The challenge with cyber insurance is that approximately 67 companies sell the coverage, and there are no standard forms to follow.
Cyber coverage is customized to a specific company, and pricing is scaled to the size of the organization, the kinds of data to be protected and the types of cyber risk the organization faces.
Filling out the application correctly is a critical step in obtaining cyber insurance coverage. As with most insurance applications, incorrect answers can give the carrier grounds to rescind the policy. It doesn't happen often, but it remains a possibility that businesses need to be aware of.
The person meeting with the underwriting team should be involved in filling out the application and well versed in its contents.
In addition to technical questions about the way your company manages data and security, most applications will also ask about prior claims within the past five years and whether your company will need media and website cybersecurity coverage.
Here is a look at six categories of the most common questions asked — and the level of detail required — across most cyber insurance applications. The questions are taken from cyber risk coverage applications for ACE/Chubb, Hartford, Travelers and USLI, all of which are available on the internet.
[NOTE: I have heavily edited this – the intent is to give you a flavor, please see the article for more details or call your broker.]
1. Information privacy and governance
Do you have a person designated for overseeing information privacy? Provide name and title.
Which of the following types of private information (personal information or third-party corporate information) does your company store, process, transmit or otherwise have responsibility for securing?
2. Information security
Do you have a person designated for overseeing information security? Provide name and title.
Do you have a formal program in place to test or audit network security controls?
3. Intrusion detection software
Do you use intrusion detection software to detect unauthorized access to internal networks and computer systems?
Do you regularly review the results of automated database monitoring tools that continually monitor, record, analyze and send alerts, including automatic shutdown when a data access irregularity is detected?
4. Data backup
Is all valuable and sensitive data backed up by the applicant on a daily basis?
Do you conduct training regarding security issues and procedures for employees that use the applicant’s computer systems?
5. Policies and procedures
Do you publish and distribute written computer and information systems policies and procedures to your employees?
Do you have a formal documented procedure in place regarding the creation and periodic updating of passwords used by employees or customers?
6. Compliance with industry standards
Are you compliant with the ISO 27001 information security standard?
Are you compliant with any regulatory or compliance frameworks? Provide the names of all that apply and the most recent date of compliance.
In sharp contrast to getting coverage for your drone, there is not much these underwriters don't want to know about how you handle your data. If you are part of a large organization, you can point to someone down the hall or across the country. If your answers are "huh" and "in your dreams", you are at risk – all the more so if you are managing your own or your customers' drone data.
My takeaway is that minimizing risk is deliberate and extremely specific.
There must be a designated person or people who are responsible. Data management and security is a complex subject, and it needs to be someone's job.
Documentation of policies and procedures is essential.