
It’s that time of year: business insurance renewal. I received the “Network Security & Privacy” section of an application for Errors & Omissions (E&O) insurance from our CFO last week.

Nothing terribly noteworthy there, but as I started to read through the list of 20+ questions I was surprised and impressed with the information the insurance provider wanted us to provide and how much more specific and rigorous their expectations are in 2013 than they were when we last completed this application in 2011 (when they only asked 15 questions!).

Evidently, this particular provider has bought into the wisdom of adopting the SANS 20 Critical Security Controls for Effective Cyber Defense! Here are a few examples of how the questions they want answers to map to the SANS “Top 20.”

One of the first things they asked was whether or not we have a firewall in place. That’s a pretty standard question. Check.

But then they asked if our “firewalls, information systems and security mechanisms” are securely configured, and further qualified that by stating, in bold print no less, that we should “Check ‘NO’ if your systems are configured using factory default settings.”

While this is clearly a leading practice and maps directly to SANS 3, 10, and 13, I was gratified that they called it out as an expectation for applicants for insurance. (And check again, in case you were wondering!)

On to the next question: “Do you enforce a software update process that includes monitoring of vendors or automatically receiving notices from them for availability of security patches, upgrades, testing and installing critical security patches?”

Another leading practice and another check, but here again, they went on to ask how often we do this: weekly, within 30 days, or in more than 30 days.

This reflects the “remediation” element of SANS 4. What’s interesting about this question is that on the 2011 form from the same provider, they simply wanted to know if critical security patches, etc. were installed “as soon as possible, but not later than 30 days.”

They’re clearly probing for – and expecting – a much higher level of security rigor in 2013 than they did two years ago!

For the final example, they ask about our use of encryption of information stored on databases, servers, and data files, which maps to SANS 17 and the importance of data loss prevention.

Here again, though, what’s interesting is the additional questions they’ve added in the last two years. Specifically, if encryption isn’t in place, they want to know if we’ve deployed compensating controls, e.g. segregation of servers storing confidential information and/or role-based access controls.

We all know information security is getting more complex and the expectations for how we implement and manage it are increasing in concert. This application serves as tangible evidence of that added complexity and increasing expectations.

In my next post, I’ll talk about how I used this document as an opportunity to “connect security to the business” by reviewing it with our aforementioned CFO and General Counsel.

Stay tuned!


P.S. Have you met John Powers, supernatural CISO?


  • Cyber security and risk management have become a major concern of errors and omissions insurance carriers with the increase of claims related to hacking of identity, financial and other sensitive data from computer networks. Having competent IT personnel is a big step in the right direction of electronic security and loss prevention, but most small and even medium-size businesses do not have the proper safeguards in place.

    Take for instance most independent CPAs or insurance agents who depend on computer networks and third-party vendors to conduct their everyday operations and deal with sensitive financial and personal information – rarely do they have the expertise or personnel that understand the risks beyond having their computers stolen physically from their offices.

    Most will not understand the questions, let alone know the answers. But if they take the hint from their insurance provider, they will hire a professional to make sure they are complying with the higher standards, or risk denial of coverage if they answer incorrectly on the “Network Security & Privacy” section of their E&O application in the event there is a breach of the network and sensitive data is stolen.