
Security Requirements for Cyber Insurance

The Canadian insurance industry has responded to the rise of ransomware attacks and increasing cost per breach by requiring businesses that operate with any online presence or remote offering to have Multifactor Authentication (MFA) implemented, a data breach response plan in place, and cybersecurity awareness training. Businesses must demonstrate that they have adequate security measures to protect their customers’ and employees’ identity and personal information to secure insurance against cyber attacks and data breaches. 
What is MFA?
The most basic authentication safeguard is Multi-Factor Authentication (MFA). It combines something you know (such as a password) with something you have (such as a smartphone) to strengthen your security posture.
MFA and Single Sign-On (SSO) should be applied to all cloud applications. SSO means using one of your main services, such as your email, as your identity provider. Pointing your other cloud services to authenticate against that one source ensures that you are not managing a sprawl of separate credentials and gives your organization better control and administration.
What is included in a Data Breach Response Plan?
A data breach is defined as a cyber attack in which personal, confidential, or protected data has been accessed or disclosed in an unauthorized way. Common causes of a data breach include weak or stolen credentials, application vulnerabilities, unauthorized employee access (insider threats), malware, accidental leaks, lost or stolen devices, insecure email and more. Given the sheer number of daily cyber incidents, every business (yes, of every size) should have a data breach response plan in place. NIST 800-53, one regulatory standard we adhere to at Nucleus, takes a four-pillar approach that includes the elements below. Every plan, however, should be updated on an ongoing basis to respond to evolving risks and be tested regularly:
  • Preparation 
    • How is a data breach going to be prevented? 
  • Detection and analysis
    • The type of data breached; 
    • The parties responsible for the breach (root cause of the breach)
  • Containment
    • Internal processes for remediation
    • Employee responsibilities
  • Post-incident activity 
    • Will you engage outside help?
    • What government parties need to be notified?
    • How will the breach be communicated to customers?
    • How will systems/data be restored?
    • Address long-term legal or business reputation issues
Your Microsoft Secure Score
If your business has adopted Microsoft 365, you are now provided with a security score. A Microsoft Secure Score is a real-time measurement of an organization’s security, assigned by Microsoft to help organizations understand their security posture and how to improve it. A strong Microsoft Secure Score is not just important for risk awareness and keeping on top of your cybersecurity roadmap; it is also now being requested by some insurers for cyber liability insurance.
How can a Managed IT Service Provider (MSP) help?
An MSP will assist businesses in identifying their risks and implementing standard security tools and best practices that help prevent data breaches and/or reduce the severity of an incident. One of the best ways to ensure your cybersecurity solution is meeting the standards now required by Canadian insurers is to complete an IT assessment. During an IT assessment, an MSP will review all aspects of the IT environment and assess employees’ security awareness and best practices as they pertain to IT security.
At Nucleus, we deliver a Cybersecurity Scorecard following an IT assessment, which highlights the business’s current security posture benchmarked against industry IT security best practices. Each scorecard category outlines the current state, risk level, and recommendations for remediation.
Cyber attacks are increasing in Canada, with the average cost of cybercrime to Canadian organizations reaching $6.75 million per incident in 2021. -IBM Security Report 2021
Nucleus has developed our cybersecurity assessments based on experience, trends, industry best practices and three cybersecurity frameworks: NIST 800-53, CIS Controls V8.1 and the MITRE ATT&CK Matrix. NIST 800-53 is a regulatory standard that defines the minimum baseline of security controls for all U.S. federal information systems except those related to national security. CIS Controls V8.1 (formerly known as Critical Security Controls) provides specific and actionable ways to stop today's most pervasive and dangerous attacks. The final framework, the MITRE ATT&CK Matrix, helps us bridge gaps across different parts of an organization.
An MSP can also assist in implementing a Security Awareness Training program for your staff. Unfortunately, most cybersecurity breaches are caused by human error, and it is now more critical than ever for employees at businesses of every size to have some basic cybersecurity awareness training. Learn about our offering here.
You Cannot ‘Set and Forget’ your Cybersecurity Solution
Every approach to cybersecurity needs to be layered; you cannot simply put a solution in place that will offer protection forever. Cyber threats, and the technologies that protect our businesses from them, are constantly evolving. Working with an MSP will help your organization identify its risks at any given time and advance your cybersecurity maturity. A strong cybersecurity solution is one that is reviewed and refreshed on an ongoing basis.
For more information regarding security, contact us.