Insurance Companies are Requiring Cybersecurity Business Continuity Plan (BCP)
What is a Business Continuity Plan (BCP)?
The comprehensive Business Continuity Plan (BCP) details how to reestablish office productivity, enterprise data and software so that key business operations are restored. The Business Continuity Plan (BCP) includes strategies for managing IT disruptions to networks, servers, and computers due to cyberattack, fire, flood, theft, hardware failure, pandemic, etc. The plan contains business processes, assets, human resources, and business partners – every aspect of the business that could be impacted and defines how a business will continue to operate during an unplanned disruption in service. Manual workarounds should be included within the plan, enabling operations to continue until systems are restored.
It is becoming standard protocol for insurance companies to require a comprehensive Cybersecurity Business Continuity Plan (BCP) for businesses seeking to purchase or maintain cybersecurity insurance. However, cybersecurity is only ONE aspect of disruption to services, focusing on security breach and recovery.
I.T.WORKS! can assist clients in Cybersecurity Business Continuity Plan (BCP) preparation, ensuring the documentation is comprehensive, ready and available when required.
A qualified MSP relationship will reduce the risk of attack to begin with, because if systems are properly and proactively maintained, the risk of attack is dramatically reduced. In addition, your MSP is a strategic partner at every step of the Cybersecurity (BCP) as this relationship will significantly increase a business’s chance of recovering with swift response and execution. It is much better for small and medium sized businesses to have a trained partner (and team) in a cyber-attack or ransomware situation, than to search for this partner after the attack has taken place. Options rapidly deteriorate as time passes following a breach. The longer an attack goes on, the more damage is done.
Why You Need a Cybersecurity Business Continuity Plan (BCP) Right Now?
A cyber or ransomware attack can leave the systems you need to run your business inoperable. A Cybersecurity (BCP) is crucial for your business to recover quickly. Such plans help businesses prepare for the day a cyberattack occurs, so access to data and systems is maintained, loss is reduced, and businesses get back to work faster.
Not only will insurance companies require this information, but it is core business information necessary to keep your company operational.
A Cyber-Security Business Continuity Plan (BCP) should include:
- A checklist of your business network environment:
- Loss of connectivity
- Data backup
- Backup site locations
- A risk assessment of your system using these questions:
- What is it?
- Data used?
- Identify external and internal interfaces?
- Who uses the system?
- What is the data flow?
- Where does the information go?
- Geographical risks?
- Nature of customers?
- Relevant industry risks?
- What business processes are impacted?
- Identification of potential cyber security risks:
- List all potential risks and rate them on a scale of low, medium, and high risk.
- Identify level of risk – tolerable, impactful, catastrophic
- Identify likelihood of breach – high, medium, low
- Identify as acceptable or not acceptable risk
- Measure cybersecurity risks against best practices
- Identify evaluator of current cyber security risks (i.e.: self-evaluations, third-party evaluations)
- Identification of safeguards and procedures to monitor, assess, respond, and mitigate risks:
- Identify teams, tools, methods, and guidelines that will mitigate cyber security risks
- Current risk management practices
- Legal and regulatory requirements
- Organizational constraints
- Data and financial backup and recovery strategy, policies, and guidelines
- Identification of the outreach process to emergency responders if a threat occurs:
- Contact information for emergency responders per pre-identified threat
- Identify plan administrators, key personnel, and backup site providers
- Document plan should have both a digital and physical copy, and make emergency responders aware of the plan locations
- Schedule regular testing and review of the plan regularly to ensure it is up to date
- Re-Evaluate plan to address potential issues
- Develop both internal and customer facing communications plans
- Train partners or vendors on their responsibilities during a cyberattack.
- Implement the Action Plan:
- Test process and procedures to ensure the plan works
- Track progress and completion
- Evaluate to ensure gaps are closed and risks are monitored
- Additional questions
- What is our firewall, is it enterprise grade, and how often is performance verified?
- What is our antivirus, is it enterprise grade, and how often is performance verified?
- What is our spam filtering, is it enterprise grade, and how often is performance verified?
- Are networks segregated?
- Password policy for all employees and devices?
- Data encrypted at-rest and in-transit?
- Are VPNs required for remote users?
- How often are we backed up and where do the backups reside (i.e. every night, every hour, and cloud based or on premises)?
- How often are backups physically verified?
- What is the ransomware protocol when this happens?
- Employee Cybersecurity training? (What not to click on, etc.)
- Multi-factor authentication in use?
- Evaluation of employees working remotely, including the systems, data, and software they need to access.
- Team member sign in process?
- Training for newly remote employees on how to safely access the network.
- Are technologies secure for videoconferencing, messaging, and collaboration?
- Plans may provide detailed strategies on how business operations can be maintained for both short-term and long-term outages.
Plans should include critical systems listed in order of priority to avoid confusion during recovery efforts, and to make certain things are backed up in a way that facilitates the smooth recovery. Think of it like this. Do you want payroll, sales, or operations to be recovered first? Maybe it’s a line of business app that is most important, for a medical or law practice that might be the EMR or case manager respectively. Just make sure that you have each critical item (and user(s)) listed in the order that they should be restored. Make certain everyone at your organization agrees with this order before there is an issue, so time isn’t wasted debating what is “most important”. We don’t want to make bad decisions under duress, so it’s FAR better to work it out while things are working.
Understand how your business IT works, how it can break, and what actions can be taken to fix it.
Make it much harder for a cyberattack to happen with proper IT management. Being prepared for the worst by taking proactive steps to safeguard your technology, training your team, and better preparing your business if the worst does happen, will help to mitigate the damage. It is not just technology, but also the people and process that increase safety. If you do get hacked, you need processes in place to return to normal business operations and alleviate the risk.
If your business is continuously down and dealing with support tickets, or if technology is consistently having issues, it lacks the proper hygiene needed to keep business systems safe. This is where MANY businesses find themselves.
Hindsight is 20/20. Many businesses will go through an attack to figure out how they need to protect their business technology. Many more will get hacked over and repeatedly, which is a tough lesson to learn and a terrible way to learn it.
This is an issue that requires a very candid conversation. Cybercriminals are going to steal from those who make it easier to steal, the path of least resistance. If you are an easier target, chances are, you will be hit at some point.
We are available for conversation, please feel free to contact us.