Pub. 11 2021-2022 Issue 3-1

coloradobankers.org

Navigating Cyber Insurance in 2021 and Beyond

By Chris Tuzeneu, VP-Information Security
CivITas Bank Solutions, a Bankers’ Bank of the West Bancorp Company

If you’re anything like the number of banks I polled at a recent cybersecurity conference, your cyber insurance policy is up for renewal in the next few months, if you haven’t already been through the cycle. For those of you nearing a renewal period, you should be aware that there are some pretty substantial changes coming your way, as this will most likely not be a simple “rinse and repeat” extension. If you have access to a legal team, now will be the time to use some of those hours to ensure you don’t miss some important and costly details of the contract.

Here is a high-level overview of some new and slightly shifting requirements you can expect to see:

Multifactor Authentication (MFA) requirement on all endpoints. This includes any external connections such as a VPN. Cyber insurance providers are now requiring MFA as a condition of insurance or at the very least an implementation plan with a concrete and short deadline. The security novelty of five years ago has now moved from a tool to get you brownie points with your regulator to a tool to get you insured. If you don’t already have something in place today, it’s a good idea to start the vetting process now.

Questionnaire about security controls in renewal paperwork. It’s not quite an audit request list, but you can expect IT to be more involved in filling out the re-up packet than they have in the past. This may include questions about your backup methods and scope, Incident Response procedures and testing, and details about your Disaster Recovery Plan.

Coverage amounts may decrease, or your premiums may be higher. In at least one instance, we heard from a bank that coverage specific to ransomware payment was broken out into its own category and was reduced from a maximum of $10 million to $2 million. Increases of 5-15% are generally being reported in this renewal cycle.

Restrictive lists of authorized third-party providers. This isn’t necessarily new, but it’s worth looking at when you do renew just to ensure there haven’t been any changes. Vendors in the arena of incident response,
