RCR 012: Cyber Insurance Minimum Security - CISSP Study and Training!

Description:  

Shon Gerber from Reduce Cyber Risk.com reveals to you the steps each week the information you need to best protect your business and reduce your company’s cyber risk. Shon provides cybersecurity for business training and how you can begin to address the cyber risk for your daily business.

In this episode (Part 9), Shon will address, the minimum security practices you should consider when looking at a cybersecurity insurance policy. Implementing these Minimum Security Practices can help reduce your premiums as well better protect your business.

Transcript:

welcome to the reduce cyber risk podcast where we give you the tools you need to meet your regulatory requirements while helping keep the evil hacker hoarded Bay hi my name is Sean Gerber and I'm your host for this action packed and forwarded podcast join me each week cuz I provide the information you need to best protect your business and reduce your company's cyber risk this episode where we talked about on cybersecurity insurance and some key points around it so first I was minimum security practices when you initially the last episode we kind of talked a little bit about how we need to consider for the exclusions and so forth one and we also talked about how the minimum security practices that you have those in place for your business you can potentially reduce the premiums associated with the insurance for your business so there's no Define thing that you have to do to make your security for your business there's no minimum security however as defined by you and you need but it needs to resemble current best practices so what are some current best practices well just put out the cybersecurity framework for critical infrastructure and that would be one there's also the iso 27001 which is another one there's nist National Institute for Santa Rosa Technology 800-53 that's another one so there's multiple using and what were them provide some training cyber risk and some other things I'll be putting out there that will give you what you need to basically walkthrough from beginning to end on building out of framework for your business and we're focusing specifically as we mentioned before and small medium businesses on how what you can do to protect the security around your company and put Security in place to protect your company so one of the key things around a minimum-security practices is a secure network design what does that mean so let's just say you got a small business the Wireless in your business but you don't protect it you don't lock it down you don't do anything in place for that security around the wireless of your business and so anybody can log on from anywhere that's around your building and get in your network that would be an insecure Network design okay so I recommend you get with an IT professional to help you as you define your network of what is secure now I caveat that with this keep it simple stupid don't make this more complicated than it has to be and I will say from IT professional many times we make it way more complicated then it must be you need to decide for your business what is the minimum that you need to be secure the more you complex you make it in the more Gucci you make it when it's up happening is you actually increase the phone ability chance within your organization and you don't want that to happen so you got to have enough open up yourself to more vulnerable didn't want to have on here on the security of society does that mean example is let's just say you have a point in a point and you have data talking to each other through these points right and it's protected in a an encrypted tunnel so the total of talky talky they're good to go right Cryptid awesome but the data lands on a little let's go a database server and on a database it's sitting in that database now is it protected well is encrypted don't know you need understand from a security for your insurance standpoint what are they talking about encryption's required what does that mean does that mean the fact that all of it has to be in place from talk to talk from beginning to end or just in the middle that may or may not work you just have to decide and you need to ask insurance company that you're getting these policies cybersecurity framework for critical infrastructure it's also the 27001 use a framework which is basically guidelines on how to do accomplish the challenges as these can be very big and owners example nist 800-53 that thing is like 80 pages long you if you want to go to sleep read it okay it is especially if you're someone who used to making a business you're like this stuff is just mind-numbingly painful so recommendation is go online and see what's available for you we're going to have something to reduce cyber risk to help you with that but bottom line is find somebody out there that can help you guide you through that process if you can afford a security professional do it on the books if you can't do either one of those don't worry about it how you're going to do that for freaky things you can think about what your cybersecurity is also terms and condition the t's and C's those are the ones that are going to get you every time and so you need to understand what is that language what is the fine print and how does it work get a lawyer to help you with that I recommended do not rely on a guy like me to help you because you know what I'll probably let you know I can give you guidance or somebody like me can give you guidance of what that means however if you are in doubt get a lawyer to help you with it and I highly recommend a cyber security lawyer if you can make that happen also there's a little