top of page

Security Awareness Training Framework for Cyber Insurance


Cyber insurance plays a key role in managing and reducing cyber risk. As cybercrime becomes more common and costly every day, the cyber risk continues to increase for all organizations. Insurance providers are seeking to reduce their costly claims for ransomware and business email compromise (BEC) attacks with security awareness training incentives and requirements.

Security awareness training is the leading solution insurance providers are asking companies to implement to improve potential customers' security posture and reduce their cyber risk.

We've created a security awareness training framework for training content based on the NIST Special Publication 800-50 and CIS Critical Security Controls v8 cybersecurity frameworks.

1. Conduct a needs assessment to understand known cybersecurity risks


2. Create a security policy and inform all end-users about their IT Security responsibility to follow the policy.


3. Develop an awareness and training plan that covers the 6 training topics described below.


4. Set the metrics for a successful security awareness program based on your company culture and company needs. This should relate to the needs assessment developed in step 1.


5. Evaluate the training plan to determine if it is effective and repeat step 1.


Watch Cyberattack Preppers: Leveraging SAT in your cyber insurance plan

HacWare CEO Tiffany Ricks and FifthWall Solutions' VP & Channel Chief, Wes Spencer discuss the intersection between cybersecurity awareness training and your MSP and client's cyber insurance plans.

Watch the video on YouTube: https://youtu.be/KGSkZpqk6DQ


6 Must-Have Security Awareness Training Topics to comply with Cyber Insurance

Every security awareness program must address all 6 of these topics to improve their cybersecurity posture to comply with cyber insurance requirements or receive pricing incentives on insurance premiums.

Topic 1 - Identifying Phishing Attacks


The security awareness program must prepare your end-users on how to identify and report phishing attacks to the proper authorities. It should explain the various types of phishing attacks like BEC scams, Smishing, Vishing, Quishing, and other social engineering attacks to lure your end-users into providing access to sensitive information.

Topic 2 - Securing Passwords


The security awareness program must prepare your end-users on how to secure their password and best practices for avoiding the most common password cybersecurity attacks. The program should address best practices for setting up multi-factor authentication (MFA) and using password managers. The program should also explain the company's password policy for when to change a password.

Topic 3 - Securing Your Data and Understanding Data Privacy


The training should explain what is Personal Identifiable Information (PII) and how their industry and state require them to secure PII. The company should communicate the policy for who gains access to information and when access should be revoked.

Topic 4 - Securing your Devices


The security awareness program should explain the best practices for protecting your personal computer and other smart devices from information security attacks.

Topic 5 - Clean Desk Policy


It is important for your training program to cover why it is important to follow a clean desk policy at work and while working remotely to protect data privacy.

Topic 6 - Securing Software Vulnerabilities


Your security awareness program should address application vulnerabilities. It should explain why it is important to update software applications to the most recent version. If your company has a web developer, software developer, or IT professional that is coding, it is important to include secure code training best practices in your security awareness program to avoid application security breaches. This security awareness training program should explain what is OWASP and why it is important for software developers to patch software vulnerabilities.

‌Learn more about HacWare at hacware.com. If you are a Managed Security Service provider (MSSP) or IT professional, we would love to automate your security education services, click here to learn more about our partner program.

bottom of page