Pratum Blog

When your cyber insurance coverage comes up for renewal this year, you can plan on a couple of new factors:

  • Your premium will be significantly higher.
  • Your insurance company will ask a lot more tough questions about your cybersecurity policies.

The new demands from insurance companies have gotten so rigorous that Pratum has had more than one client call to say, “They’re telling us that if we don’t implement some new cybersecurity policies ASAP, we’ll lose our cyber insurance coverage.”

Clearly, the cyber insurance market is navigating uncertain times. A 2021 AM Best report flatly stated that, “prospects for the U.S. cyber insurance market are grim.” In this blog, we’ll help you make sense of the factors driving changes in your policy and pricing right now. (If you’re just getting started with cyber insurance, read this blog to learn the basics of cyber policies.)

Somebody Has to Pay All Those Ransoms

If a run of forest fires torches your area, you expect your homeowners’ insurance to spike in the coming years. Cyber insurance is no different. It’s a fairly recent insurance product, with only a few years of claims to guide insurance companies as they underwrite policies, set premiums and establish their profit expectations. In such a young market, many insurance companies were fairly lax on their underwriting procedures, echoing the days of easy mortgages before the 2008 financial crisis. Throw in constantly changing threats and security plans, and you have all the dry ingredients required to blow a volatile industry sky high.

In the last year, ransomware has been the match tossed into the cyber insurance tinderbox. Ransomware attacks jumped 151% in the first half of 2021, and ransom payments have quintupled from an average of $43,600 in 2019 to more than $220,000 this year.

Hackers Learn to Leverage Cyber Insurance

Hackers have learned how to operate in a world where more victims have cyber insurance. When hackers breach a system, they often run a search for cyber insurance policies, just to find out what kind of budget they’re working with. If a victim balks at paying a ransom demand, the hackers are known to screenshot the victim’s own cyber insurance policy and send it over with a note saying, “Don’t lie about how much you can pay us. We’re looking at your policy’s provisions right now.”

What It Means for Insurance Companies

Charts of cyber insurance claims over the last year look like hockey sticks, which means some insurance companies are losing money on their cyber insurance lines as premiums fall behind what they’re paying out in claims. Articles from within the insurance industry are using phrases like “spiraling loss costs” and “existential threat.” A recent report from Howden states, “The cyber insurance market is undergoing one of its most transformative changes since the first cyber policy was underwritten some 20 years ago.”

Earlier in 2021, seven major cyber insurance companies banded together to form CyberAcuView, “a collective effort to enhance cyber-risk mitigation efforts.” In short, the companies will be sharing claim data to make their businesses more accurate and sustainable. Will this teaming up of major players do anything good for customers? Time will tell.

Some industry watchers argue that all this represents a healthy clean-up for the industry. They’re hoping that the trials of 2021’s ransomware surge will mold a new breed of insurance company that uses more accurate underwriting, provides healthy coaching to clients and uses a combination of carrots and sticks to get clients to use better risk mitigation strategies.

What It Means for You

As insurance companies work to stave off this seeming existential threat, expect two developments:

  • Higher Rates – Cyber insurance rates are averaging a 32% increase this year, with some customers seeing quotes 50% higher than a year earlier.
  • Tougher Underwriting – We’re all used to getting better rates on health insurance or car insurance if we quit smoking or drive more safely. In today’s cyber insurance market, the issue isn’t just whether you’ll get a better rate. It’s whether any company will even be willing to insure you without the right cyber safeguards in place.

Many insurance companies are requiring steps such as implementing multifactor authentication before they’ll renew policies or grant new ones. And unlike in the old days of a year ago, the insurance company may not take your word for it when you say you’re doing all the right things. The insurance company may hire a third-party assessor to confirm you have the right tools in place, or it may ask to run a scan of your system for proof.

Start Your Cybersecurity Plan Now

While you may find all this heavy-handed, we have to point out that the insurance companies are really just requiring what a wise organization would be doing anyway. In a world overrun with cyber threats, you’re needlessly gambling your job and your company’s future if you ignore basic cyber hygiene steps such as implementing MFA, regularly patching software, etc. And if your insurance company isn’t the one pushing you to take these steps, your industry partners and clients probably will be soon.

If you need help getting started on a set of cybersecurity policies that boost your insurance prospects along with your overall peace of mind, contact Pratum today.

If you’ve never taken the time to create a data flow diagram (DFD) of your system, you should make that investment. The value doesn’t lie simply in having the diagram in your files. The actual process of creating the diagram will almost certainly reveal new things about how your data ecosystem works.

That’s why many IT auditors and frameworks (such as PCI DSS) consider network diagrams and DFDs so critical that they expect to see them as part of the audit process. Cybersecurity consultants frequently use DFDs to drive detailed conversations about the environment, knowing that the clarity they provide can be a deciding factor in your network’s security.

In this blog, we’ll explain how a DFD helps ramp up your overall cybersecurity and how to get started creating one.

What a DFD Can Tell You

A DFD shows exactly where your data is going so that you can make sure every step is secure. Diagramming your process may show, for example, that your data is far more widespread and replicated than you previously thought. Replicating data in multiple places, or passing it through several resources while in transit, can represent a security risk you need to analyze.

In large or complex organizations, the leadership team may rely upon a DFD to help them understand the entirety of what’s going on across what could add up to hundreds of business processes. Some organizations require several DFDs to accurately portray all the operations.

Be careful of telling yourself, “We get a good view of our system through other tools.” Don’t think you’re covered just because someone on the team can verbally explain the system. They’re probably leaving things out, and that person may not be around forever. And don’t count on a typed explanation of the system. A written description almost certainly includes enough ambiguity to let problems hide in the fine print.

Diagramming Third Parties

A thorough diagram follows your data beyond the limits of your own system. Here’s an example of the kind of process red flags that a DFD can reveal:

While making the diagram, you start asking how your payroll processor sends and receives sensitive data. It turns out that they’re sending it over unencrypted channels. If that’s happening, even the best cybersecurity posture on your end won’t protect sensitive data such as employees’ personal information. If client information were compromised through a similar process weakness, your organization could face immediate financial losses and long-term damage to your reputation.

In some cases, Pratum’s consultants create DFDs specifically for each third-party system connecting to the client organization. This clearly shows how data flows in and out of the third party’s environment and where it may need additional protection.

The DFD Creation Process

Pratum follows three core steps to build an organization’s DFD, with the details varying based on the organization’s overall cybersecurity maturity.

1. Discussion – Leadership, possibly guided by cybersecurity consultants, reviews the potential risks facing an organization. They identify protective systems already in place, cybersecurity protocols, corporate governance, connected vendors, and key business processes. As you start building the DFD, be sure to look over the results of your most recent risk assessment for information on what you should map. This helps leadership identify risks, plan mitigating controls and evaluate whether the remaining risk is acceptable.

2. Asset Inventory – Now the organization documents the hardware, software, and data used throughout the business. That includes both at-rest and in-transit systems.

  • Hardware – The asset list should include any physical asset that may store or come in contact with an organization’s data. That includes computers, mobile devices, network equipment, printers, scanners and more.
  • Software – Every organization has a set of approved applications that typically includes financial applications, fixed contract applications and licensed applications. The software inventory should include documentation of the software’s end of life.
  • Data – Include a list of data types stored, how it is stored, and who in the organization owns it.

3. Develop Diagrams – With all of the information gathered, you can start mapping out the DFD.

DFD Basics

A DFD uses a universally accepted set of symbols to portray information flow within and between network segments as well as through the institution's perimeter to external parties. A basic Level 0 diagram shows the overall system, while Level 1 diagrams drill down into individual processes.

Figure: Data Flow Diagrams use universal symbols to communicate the path of data.

DFDs should identify:

  • Data sets and subsets shared between systems.
  • Applications sharing data.
  • Classification of data (public, private, confidential, or other) being transmitted.
  • How data is identified at rest and in transit.

Who Is Using the Data?

While creating the DFD, you’ll look at how two types of users touch your data:

Employees – Look at the roles of each employee involved at the different steps of data flow. All employees have some level of responsibility for information, communication, and reporting between each level. Evaluating employee roles and access helps you spot gaps in the process. For example, organizations frequently realize that they should reduce the network access employees have at several steps, which reduces the potential for a breach and pivot into the larger system.

Vendors – Working with vendors inevitably poses a threat by allowing outside access to internal processes. Consider these factors about vendor access:

  • Identification – Create a profile on each vendor with name, address, key contacts, service provided, contract details, and expenses.
  • Grouping – Group vendors to determine which ones may be considered “critical.”
  • Level of Risk – Does the vendor have access to information that would be highly impactful to the business?

What Is Happening to the Data?

Determine whether employees, vendors/partners or systems are writing, modifying, storing, or processing data. The answer is crucial to protecting data and mapping out the process with a DFD.

Where Is the Data Going?

Knowing where individuals, resources, and entities are located helps you judge the risk of an interaction. For example, data moving between two resources in the same building may be less risky than data traveling from an office in the United States to resources in a foreign country, or vice versa.
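As an added illustration (not Pratum’s own process or tooling), the Python script below records a DFD’s nodes and flows as data and then walks the flows to surface the red flags discussed above: confidential data leaving the perimeter to a third party, unencrypted channels, cross-border transfers, unencrypted data stores, and data replicated into several places. The payroll scenario, the node names and the rules themselves are constructed assumptions for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Added example: a DFD kept as data plus a reviewer for the red flags the post
# describes. Kinds follow DFD convention: "process", "store" (data at rest) and
# "entity" (an external party such as a vendor). All names/rules are assumptions.

@dataclass
class Node:
    name: str
    kind: str                       # "process" | "store" | "entity"
    country: str = "US"             # where the resource is located
    encrypted_at_rest: bool = True  # meaningful for stores only

@dataclass
class Flow:
    src: str
    dst: str
    dataset: str
    classification: str  # "public" | "private" | "confidential"
    encrypted: bool      # protected in transit?

@dataclass
class DFD:
    nodes: Dict[str, Node] = field(default_factory=dict)
    flows: List[Flow] = field(default_factory=list)

def review(dfd: DFD) -> List[str]:
    """Walk every flow once and return human-readable red flags."""
    findings: List[str] = []
    copies: Dict[str, set] = {}  # dataset -> stores holding a copy
    for f in dfd.flows:
        src, dst = dfd.nodes[f.src], dfd.nodes[f.dst]
        label = f"{f.dataset}: {f.src} -> {f.dst}"
        if f.classification != "public" and not f.encrypted:
            findings.append(f"{label} unencrypted in transit")
        if dst.kind == "entity" and f.classification == "confidential":
            findings.append(f"{label} confidential data leaves the perimeter")
        if src.country != dst.country:
            findings.append(f"{label} cross-border {src.country} -> {dst.country}")
        if dst.kind == "store":
            copies.setdefault(f.dataset, set()).add(dst.name)
            if f.classification != "public" and not dst.encrypted_at_rest:
                findings.append(f"{label} stored unencrypted in {dst.name}")
    for dataset, stores in copies.items():
        if len(stores) > 1:  # replication widens what must be protected
            findings.append(f"{dataset}: replicated in {len(stores)} stores "
                            f"({', '.join(sorted(stores))})")
    return findings

def example_dfd() -> DFD:
    """Constructed payroll scenario from the post: PII sent to a third party."""
    nodes = [Node("HR staff", "entity"), Node("Payroll app", "process"),
             Node("HR database", "store"),
             Node("Reporting share", "store", encrypted_at_rest=False),
             Node("Payroll processor", "entity", country="EU")]
    flows = [Flow("HR staff", "Payroll app", "employee PII", "confidential", True),
             Flow("Payroll app", "HR database", "employee PII", "confidential", True),
             Flow("Payroll app", "Reporting share", "employee PII", "confidential", True),
             Flow("Payroll app", "Payroll processor", "employee PII", "confidential", False)]
    return DFD({n.name: n for n in nodes}, flows)
```

Running `review(example_dfd())` yields five findings for this scenario, including the unencrypted cross-border transfer to the payroll processor and the second copy of employee PII sitting on an unencrypted share.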

For more information on how to properly establish a DFD, reach out to a Pratum consultant to find out how the process can look for your organization.

You’re listening to best practices, and you care about protecting your organization’s operations. So you’ve written a solid incident response plan and shared it with your team.

But does it work in the real world? To quote the philosopher Mike Tyson, “Everyone has a plan until they get punched in the mouth.” And when a real data security incident occurs, the punches will be flying. So you need to regularly test your cybersecurity incident response plan, along with the humans and technology that will carry it out. In this blog, we’ll share the three most common testing approaches, from basic discussions to full simulations.

Choosing the Right Incident Response Plan Test

If you’re not motivated to do regular testing, others may provide the incentive you need. Major third-party compliance frameworks such as SOC 2 and PCI DSS, for example, require an annual test of your incident response plan, even though they rarely specify an exact testing approach. And your organization’s cybersecurity maturity and risk level may indicate that you need semi-annual or quarterly tests. You’ll get more practice and more frequent opportunities to spot parts of the plan that have gone out of date.

Your biggest customers may be pickier than the frameworks about the testing approach. At Pratum, we increasingly see contracts requiring vendors to run annual incident response tests to prove they can deliver their services, even if they face a major cybersecurity incident. We’ve seen some companies recently tell potential vendors that their testing process isn’t rigorous enough. That left the vendor to decide whether the contract was valuable enough to justify the time and expense of running a thorough simulation every year to satisfy the customer.

Below are the three most common levels of incident response plan testing, arranged by order of escalating realism and, thus, ability to truly reveal your plan’s value.

Tabletop Exercise

This is the most basic and theoretical test of your incident response plan. You’ll gather all the key players in a conference room, throw out several breach scenarios and have everyone talk through their part of the response, as dictated by the plan.

You’ll get definite value from this approach. In most organizations, questions like the ones below tend to highlight some holes and generate some meaningful to-do items after the meeting:

  • “How long will it take to actually get all of our data restored from backup?” You may know that you have backups, but have you ever drilled down into what the restoration process actually looks like? Most teams leave a tabletop exercise with an urgent assignment to work out the details on this front.
  • “Where can I find this list of phone numbers for every employee?” It probably turns out that the list is saved somewhere on the company server—which may be exactly what is compromised in your scenario. Now where do you go to get the numbers?
  • “How long do we have to restore things before we violate the service level agreements in our key contracts?” There’s a big difference between having several days to restore operations and having 8 hours before you’re in breach of contract. Defining your exact window may change your plan.
  • “What does this step mean when it says _______?” If you get that question, it’s time to rewrite parts of the plan to ensure that it can’t be misunderstood, even by people working under extreme stress.

The tabletop exercise’s weakness, of course, is its theoretical nature. When someone answers a question confidently, do you trust that they’ve done the homework to prove that their answer is correct and capturing the full implications? Pratum vCISO Jeff Franklin points out that, “Colonial Pipeline paid the ransom to get the decryption key, and it still took them days to decrypt their data.” You could get a false sense of security if your only testing comes from conversations in a meeting room with no pressure bearing down as your organization goes dark.

Walkthrough

In this test, your team actually steps through the plan as it’s designed, stopping short only at the point of actually flipping a switch to do something like turning on the building’s alternative power source. Typical walkthrough activities include:

  • Calling people listed in the plan to confirm that the phone numbers work, they answer in a timely fashion, etc.
  • Walking to different parts of the building to confirm that things will happen as the plan specifies. Can you, for example, walk into the IT department unannounced and find the team required by the incident response plan?
  • Sending test messages. If the plan calls for an all-company e-mail telling everyone to evacuate the building, you’ll send that e-mail to confirm that it works (with a bold note at the top of the message stating that it’s only a test).
  • Confirming real-world timelines. During the walkthrough, the incident response team will walk into someone’s office and find out how long it would really take to accomplish their assignment if they had to start right now. Is that person even in the office anymore? If not, can you reach them promptly? Can they accomplish their assigned tasks remotely?

With all of these tests, remember to include the human resources aspects of the situation. If you plan to use a text alert to find out who is out of the building, do you expect people on vacation to answer that text? If your operations go down for a half day, do you send everyone home? Do they still get paid?

Cutover

In this test, you’ll pull out all the stops to truly find out how your team handles a crisis. In a cutover, an incident response leader might walk into the IT department and declare that the team needs to switch from on-premises servers to the cloud. Right now. Then you see what happens. Does everything actually come up on the alternate system? Does it take longer than expected?

Some Pratum customers go so far as killing the power to their building to force the generator to kick in and see what happens. (Note that no one does a cutover of all systems simultaneously.)

One big eye-opener for most organizations comes when they try to restore data from backup. Many teams find that the restore takes far longer than they expected, that the team isn’t fully trained to perform the restore quickly, or that their equipment can’t handle moving that much data in the required timeframe.

Clearly, a cutover test will create an operational interruption. If your plan allows eight hours to restore critical data, you could be down that long during a cutover test. For that reason, we’ve seen some clients turn down big contracts that required an annual cutover test. With that downtime and staff commitment factored in once a year, the contract’s profit margin wasn’t compelling enough.

Third-party Facilitators

No matter which test you choose, it’s wise to have outside observers/advisors present. If you believe that you’ve achieved a high level of cybersecurity maturity, you can probably manage the tests internally. But it’s still wise to have a third party watch, take notes and share feedback during the post-game analysis. An expert cybersecurity observer will always see issues that you don’t even know about.

“One side knows the business, and one side knows incident response planning,” says Pratum’s Franklin. “You want to marry those two to manage that responsibility.”

Even if you do hire a third-party advisor to run your tests, Pratum recommends that someone from your team provide the hands-on leadership during the test. This gives your team critical experience that will benefit your organization for a long time.

If you need help identifying the right testing method for you, contact Pratum’s consulting team today.
