Cyber Insurance and Cybersecurity Policies and Procedures

A McGriff client recently asked us for a draft of, or recommendations for, a Secrets Management Policy and a Vulnerability & Patch Management Policy. Both policies are crucial for protecting an organization's data and systems from a range of cyber threats. Recognizing the importance of this request, we share our recommendations with you.

What is a Secrets Management Policy?

A Secrets Management Policy defines the rules and procedures for securing and managing sensitive information, such as passwords, API keys, and encryption keys, within an organization. It outlines how secrets should be created, stored, accessed, and rotated to minimize the risk of unauthorized access and data breaches. [1] An organization's policy should include:

  • A clear definition of what constitutes a secret (e.g., passwords, API keys, database credentials) [2]
  • Directions for how secrets should be stored, such as in secure vaults, encrypted files, or environment variables [3]
  • Who has, or will have, access to which secrets, and the level of access they have been granted
  • A schedule for rotating secrets (e.g., passwords, API keys) to minimize the impact of breaches [4]
  • A plan for how to respond when secrets are compromised, such as rotating the compromised secrets and investigating the incident

What is a Vulnerability & Patch Management Policy?

A Vulnerability and Patch Management Policy defines the procedures for identifying, assessing, and addressing security vulnerabilities in an organization's IT infrastructure, including the application of security patches. [5] This policy is crucial for mitigating the risks associated with unpatched vulnerabilities and maintaining a secure IT environment. It should apply to all software, hardware, and network devices in the organization's IT infrastructure. Along with the policy and its procedures, the IT department can define operational rules for how it responds when vulnerabilities are found. [6]

The main difference between patch management and vulnerability management is that patch management is the operational process of applying patches to vulnerable systems while vulnerability management is the process of identifying, scanning, and prioritizing vulnerabilities for remediation.

Vulnerability Management [7]

Vulnerability management is a process designed to proactively identify, classify, remediate, and mitigate vulnerabilities in an IT infrastructure, with the goal of reducing overall risk to an organization. It is a broader approach to managing vulnerabilities that includes the patch management life cycle, and it consists of these steps:

  • Assess vulnerabilities and their level of risk to the organization
  • Prioritize patching (it is not always from the most severe to the least severe reported vulnerability; rather, the vulnerability with the most relevant impact to your organization should be prioritized)
  • Patch the vulnerability
  • Review and assess the patch
  • Improve the process by continuously monitoring and reporting vulnerabilities

Patch Management [8]

Patch management is the process of removing software vulnerabilities by applying patches. This typically includes adhering to a patch management policy and an operational process that defines what to patch, a patching timeline, and levels of priority. The steps to action a patch are:

  • Develop an inventory of production systems, including IP addresses, operating systems, and applications
  • Organize all security controls
  • Compare the inventory and controls with reported vulnerabilities
  • Mitigate the vulnerability by applying the patch
  • Document the patching and review it


A comprehensive vulnerability management program will include separate policies for both patch management and vulnerability assessments. Keep in mind that, when creating a vulnerability and/or patch management policy, you will almost certainly need buy-in and review not only from the security program leadership at your organization, but also from business units such as IT, legal, operations, and finance. [9]

What is a Cyber Incident Response Plan? [10]

Coalition explains that Incident Response plans help businesses before, during, and after a cyber incident. Incident response plans are tailored to individual companies and should contain information about key roles and responsibilities, along with guidance on key activities. The end goal of the cybersecurity incident response process is to minimize business downtime while responding to the incident in the most effective way possible. As such, an Incident Response plan should incorporate a Secrets Management Policy and a Vulnerability & Patch Management Policy, depending on your organization's needs and wants.

Cyber Security Policies and Cyber Insurance Policy

Many organizations are, or should be, adopting protective strategies that incorporate both cybersecurity measures and cyber insurance. Because these two serve different purposes, organizations need all bases covered, from efforts to prevent cyber incidents to managing their aftermath in order to bounce back from the financial impact of those incidents. Cyber Insurance addresses recovery after a cyber incident, whereas Cybersecurity Policy is all about preventing incidents.

