could actually reach.

Vulnerability Assessment 

Definition: A vulnerability assessment is a systematic review of security weaknesses, usually combining automated scanning with a review of configuration and practices.

Explanation: Vulnerability assessments and penetration tests often get confused. A penetration test asks whether an attacker actually got in; a vulnerability assessment lists every weakness found, whether or not anyone tried to exploit it. That is why you can pass a penetration test and still have vulnerabilities. Vulnerabilities include anything from out-of-date software and hardware, to a lack of antivirus protection, to the inability of your staff to identify fraudulent emails.

Encryption 

Definition: The transformation of information into a scrambled form that can only be read by someone who holds the secret key.

Explanation: We are surprised how many times people say they don’t know what encryption is. In its simplest form, encryption means scrambling information so that only people who hold the right key can read it.

Note that the scrambling method itself (the “algorithm”) is not the secret; good algorithms are published and reviewed so that everyone can check them. What is kept secret is the “encryption key”, a random value known only to the people or systems permitted to read the information. Anyone with the key can read the data; anyone without it cannot, no matter how well they understand the algorithm. This is why protecting the key (where it is stored, who can reach it) matters as much as turning encryption on.

Transforming regular information into the scrambled format is called “encrypting” it. Transforming the scrambled information back into something people can understand is called “decryption”. Insurance applications usually ask about two cases: data encrypted “at rest” (laptops, backups, databases) and “in transit” (HTTPS, VPN, email).

Regulatory and Industry Frameworks 

Explanation: For some industries like healthcare and financial services, strict legislation exists to dictate how information can be handled, stored, and transferred.

However, what is often overlooked are the regulations and frameworks that apply to all businesses, regardless of industry. For example:

There is an ever-changing body of federal and provincial legislation that relates to technology and privacy (e.g. the pending Digital Platform Workers’ Rights Act and the pending Digital Charter Implementation Act).

We recommend that you obtain counsel from a law firm familiar with legislation that applies to your business.

Personally Identifiable Records/Information (PII) 

Definition: According to the Canadian federal government, “personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:

  • age, name, ID numbers, income, ethnic origin, or blood type;
  • opinions, evaluations, comments, social status, or disciplinary actions; and
  • employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).”

Ref: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda_brief/#_h2

Explanation:  A common question on insurance applications is some form of “How many PII records does your company store?” Higher numbers of PII records generally translates to higher risk for the underwriter.

The intent of this question is generally not to determine how many individual pieces of information you have, like birthday, home address, etc.; but for how many people you store such information.

For example, if you are a non-residential construction company with 250 current employees, the total number of PII records would be 250 + any information you still have for past employees.

On the other hand, if you are a medical clinic with 8,000 patients, the total number of records is 8,000 + current employees + past patients and past employees.

Antivirus vs. Advanced Endpoint Detection 

Definition of Antivirus: A program designed to detect and remove computer viruses. Traditional antivirus relies on a large list of “signatures” of known threats that it compares files against when monitoring devices. Because attackers now change their tools faster than signature lists can be updated, signature matching on its own is no longer enough against modern cyber threats.

Definition of Advanced Endpoint Protection (AEP), often sold as Endpoint Detection and Response (EDR): AEP builds on antivirus by watching what programs actually do on the device (for example, a document that launches a script, or a process that starts encrypting many files at once) and flagging suspicious behaviour even when nothing matches a known threat. Most products also record that activity so an investigator can see what happened after the fact.

Multi-Factor Authentication (MFA) and Two-Factor Authentication (2FA) 

Definition: Multiple steps or methods to confirm your identity when signing into an account, service or device.

Explanation: When you sign into a device or service and are prompted only for a password, that is single factor authentication: the only protection against unauthorized access is knowing the password.

A second factor is something from a different category than the first: something you know (a password or PIN), something you have (a phone, authenticator app or hardware token), or something you are (a fingerprint or face). Two passwords are not two factors. Requiring a second factor makes it much harder for someone to impersonate you, because a stolen or guessed password is no longer enough on its own. 2FA is simply MFA with exactly two factors.

Randomly Generated Data Point 

Explanation: This term is usually used in conjunction with questions about the extra authentication step in MFA. In technical terms it refers to a “one-time passcode” (OTP).

The most common forms are changing numbers that must be entered in addition to your password. Each code is only valid for a limited time, and it is unpredictable to anyone who does not hold the secret the code is generated from. Codes are usually provided in one of the following ways:

  • An authenticator “app” on your mobile phone that shows a new number every 30 or 60 seconds
  • A small electronic device (hardware token) that displays a constantly-changing number
  • A text message sent to the phone number the service has on file for you
  • Via email to the address the service has on file for you

The first two are stronger than the last two: a text message can be intercepted if an attacker takes over your phone number (a “SIM swap”), and an emailed code is only as safe as the mailbox it lands in.

Why do insurance companies ask about randomly generated data points? Because it is possible to have multi-factor authentication without a changing element, such as a fixed PIN or security questions. Those can be stolen once and reused forever; a fresh code expires within a minute, so capturing one is of little use.
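The numbers an authenticator app shows are not literally random: they are computed from a shared secret and the current time, which is why the app works with no network connection. The example below (added here; it is not code from the article) implements that calculation, the standard TOTP scheme from RFC 6238, in Go with only the standard library. The secret used is the published RFC test value, not a real one, and the verification step shows why a captured code stops working after the window passes.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	digits = 6                // length of the code the user types
	step   = 30 * time.Second // how long each code is valid
)

// HOTP computes the RFC 4226 one-time password for a counter value:
// HMAC-SHA1 over the big-endian counter, dynamically truncated to 31 bits,
// then reduced to the last `digits` decimal digits.
func HOTP(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP (RFC 6238) is HOTP with the counter taken from the clock, so a new
// code appears every 30 seconds without any message being sent.
func TOTP(secret []byte, at time.Time) string {
	return HOTP(secret, uint64(at.Unix())/uint64(step/time.Second))
}

// Verify accepts the current step and its two neighbours to tolerate a
// little clock drift between phone and server, and compares in constant
// time so response timing does not leak which digits were right.
func Verify(secret []byte, code string, at time.Time) bool {
	counter := at.Unix() / int64(step/time.Second)
	for d := int64(-1); d <= 1; d++ {
		c := counter + d
		if c < 0 {
			continue
		}
		if hmac.Equal([]byte(HOTP(secret, uint64(c))), []byte(code)) {
			return true
		}
	}
	return false
}

func main() {
	// The shared secret is what the QR code carries when you enrol an
	// authenticator app. This is the RFC 6238 test secret, not a real one.
	secret := []byte("12345678901234567890")
	t := time.Unix(59, 0)
	code := TOTP(secret, t)
	fmt.Println("code at t=59s:      ", code) // 287082
	fmt.Println("accepted 2s later:  ", Verify(secret, code, t.Add(2*time.Second)))
	fmt.Println("accepted 61s later: ", Verify(secret, code, t.Add(61*time.Second)))
}
```

The server and the app each hold a copy of the secret and run the same arithmetic, so a phished code is worthless as soon as its 30-second window (plus the small skew allowance) has passed. Note that an attacker who steals the secret itself can generate codes at will, which is why the enrolment QR code should be treated like a password.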

Advanced Threat Protection (ATP) 

Definition: Advanced Threat Protection (ATP) is a suite of analysis tools designed to defend against both known and unknown attack methods, most commonly applied to email.

Explanation: Just as traditional antivirus on its own is ineffective in today’s world, traditional spam filtering on its own is ineffective against targeted phishing. For this reason, ATP is used to inspect email for threats before it reaches the inbox.

Rather than simply matching sender lists, ATP examines the parts of a message to judge how safe it is. For example, it rewrites the links in an email and checks where each one really goes, both on delivery and at the moment someone clicks, so a link whose visible text says one site but leads to another, or whose destination is later found to be malicious, is blocked. Attachments are opened in an isolated “sandbox” before delivery to see whether they do anything harmful.

True ATP goes further and also checks the other services associated with your email account. In the world of Microsoft 365 this product is now called Microsoft Defender for Office 365 (formerly Office 365 ATP), and it applies the same link and file checks to Teams messages and to files in OneDrive and SharePoint.
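One of the link checks described above, the visible text of a link naming a different site than its real target, is easy to show. The example below is added here and is not the article’s or Microsoft’s code: it scans an HTML email body with Go’s standard library and reports links whose displayed domain does not match the target domain, links that point at a bare IP address, and links with no usable target at all. The sample email is constructed for the demonstration and the lookalike host names in it are fictitious.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// Finding describes one suspicious link in an email body.
type Finding struct {
	Href, Text, Reason string
}

var (
	// <a ... href="...">visible text</a>, case-insensitive, spanning lines.
	anchorRe = regexp.MustCompile(`(?is)<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>`)
	// Any tag, used to strip markup nested inside the visible text.
	tagRe = regexp.MustCompile(`(?s)<[^>]+>`)
	// A host name (optionally with scheme) appearing in the visible text.
	hostInText = regexp.MustCompile(`(?i)(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)`)
)

// registrable reduces a host to its last two labels, so that
// "login.example.com" and "example.com" are treated as the same site.
// (A public-suffix list would be more precise; this is enough to show the idea.)
func registrable(host string) string {
	labels := strings.Split(strings.ToLower(host), ".")
	if len(labels) < 2 {
		return strings.ToLower(host)
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// CheckLinks returns one Finding per link that looks deceptive.
func CheckLinks(html string) []Finding {
	var out []Finding
	for _, m := range anchorRe.FindAllStringSubmatch(html, -1) {
		href := strings.TrimSpace(m[1])
		text := strings.TrimSpace(tagRe.ReplaceAllString(m[2], ""))

		u, err := url.Parse(href)
		if err != nil || u.Host == "" {
			out = append(out, Finding{href, text, "target has no host (relative, mailto or malformed)"})
			continue
		}
		host := strings.ToLower(u.Hostname())
		if net.ParseIP(host) != nil {
			out = append(out, Finding{href, text, "target is a bare IP address"})
			continue
		}
		if tm := hostInText.FindStringSubmatch(text); tm != nil {
			if registrable(tm[1]) != registrable(host) {
				out = append(out, Finding{href, text,
					fmt.Sprintf("text names %s but link goes to %s", tm[1], host)})
			}
		}
	}
	return out
}

// sampleEmail is a constructed phishing-style message body.
const sampleEmail = `<p>Your mailbox is almost full.</p>
<a href="https://accounts.example.com/quota">Manage storage</a><br>
<a href="http://192.0.2.10/login">https://login.microsoftonline.com</a><br>
<a href="https://microsoftonline.com.secure-verify.example/auth">login.microsoftonline.com</a>`

func main() {
	for _, f := range CheckLinks(sampleEmail) {
		fmt.Printf("FLAG: %s\n  text: %q\n  href: %s\n", f.Reason, f.Text, f.Href)
	}
}
```

The first link is left alone because its visible text is plain words, not a domain. The second is flagged for pointing at a raw IP address, and the third because “microsoftonline.com” in the text is only a prefix of a different registrable domain in the target, the classic lookalike trick. A real ATP product adds reputation lookups and click-time re-checks on top of this kind of structural test.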

Phish Testing & Security Awareness Training 

Definition: Training in the form of tests to simulate phishing scams.

Explanation: We humans continue to be the weakest link in cyber security, with phishing (https://en.wikipedia.org/wiki/Phishing) as the most common way a business gets cyber-compromised.

For this reason, most cyber insurance policies require that businesses regularly train their staff on how to identify cyber threats, then confirm that the training is effective by sending harmless test phishing messages and tracking who clicks or enters credentials.

Ransomware 

Definition: Software installed by a hacker that encrypts your information so you can no longer read it.

Explanation: Most people have heard of ransomware; but we still occasionally get asked what it is.

In its simplest form, ransomware is software installed by a hacker that encrypts your information so you can no longer read it. The hacker offers to let you decrypt your information if you pay them (i.e. pay the ransom).

However, it doesn’t end there. Because so many ransomware victims refuse to pay (often because they can restore from backups), hackers have “upped the ante” with what is called double extortion. Before encrypting your information, they copy it offsite and threaten to sell or publish it, or to harass all of your clients/patients, if you don’t pay. Good backups protect you from the encryption but not from the leak, which is why insurers ask about both.

Breach 

Definition: An event in which an unauthorized person gains access to your network, servers, computers, devices, or cloud services.

Explanation: A key point about breaches is that any loss of control over company information is a potential breach, not only a hacker on the network. For example:

  • A USB stick or external drive containing company information goes missing
  • A phone, laptop, or tablet is lost or stolen
  • An email account gets hacked and starts sending out fake messages to contacts.
  • Ransomware
  • A bulk email is sent with all recipients in the “To” list instead of “BCC”
  • Credit card information is sent by email

Incident Response Plan (IRP) 

Definition: An Incident Response Plan (IRP) is a written document outlining the steps to take when a cyber incident event occurs.

Explanation: “Incidents” range from unexpected email behaviour, to equipment being stolen, to full-blown ransomware, to financial fraud. Insurance companies generally want to know if your business is prepared to deal with such events.

A useful IRP is short and specific: who is called (and in what order), which systems get isolated, what is preserved as evidence, and when the insurer, lawyers and regulators are notified. Insurers usually want to be contacted early, so your broker’s and insurer’s after-hours contact details belong in the plan, printed somewhere that does not depend on the systems that may be down.

It’s important to note that IRPs must be tested on a regular basis, for example with a “tabletop” walk-through of a realistic scenario. Effective testing will reveal the gaps that need to be addressed to improve the organization’s ability to respond.

Disaster Recovery (DR) Plan 

Definition: A formal document that contains detailed instructions on how to respond to major unplanned, disruptive events.

Explanation: Where an IRP covers the first hours and days of an incident, the DR plan goes a step further. What is the company’s plan to keep operating, and to get its systems and data back, if a major disaster were to occur?

Many were caught off guard when the first COVID lockdown forced offices to close. Businesses were scrambling to figure out how to function when everyone was remote.

A good DR plan outlines the steps for an organization to take when potentially catastrophic events like COVID take place, including where the backups are, how quickly they can be restored, and who is responsible for restoring them. For example:

  • Pandemics
  • Fire, flooding, ice storms, and other natural disasters
  • Vandalism
  • Theft

If your organization is wondering about any of these areas, we can help with a Cyber Insurance Readiness Assessment – contact us at info@birmingham.ca to learn more today.