standard right now for around with the policies include so what does that consider consider like a life insurance policy things that we come but the other day you have a pretty good idea of how life insurance policies setup cybersecurity man it's all over the place in latter comes down to which size your business do you have security place do you understand it'll very company to company at the thing is though is cybersecurity as a whole the insurance Market is exploding so there's money there from the insurance company standpoint so you because of that they're going to have many more products available for you I think about his Discovery so appointed as you come in and you go okay I've been breached when did you discover that was a Billy Bob your it guy figured it out or the fact that all of a sudden you see all of your pictures of your puppies online I don't know the point of it is is that they have they have points in there that may say you have to let them know within a. Of time within a couple days of knowing when there was a breach you got to ask a question to the insurance company what does that mean what do you consider a breach and when should you be notified of that breach okay so that's important knowledge because it could take weeks days months years even to get to find out that you've been pwned that you've been owned by it by somebody is accidental disclosure is there a point in there about the fact that you disclose one of your employees disclose something about your business on your server on your cyber insurance policy what are all that fine-tooth what are the different animals around this because it can move all different directions other one that I didn't even know about it until I was talking to a friend of mine is this new virtual assistants using Alexa do you use that within your business is there a call out any insurance policy saying well if you use that and you get breach because of that you don't get paid I don't know but you need to consider all those aspects you look nice something other points that are exclusions not these are the gotchas first one is cyberterrorism insurance company to find what is cyberterrorism what I mean by that is it the Isis or the the bad guys alkayida or somebody like that that's hacking your system that's considered cyberterrorism we won't pay for it so they're going to say okay but let's just say it's the guy down the streets the kid down the street that hacks into your Wi-Fi because you left it open steals all your stuff does that cyberterrorism and then you left a big note that saying I hate you because you have green hair and purple eyeballs is that cyberterrorism I don't know if he says I'm going to go ahead and blow up your dog when they say those keywords intellectual property are they want to pay for it so does your business have gobs and gobs of money investment in like in Electra property so you crave this widget it's worth billions of dollars and that IP is just everything and it gets stolen and they come back and say you know what for it how much are the IPR they going to cover and what are the terms under around that IPO wish they were governmental claims if you have a business and you deal with the government is a vendor's that work for government contracts now have to have a security program in place they have to meet certain requirements will it's just that you get hacked is that included what are the fines associated with that are they going to pay for those negligence failure of the business to meet the security standards you set up your standards you don't follow Casey went to the effort to make you stand as go well I've got my standards checkbox done but you actually don't do it what is that what is that do you not get paid listen cryption is is void if is not used what does that mean understand those exclusive bottom-line cybersecurity insurance or transfer your liability risk but you gotta understand you're going to end up going in for asking hey I've been breached I want my cybersecurity insurance and I paid good money for and then exclusions and soul food and I hope you enjoyed it or just check it out on YouTube or Elver here on any other course I may have out there available right thanks a lot have a great day California and now it's happening with South Carolina and Alabama it's basically telling the federal government they better come up with something if not you have all these states are going to do something that's very different and in the passwords typically happen is California is used as the the litmus test with these kind of regulations either Maryland or it's California so this is going to be another one of those little data points going to add up the California act that the Privacy Act doesn't really get into the cybersecurity pieces of this however what it really is aspects of it now it was going to be interesting as I'm talking through this realize that no one really knows what's going on but in South Carolina and how it is based on insurance with in South Carolina that is comes from a quote from a Justin or cut and I'll have his Link in the in the show notes but it's on the South Carolina Insurance data Security Act Now quote it was signed the law on May 14th 2018 by South Carolina Governor Henry McAllister it's the first piece of cyber security legislation ever to be passed in United States aimed at covering insurance industry so this industry insurance and just picked this cybersecurity act Insurance data security model that they came up with nasik Nana is Seattle Association of insurance commissioners to plan and it's a model by which people Security Programs as well so it's basically taking you are as a business owner got a build you got to build a security program