As the general manager of a managed service provider that works with law firms across the United States on all things IT-related, not much surprises me when it comes to technology requests from lawyers. However, we recently had an eye-opening experience that led us to explore the requirements for obtaining cyber liability insurance, which is increasingly being added to organizations’ security and disaster recovery strategies. In fact, Fitch Ratings recently reported that standalone cyber coverage increased by 92% in 2021, with Munich RE citing cyber premiums worldwide at $9.2 billion.
Our client was enthusiastic about installing two-factor authentication on their systems and wanted us to help implement it immediately. Obviously, that’s a topic we’re equally excited about. Two-factor authentication is a security process in which users provide a password and a second proof of identity, such as a code sent to their phone via text message, adding an extra layer of security to ensure your information stays protected. The idea is that it’s very unlikely that a hacker would have access to both your password and your mobile device at the exact same time.
There was a sense of urgency to the request, so I had to learn more. When I dug deeper, I found out that the reason they were so passionate about the topic was that they had applied for cyber liability insurance and were rejected for not having multifactor authentication (MFA) installed. Believe it or not, they couldn’t even find someone who would quote them for a policy without it.
If you’re thinking of applying for cyber liability insurance, there are a few things you should know. Chief among them is that during this process you’ll be asked to share a lot of information about your current risk surface and what measures you’re already taking to prevent some type of incident from taking place. If you look at your average cyber liability insurance policy application, the questions you’ll be asked can seem quite overwhelming.
In terms of email security controls, for example, you’ll need to provide information about whether you tag external emails to alert employees that the message is coming from someone outside of the company. You’ll need to state whether you pre-screen emails for potentially malicious attachments and links.
Regarding internal security controls, you’ll have to disclose whether you use a cloud storage solution to store data or host applications. Given that most firms use either Microsoft 365 or G Suite, cloud storage is now almost universal. You’ll need to outline what efforts you’re making in terms of multifactor authentication for services like Amazon Web Services, Microsoft Azure, or Google Cloud. The list goes on and on.
A cyber liability insurance provider is still...an insurance provider. It’s no different than if you were trying to get auto insurance — they would look at your driving history, the number of accidents you’ve been in, the number of traffic tickets you’ve gotten, and more — all to come up with the most accurate risk assessment possible. If you’re deemed "too risky," they’re not going to offer you coverage because you’re almost certainly headed for an issue.
Therefore, these types of measures are essential — not just in terms of preventing a cyberattack, but for making this type of insurance policy possible in the first place. They’ll want to make sure that you not only have backups of data, but that those backups are encrypted. They’ll need to know whether your backups are kept separate from your network or in a cloud service designed for this purpose. They’ll even dig into whether your employees receive company-provided social engineering training, something that in and of itself can help prevent the vast majority of attacks you may face.
Does all of this sound like a tremendous amount of effort? Yes – because it is. But it’s also worth it, because you’re doing your part to help mitigate risk and avoid the type of disaster that such a policy would need to pay out on.
The best strategic move to help strengthen your security posture is to work with experts who understand cyber liability insurance requirements to implement better processes, policies, and industry-leading cloud-based technologies. Solutions like NetDocuments for document and email organization and management, for example, have advanced security capabilities for things like data loss prevention, workspace security management, and customer-managed encryption keys. And through integrations with the other technologies you use daily, everything stays within the protection of the DMS.
With the right tools and processes in place, hopefully you never have to use your cyber liability insurance coverage. But having it can help ensure you’re prepared for a worst-case scenario and bring you peace of mind, so worries about ransomware aren’t keeping you up at night.
With 27 years of experience, Kevin Haight is the General Manager for WAMS, Inc., a NetDocuments implementation partner and IT support provider for law firms in the Southern California region.