Vince Gremillion – President and Founder of Restech: CISSP, CvCISO, GCIH
Travelers policy – requires MFA on switches. They require you comply with the intent of that.
Recent Cowbell application did not require MFA!
What is required is contingent upon the coverage you are asking for.
- Never fill out an app for a client, not even partially
- MSP comms to a client should be in a document in a detailed format and it should be digitally signed and locked for editing through that digital signature. I use Adobe EchoSign for that.
- I address everything in a CRAQ format and then include for the client a spreadsheet which is a cross reference. I will never answer any of those questions on the application directly because I can tear holes in every single one of those questions.
- I reject many of those cybersecurity insurance application questions as yes or no. Yes/No just does not fit.
- All the insurance carriers and underwriters have accepted my method which I fine to be the only defensible approach since yes/no is inadequate and does not protect the insured/applicant or their MSP.
This is exactly why we need CISO platforms which have automatic data ingestion and transmission of the data to insurance carriers in standardize pre-scored format.
Check out this podcast on the topic: https://qpcsecurity.podbean.com/e/ciso-workflows/
Business owners: You own the risk, you decide what to do with that. If you did not vet the MSP or the vendor or their stack, that is ultimately your risk problem.
HUB International as a broker specifically tried to suggest to one of our clients that the MSP should be filling out the cybersecurity insurance application. I found working with HUB International to be very difficult. Marsh McLennan Agency https://www.marshmma.com/ was very good to work with, but they cater only to larger employers.
Gem from Vince: Compliance as a threat
If law firm A can no longer do business with customer B because they don’t have compliance, that is a threat.