When filling out a cyber insurance application, it is critical that the answers reflect reality. When reality is inconsistent with the answers on the application, the assumed coverage may not be granted in the event of a data breach or ransomware attack.
In a recent court case, Travelers Insurance asked the court to cancel and rescind a policy because the insured allegedly misrepresented its use of multifactor authentication (MFA). MFA was a safeguard required to get cyber insurance coverage.
Statements made in the application were “misrepresentations, omissions, concealment of facts, and incorrect statements”—all of which “materially affected the acceptance of the risk and/or the hazard assumed by Travelers,” the insurer alleged in the filing.
Insurance carriers are zeroing in on threats involving privileged accounts. A common thought among IT service providers is that they have this area covered.
Checkboxes to watch for and plan for accordingly:
⬜ “If the applicant accepts credit cards, are they compliant with PCI/DSS?”
Specifically, PCI 8.5, 8.5.1 and 8.6 speak directly to the requirement for unique credentials tied to each individual’s access. See more on this here.
⬜ “Is MFA used on privileged access accounts?”
MFA is designed to provide an extra layer of security for the account holder’s identity. Sharing MFA credentials, such as one-time codes or security tokens, negates the security benefits of the process and can put the account and the organization’s sensitive information at risk. Each user needs to have their own unique MFA credentials and should never share them with others.
The cyber security framework areas that cyber insurers are pulling from as required practices for credential security are Ruffian Software’s driving premise with TechIDManager. Ruffian Software knew that the need for non-repudiated traceability and security is persistent regardless of the human element.
This is more than access management. This is account management. Want to find out more? Book a demo with us and see what TechIDManager would mean to you!