Cyber Security Insurance
Parishes, schools and other AOC organizations are not protected by cybersecurity insurance coverage.
Program coverage is available to individual AOC entities that submit acceptable applications.
The following outlines the current underwriting standards in three categories (RED, YELLOW, GREEN) used to assess client risk profiles and to improve coverage and premium rates. Your path to coverage depends on your organization’s ability to demonstrate that it clears these hurdles.
There is no ‘one size fits all’. Every organization’s need is unique and based on what you are protecting.
Critical: Absent these steps, cyber insurance coverage is unlikely
- Identity Access Management – Put the following behind multifactor authentication (MFA):
  - Employee email
  - Remote Access (Virtual Private Network (VPN) and Remote Desktop Protocol (RDP))
  - Privileged Access (Admin accounts)
- Endpoint Protection – Deploy an Endpoint Detection & Response (EDR) solution on all managed endpoints and servers and place it in blocking mode.
- Backups – Maintain segmented, encrypted, offline or immutable backups of critical data, with separate credentials for access protected by MFA, and test recovery at least annually.
- Patching and Vulnerability Management – Have a documented plan that addresses:
  - Segmentation of End of Life (EOL) software and hardware.
  - A regular patching and scanning cadence.
  - Demonstrated ability to apply critical security patches immediately (<48 hours), particularly in response to high-profile zero-day exploits.
- Cybersecurity Awareness and Phishing Training – Train all new employees upon hire and retrain all users annually. Conduct quarterly phishing campaigns on all users.
Preferred: May help you secure more competitive pricing and coverage
- Email Filtering – Utilize strong email filtering tools that block malicious attachments, suspicious file types, and executables. Utilize tools that can run suspicious attachments in an isolated environment or sandbox. Employ SPF, DKIM, and DMARC.
- Privileged Access Management (PAM) – Incorporate privileged access account security measures and/or an integrated PAM tool that actively manages admin accounts and maintains audit logs. Apply domain/service account restrictions across the environment and keep these accounts separate from day-to-day accounts. Limit the number of service accounts in the Domain Admins (DA) group (<5). Review vendor access regularly. Turn off local admin rights on all owned/managed endpoints or implement compensating controls.
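As an added example (not part of the Risk Management page or its application forms), the following Python script shows what "employ SPF, DKIM, and DMARC" looks like when verified: it reads the three kinds of DNS TXT records and reports whether a domain is actually enforcing or only monitoring. The records are constructed samples held in a dict; example.org, weak.example, the selector name s1 and the report mailboxes are placeholders, and a production check would query DNS for the same names.

```python
"""
Evaluate a domain's SPF / DKIM / DMARC posture from DNS TXT records.

Added example, not code from the Risk Management page. The records are
constructed samples held in SAMPLE_TXT; a production check would query DNS
for the same three names instead of reading this dict.
"""
from typing import Dict, List, Optional

# Constructed sample TXT records keyed by DNS name. "example.org" and
# "weak.example" are placeholder domains and "s1" is an assumed DKIM
# selector; the DKIM "p=" value is a truncated stand-in for a public key.
SAMPLE_TXT: Dict[str, List[str]] = {
    "example.org": ["v=spf1 include:_spf.mailprovider.example -all"],
    "s1._domainkey.example.org": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0PLACEHOLDER"],
    "_dmarc.example.org": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.org; pct=100"],
    # Weaker domain: SPF soft-fail, no DKIM key, DMARC in monitor-only mode.
    "weak.example": ["v=spf1 a mx ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:reports@weak.example"],
}


def lookup_txt(name: str, records: Dict[str, List[str]] = SAMPLE_TXT) -> List[str]:
    """Stand-in for a DNS TXT query, served from the constructed records."""
    return records.get(name.lower(), [])


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' record (DKIM, DMARC) into a dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_policy(domain: str, records=SAMPLE_TXT) -> Optional[str]:
    """Return the SPF 'all' result as hardfail/softfail/neutral/pass, or None."""
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:   # zero or duplicate SPF records both mean "no usable SPF"
        return None
    qualifiers = {"-all": "hardfail", "~all": "softfail", "?all": "neutral",
                  "+all": "pass", "all": "pass"}
    for token in spf[0].lower().split()[1:]:
        if token in qualifiers:
            return qualifiers[token]
    return "neutral"    # no 'all' mechanism: the default result is neutral


def dkim_published(domain: str, selector: str, records=SAMPLE_TXT) -> bool:
    """True if a DKIM key record with a non-empty p= tag exists at the selector."""
    for r in lookup_txt(f"{selector}._domainkey.{domain}", records):
        tags = parse_tags(r)
        if tags.get("v", "DKIM1").upper() == "DKIM1" and tags.get("p"):
            return True
    return False


def dmarc_policy(domain: str, records=SAMPLE_TXT) -> Optional[str]:
    """Return the DMARC p= value (none/quarantine/reject) or None if absent."""
    for r in lookup_txt(f"_dmarc.{domain}", records):
        tags = parse_tags(r)
        if tags.get("v", "").upper() == "DMARC1":
            return tags.get("p", "none").lower()
    return None


def assess(domain: str, selector: str = "s1", records=SAMPLE_TXT) -> Dict[str, object]:
    """Summarise the posture and list what an underwriter would flag."""
    spf = spf_policy(domain, records)
    dkim = dkim_published(domain, selector, records)
    dmarc = dmarc_policy(domain, records)
    findings: List[str] = []
    if spf is None:
        findings.append("no SPF record")
    elif spf != "hardfail":
        findings.append(f"SPF ends in {spf}; use -all so forged senders fail")
    if not dkim:
        findings.append(f"no DKIM public key at selector {selector}")
    if dmarc is None:
        findings.append("no DMARC record")
    elif dmarc == "none":
        findings.append("DMARC p=none only reports; move to quarantine or reject")
    return {"domain": domain, "spf": spf, "dkim": dkim, "dmarc": dmarc,
            "enforcing": not findings, "findings": findings}


if __name__ == "__main__":
    for d in ("example.org", "weak.example"):
        print(assess(d))
```

The distinction the script draws is the one that matters for an application: a domain with SPF ending in ~all and DMARC at p=none has published the records but is enforcing nothing, so forged mail claiming to be from the parish is still accepted by receivers. Only -all plus a DKIM key plus p=quarantine or p=reject counts as "employed".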
- Segmentation – Segment your network by operational function, data classification, operational risk, and geography. Incorporate safeguards to prevent lateral movement across your network.
- Security Operations Center (SOC) – Utilize a 24/7 SOC, either internal, third party, or hybrid.
- Security Monitoring – Invest in a security information and event management (SIEM) tool.
- Encryption – Encrypt all critical data, in-transit and at rest on servers. Encrypt all end user devices, especially those with critical data.
Desirable: May help you be classified as best-in-class within your risk profile segment.
- Password Management – Require strong user passwords that must be periodically changed. Provide employees with a password manager.
- Data Loss Prevention and Intrusion Detection – Invest in a tool that monitors data loss (DLP) and place in blocking mode. Invest in an intrusion detection system (IDS).
- Data Governance – Have a unified data governance solution to help manage and govern your data.
- Plans – Have written Disaster Recovery (DRP), Business Continuity (BCP), and Incident Response (IRP) Plans in place and updated yearly. Have a Ransomware Playbook and conduct regular tabletop exercises.
- Standards – Follow an information security framework (e.g., ISO 27001, NIST SP 800-53, NIST SP 800-171, NIST CSF, CIS Controls, HITRUST and COBIT).
- Vendor Management – Require cyber insurance, ask for indemnification, and enforce minimum security standards.
- Access Management – Utilize a zero-trust security framework with just-in-time (JIT) access.
HOW TO APPLY FOR COVERAGE
Click the images to the right for the basic Cybersecurity application form and Ransomware application form.
Complete as accurately as possible.
Return to [email protected]
Contact Risk Management with any questions.
Ransomware
A few Parishes and Schools within the Archdiocese of Cincinnati have been victims of a computer-related “ransomware” attack, whereby a remote hacker locked up all files on their network servers in an effort to extort a ransom payment for the “key” (essentially a code) to unlock the files. The entities took action to secure their systems and commenced a prompt investigation, working closely with external forensic cybersecurity professionals. The computer systems were disabled by the cyber attack for several weeks, which was very disruptive to their operations. These incidents are being shared to raise awareness that cyber attacks are a very real risk. If this occurs at your location: DO NOT PAY THE RANSOM.
Ransomware is a form of malware that targets critical data and systems for the purpose of extortion. Ransomware is the fastest growing malware threat and can lead to temporary or permanent loss of sensitive information, disruption to operations, financial losses incurred to restore systems and files, and harm to a Parish’s or School’s reputation.
Protecting Your Networks
- Attackers often enter the system by tricking a user into disclosing a password or clicking on a virus-laden email attachment. Train employees never to open attachments or click on URLs in unsolicited emails, even when the message appears to come from someone in their contact list.
- If your location contracts with an outside IT support company, take the time to consult with them to ensure proper safety measures are in place.
- Disable Remote Desktop Protocol (RDP).
- Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Secure the backups and ensure they are not permanently connected to the computers and networks they are backing up.
- Configure access controls including file, directory, and network share permissions with the principle of least privilege in mind. No users should be assigned administrative access.
- Maintain updated Antivirus software on all systems. Enable strong spam filters to prevent phishing emails.
- Keep the operating system, applications, MS Office, browsers, and browser plugins up to date with the latest patches.
- Block email attachments with the following file types: exe, pif, tmp, url, vb, vbe, scr, reg, cer, pst, cmd, com, bat, dll, dat, hlp, hta, js, wsf.
- Follow safe practices when browsing the web. Ensure web browsers are hardened with appropriate content controls.
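As an added example (not code from the Risk Management page or any vendor product), the following Python script applies the extension list above to every attachment in a parsed e-mail message, handling the cases a mail gateway has to get right: upper-case names, trailing dots or spaces (which Windows ignores when it opens a file), and double extensions such as Invoice.PDF.exe. The sample message is constructed inline with placeholder addresses.

```python
"""
Apply the attachment blocklist to every attachment in a parsed e-mail.

Added example, not code from the Risk Management page. It uses the page's
extension list and handles the tricks a gateway must cope with: upper case,
trailing dots or spaces (which Windows strips when opening a file) and
double extensions such as Invoice.PDF.exe. The sample message is constructed
inline and the addresses in it are placeholders.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, Optional

# The extension list from the page, lower-cased for comparison.
BLOCKED_EXTENSIONS = frozenset(
    "exe pif tmp url vb vbe scr reg cer pst cmd com bat dll dat hlp hta js wsf".split()
)


def normalize_name(filename: str) -> str:
    """Lower-case and drop trailing dots/spaces, which Windows strips itself."""
    return filename.strip().rstrip(". ").lower()


def blocked_extension(filename: str) -> Optional[str]:
    """Return the blocked extension of a filename, or None if it is allowed.

    Only the final extension decides how the OS opens the file, so
    'Invoice.PDF.exe' is judged on 'exe', not on the 'pdf' decoy.
    """
    name = normalize_name(filename)
    if "." not in name:
        return None
    ext = name.rsplit(".", 1)[1]
    return ext if ext in BLOCKED_EXTENSIONS else None


def scan_message(raw: bytes) -> List[str]:
    """Parse a raw RFC 5322 message and return the names of blocked attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits: List[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""   # the library decodes encoded names for us
        if blocked_extension(name):
            hits.append(name)
    return hits


def build_sample_message() -> bytes:
    """Constructed test message: one benign PDF and two disguised attachments."""
    msg = EmailMessage()
    msg["From"] = "vendor@sender.example"
    msg["To"] = "office@parish.example"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ placeholder", maintype="application",
                       subtype="octet-stream", filename="Invoice.PDF.exe")
    msg.add_attachment(b"// placeholder script", maintype="application",
                       subtype="octet-stream", filename="notes.js.")
    return msg.as_bytes()


if __name__ == "__main__":
    print("blocked:", scan_message(build_sample_message()))
```

A filename check like this is a floor, not a ceiling: it says nothing about an allowed extension whose content is dangerous (a macro-enabled document, or an archive that wraps one of the blocked types), which is why the "Preferred" tier above adds sandbox detonation of suspicious attachments on top of type blocking.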
- Configure firewalls to block access to known malicious IP addresses.