Applying for cyber insurance? Here’s what you need to know
Everything you need to know to apply for cyber insurance and protect your business against cyber threats
In today’s business environment, there are many cyber risks that could put your company’s computer systems or valuable data in jeopardy. Ransomware, cyberattacks, and breaches of security are on the rise and more consequential than ever, and cyber insurance is fast becoming a must-have coverage for businesses large and small.
Cyber insurance covers the liability and property losses associated with cyberattacks such as data breaches, ransomware, hacks, and more. While cyber coverage varies widely between insurers and is quickly evolving, it generally covers cyber-related losses from the costs of recovering compromised data in a breach to regulatory fines to legal fees if your business is sued.
The cyber insurance application process is typically more rigorous than other types of policies, as cyber risk is a constantly evolving coverage area facing new and different threats every day. When it comes to cyber insurance, insurers want to understand and evaluate your cybersecurity infrastructure and determine your level of risk. How well can the people, processes, and technology you have set up for your company’s cybersecurity protect and respond to the ever-increasing number of cyber threats?
It’s important to be as thorough as possible in your application, as coverage can often be denied for a number of common reasons. The insurer may conclude that your company has inadequate cyber incident response plans, insufficient testing procedures, or incomplete policies and processes, among other reasons.
Insurers will generally be looking for the answers to the following questions:
1. Who is dealing with cybersecurity at your company?
The insurer will want to understand who is responsible for responding to cybersecurity threats at your company and whether you have an effective team set up, including specific individuals you’ve designated to handle cybersecurity. The insurer will also consider whether you have set up effective frameworks to maintain regulatory compliance and how well you have trained your teams. You’ll also need to disclose the names of vendors that come into contact with your data.
- Does your company have an individual designated for overseeing information security?
- Do you outsource (or plan to outsource) a critical part of your internal network/computer system or internet access/presence to others?
2. What valuable data is at stake?
The insurer will seek to understand the nature of the data that’s protected and the value that it holds. You may need to disclose the types of data that you’re securing, including:
- Payment information such as credit card numbers
- Personal health information (HIPAA-protected data)
- Employee benefit information
- Trade secrets of customers or suppliers
- Personally identifiable information (PII), such as:
- Email addresses
- Social Security numbers
- Passport numbers
- Property title numbers
- Vehicle identification numbers
3. What technologies are you using to protect your data and systems?
The insurer will want to know if you have basics such as data encryption, firewall technology, intrusion detection software, and anti-virus software, in addition to more sophisticated cybersecurity protection software in place that addresses vulnerabilities and risks from cyber threats. The insurer will seek to understand how the entire computer network is managed, including issues with software and hardware, and how vendors are interacting with the data and IT system.
- Does your company store privacy information on a secure network zone that is segmented from your internal network?
- Do you perform virus scans of email, downloads, and portable devices?
4. What policies and processes do you have to address cybersecurity risks?
Cybersecurity involves putting in place people and teams, software, policies, and practices that together will protect the company’s electronic data and systems. What plans you have created and the risk controls you put in place matter.
The insurer will be looking to understand whether you have a process to protect your IT network and mitigate risks, whether you actively seek to audit the vulnerabilities in the system, and whether you take appropriate steps to address risks and vulnerabilities even as they are evolving. These can include the response policies you have created, in addition to how you deal with employee training, password updates, access from employees’ personal devices, software patching and updates, data backups, and revoking network access.
- Do you have restrictions regarding access to sensitive information of a third party?
- Do you have a written business continuity/disaster recovery plan that includes procedures to be followed in the event of a disruptive computer incident?
5. What’s your company’s history of cyberattacks?
Obtaining this history can help insurers understand how vulnerable your network is and how well you are able to protect your systems.
- During the past three years whether insured or not, have you sustained any losses due to unauthorized access, unauthorized use, virus, denial of service attack, electronic media liability, data breach, data theft, fraud, electronic vandalism, sabotage, or other similar electronic security events?
6. Do you comply with industry standards and regulations?
Insurers will want to know whether you comply with current cyber-related regulations and laws (e.g., GDPR in Europe or CCPA in California) and if you follow any industry-standard frameworks (e.g., NIST Small Business Security Standard) or have joined an industry group that sets standards for cybersecurity.
- Does your company leverage any industry security frameworks for confidentiality, integrity, and availability (e.g., NIST, COBIT)?
- Is your company an active member in outside security or privacy groups (e.g., ISAC, IAPP, ISACA)?
When applying for cyber insurance coverage, it’s important to put your best foot forward and take the time to complete your application to the best of your ability. The following are a few guidelines to follow when applying for cyber coverage:
Obtain information from key experts
As a policyholder, you’ll need to get accurate and detailed information about your company’s cybersecurity infrastructure, policies, and teams. You should compile an accurate assessment of the types of sensitive data your company holds and the processes and technologies that are in place to protect it.
Giving a clear and accurate picture of your cybersecurity infrastructure and your history of breaches will help you secure the best insurance policy. If you hide information to make it seem like your data is better protected, there are ways for the insurer to find out the real story. For example, prior breaches can be uncovered by the insurance company’s forensics team. Instead of hiding information about breaches, you can show the insurer how you responded to them or made changes that would mitigate future risks. Proving that you have taken action can help you get a better premium.
Being dishonest about your situation can lead to your policy being voided. If the insurer can prove that you made misstatements or omitted information on the policy application in a legal case, then the insurance company may be able to rescind the policy or deny you coverage.
Take action immediately
As you are gathering information on your company’s cybersecurity strengths and weaknesses, you will be able to identify your exposures to cybersecurity risks. Take action immediately to address these risks and vulnerabilities as you identify them to make your cybersecurity more effective. Insurers may even be able to give you a better premium later on as you remedy some of the vulnerabilities.
Consult a broker
Cyber insurance is a relatively new coverage area that is constantly evolving. As new cyber threats emerge, as new technologies develop, and as more historical data is available, insurers are making changes to their cyber products. Coverage breadth and depth may change, including limits of insurance, covered incidents, and pricing. It may be helpful to consult with an experienced cyber insurance broker, such as Evolve MGA, who can guide you through the application process and give you detailed information on what products and coverage levels are available for your business.
In the cyber insurance application process, insurers will be evaluating businesses on their level of cyber risk. Obtaining accurate information from the relevant people in the organization is critical to a successful application.
Being honest about the risks and vulnerabilities your company may face from cyber threats is important to getting the best insurance coverage and not ending up with a rescinded policy or denial of coverage. The application process will help your company identify exposures that can then be addressed immediately. Although the cyber insurance application is more rigorous than most insurance applications, you can secure the right coverage by doing your due diligence.
About Plow Networks
Plow Networks is a leading IT services provider, connecting businesses to technology since 2012. With deep expertise in network, cloud, and end user support services, we partner with clients to leverage technology in ways that simplify operations and fuel growth. Plow Networks is based in Brentwood, Tennessee.