Sorting Through Cyber Insurance

Winnipeg Law Courts

Cyber Security Insurance – Manitoba Law Firms

If your firm is like many other firms in Manitoba, the cyber security requirements may seem unfamiliar to you.  The goal of this document is to help you understand:

a) Why these new initiatives are being introduced

b) What actions are required to stay compliant with cyber insurance

c) Developing a business strategy to maintain securit

Why Are These New Initiatives being Introduced?

The number one threat against any organization is a cyber threat, outpacing fire, theft, drought, or Act of God.  In 2021, attacks increased 50%, much more than businesses or insurers expected or budgeted for. 90% of all threats are introduced into the network via malicious email.

Given that most cyber incidents involve compromised credentials, it’s no wonder insurance companies are tightening requirements related to Privileged Access Management (PAM). Specifically, insurers are taking a close look at how well businesses follow PAM practices such as granular access control, Multi-Factor Authentication (MFA or 2FA), and the principle of least privilege to protect privileged accounts and systems.

Legal professionals exist to provide legal services; that is your passion. Administering the security of the tools they use to do their job is not ever going to be your most enjoyable task. However, the data that hangs in the balance – that being your clients’ most critical information – has enormous ramifications if captured by bad actors. And let’s be clear that these actors are highly skilled and organized. They have their own best-practises, departments, policies, quotas, negotiators and, yes, marketing tools including websites to attract RaaS (Ransomware as a Service).  The average bad actor will reside undetected in your network for over 266 days, dropping a cobalt strike beacon and learning your tendencies, valuation, competitors, critical opportunities, VPN access and optimum ransomware deployment while rendering network-connected backups useless.

The cyber insurance industry has never generated a profit. This is now becoming your problem. The edges of any cyber insurance agreement have historically been poorly defined, so an adjustment is being made over the entire industry to create some form of standardization. The word that best describes this scenario is hygiene. Legal professionals are required to understand and implement network hygiene tasks.  

SolutionsIT considers Cyber Security Insurance a best practice for appropriate network health. We do not ever make recommendations on which insurance company to use, or which package is appropriate. We also cannot guarantee that the desired outcomes of purchasing cyber insurance will be provided, neither can we guarantee that services provided on a network will result in meeting the threshold of requirements toward the insurance company. Insurance is a moving target, so our job is to make recommendations at a fixed point in time, working toward reasonable thresholds of cyber insurance requirements.

What Actions Are Required to Stay Compliant with Cyber Insurance?

At the time of this writing, Manitoba law firms should consider the following services:

a)       24/7 network monitoring

b)      Patch Management

c)       Standardized email hosting via Microsoft 365

d)      Multi-Factor Authentication on all critical applications

e)      Active Directory with established permissions

f)        Off-site backup with Recovery Time Objective (RTO) clearly defined

g)       Scheduled network inspections and tested against best practises

h)      Full reports and alerts of network health on a regular basis

i)        Commercial grade router with enabled firewall

j)        Email Phish Training

k)       Mobile Device Policy with remote wipe capability

l)        Workstation Terms of Use Policy with remote wipe capability

m)    Software Enablement Policy

n)      VPN Policies

o)      Hardware Replacement schedule or policy

p)      Repository of all credentials and SOP’s

q)      Business Continuity Plan documenting:

a.       Business organization chart and responsibilities

b.       Gag order

c.       All policies

d.       Incident Response Action Plan

e.       Critical contact information including

                                                               i.      IT Service Provider

                                                             ii.      Cyber Insurance

                                                           iii.      Legal

                                                           iv.      Vendors

                                                             v.      Media

                                                           vi.      Clients

                                                          vii.      Alarm

                                                        viii.      Board of Directors  

                                                          ix.      Police


These services can be quoted based on consultation.

Developing A Business Strategy to Maintain Security

For many business professionals, cyber security protocols are new and can be uncomfortable. The reality is that the present course of action, outlined above, is here to stay and likely will be mandated in the future. The protocols have an associated cost and should be factored in when budgeting for the next fiscal year. Regardless of the size of your organization, it would be prudent to factor a value associated per computer user in your organization and integrate those costs into your client fees.  Good network hygiene can be itemized into a per-user monthly cost.

Another business strategy is to extend confidence to your client that your data collection habits are uniformly gathered and secured with strict policies and procedures. This can make a significant difference to today’s security-conscious client.

Lastly, seek out an IT provider that understands what you are trying to accomplish. Challenge them on their own processes and make sure you are being understood.

For more information about cyber security, please reach out to your account manager or:

Wes Ens

New Business Development