Cybersecurity Policies

  • Internal rules, guidelines, and standards that define an organization's approach to protecting its information systems, networks, and digital assets from cyber incidents.
  • Designed to establish a framework for managing risks, securing data, ensuring compliance with regulations, protecting against vulnerabilities, and maintaining a secure IT environment.

Cyber Insurance

  • A specialized type of insurance coverage designed to protect businesses from the financial losses associated with cyber incidents, such as data breaches, cyberattacks, and network outages.
  • Designed to provide financial protection in the event of a cyber incident, covering costs such as incident response, legal fees, data breach notification, and reputational damage.


By combining both Cybersecurity policies and Cyber Insurance, organizations are better prepared to handle disruptions and recover swiftly.

Who Can Assist with a Company Policy?

Organization leaders and directors should be involved in preparing the standards, guidelines, and procedures that support the Cybersecurity policies. Organizations could also form a Cyber Security Task Force that includes representatives from the organization, external privacy counsel, and IT forensics.

Who Can Assist with a Cyber Insurance Policy?

McGriff can help you compare policies from different insurance companies and tailor them to your specific needs. The McGriff Cyber Claims Team also plays a crucial role, acting as your advocate throughout the process: reporting, initial claim triage, addressing coverage-related questions, developing appropriate claim handling strategies, providing cyber vendor recommendations, and post-claim support, to mention just a few of our services.

Sources

  1. https://www.legitsecurity.com/aspm-knowledge-base/what-is-secrets-management#:~:text=Secrets%20management%20is%20the%20process,data%20with%20the%20right%20precautions
     https://www.cloudflare.com/learning/security/glossary/secrets-management/#:~:text=Secrets%20management%20is%20the%20practice,to%20connect%20to%20each%20other
  2. https://www.cyberark.com/what-is/secrets-management/
  3. https://www.paloaltonetworks.com/cyberpedia/secrets-management#:~:text=Always%20encrypt%20secrets%2C%20both%20at,access%20control%20of%20encryption%20keys
  4. https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_schedule.html
  5. https://www.sentinelone.com/cybersecurity-101/cybersecurity/patch-management-vs-vulnerability-management/#:~:text=into%20a%20cyberattack.-,What%20is%20Vulnerability%20Management?,compliance%20with%20laws%20and%20regulations
  6. https://www.bluevoyant.com/knowledge-center/vulnerability-management-complete-guide-to-process-and-tools#:~:text=Establish%20a%20Vulnerability%20Management%20Policy,%2C%20database%20servers%2C%20and%20more
  7. https://frsecure.com/vulnerability-management-policy-template/
     https://www.nyu.edu/about/policies-guidelines-compliance/policies-and-guidelines/policy-on-security-vulnerability-management.html
     https://www.cisa.gov/sites/default/files/publications/CRR_Resource_Guide-VM_0.pdf
  8. https://www.techtarget.com/searchenterprisedesktop/tip/Creating-a-patch-management-policy-Step-by-step-guide#:~:text=What%20is%20a%20patch%20management,are%20applied%20to%20various%20systems
     https://www.esecurityplanet.com/compliance/patch-management-policy/
  9. https://purplesec.us/learn/patch-vs-vulnerability-management/#:~:text=Keep%20in%20mind%2C%20when%20creating,legal%2C%20operations%2C%20and%20finance
  10. https://www.coalitioninc.com/topics/7-steps-to-effective-cyber-incident-response-plan
     https://www.crowdstrike.com/en-us/cybersecurity-101/incidentresponse/


This document is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Marsh & McLennan Agency LLC shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Any statements concerning actuarial, tax, accounting or legal matters are based solely on our experience as consultants and are not to be relied upon as actuarial, accounting, tax or legal advice, for which you should consult your own professional advisors. Any modeling analytics or projections are subject to inherent uncertainty and the analysis could be materially affected if any underlying assumptions, conditions, information, or factors are inaccurate or incomplete or should change. d/b/a in California as Marsh & McLennan Insurance Agency LLC; CA Insurance Lic: 0H18131.

Contributor

By Natalia Santiago, JD

Executive Risk Advisors

SVP & Claim Manager

McGriff

As seen in the McGriff Risk Review newsletter.
