These days, cyberattacks are happening at a dizzying pace, with each breach more expansive than the last. As a result, more company leaders are seeking out cyber liability insurance, driven either by client mandate or by their own realization that these threats are never going away.
Cyber crime is a much different risk, with a different and often more complicated remediation path than other business risks. It follows that the application process for cyber liability coverage is unique.
The application forms aren’t standardized, and they can vary in length from a few pages to more than a dozen, depending on the carrier. However, regardless of what the application looks like, most insurers assess risk by seeking out information in these three key areas: people, process and technology/data.
Let’s take a look at each.
The “people” part of the application delves into your organizational structure around security. Carriers want to know who in your organization is responsible for responding to a breach, how developed the information security team is, whether regulatory or compliance frameworks are used, and how often you train your employees on the evolving IT threats to your business. Carriers will also want to know who your vendors are, from Internet service providers to software technologies to credit card processors.
The “process” part of the application digs into your Internet services; your process for actively managing your network including software, hardware, updates/patches, user account management, etc.; whether vulnerability assessments and remediation steps are done to mitigate critical vulnerabilities; and whether third-party vendor relationships are audited periodically to maintain data security. The carrier is trying to determine how secure your network and IT processes are, regardless of whether you’re handling these internally or through an outsourced provider.
This part of the application asks for the details of your software, as well as the types of records you retain, including:
Payment card information
Personal health information, i.e., HIPAA-protected data
And any other Personally Identifiable Information (PII) that could be monetized by cyber criminals
In addition, carriers will want to know how long you archive this information on your systems.
All of this data is used to determine risk.
Accuracy is everything
So, it’s critical that you spend some time gathering the most accurate data you can for a cyber insurance policy application.
If you use an outsourced vendor for your IT management, ask that provider to quantify the data on your networks. Talk to your accounts receivable department to gather the average number of payments coming in each month, and how many of these are made by credit card. Get a solid estimate on how much PII you have, including employee data.
Quantifying the data exposure on your network can be daunting. Guessing can leave your company underinsured or over-insured, either of which can have dire financial consequences.
It’s important to note that cyber liability insurance is one of those coverages that’s underwritten to each individual organization. Every company’s network, internal team and IT infrastructure is different, and the appropriate carrier and limits will be as individual as the company.
If you’re concerned about costs, there are options to bring the price down without sacrificing coverage. For example, if your company needs $6 million in coverage, you can get a quote from one carrier who will, for a price, take on all the risk. However, some carriers won’t assume all the risk. Your broker can write the first $3 million of that policy with a carrier on a primary basis and the second $3 million as an “excess” policy with another carrier. Typically, excess coverage comes at a lower cost than primary, as these carriers only take on risk after the primary limits are exhausted. You can potentially save money without increasing exposure. Excess policies are often “follow form,” in that they follow the primary carrier’s forms, saving you from completing a second application as well.
Honesty is (and will get you) the best policy
Whatever you do, be honest about your organizational setup, your security protocols and when you’re asked whether or not your company has experienced a breach before.
If you don’t disclose a prior attack and you have another breach, forensics will uncover that prior breach and any correspondence shared about it. In addition to nullifying your coverage, you could have a directors & officers claim on your hands.
If you have had an incident, whether you had insurance at the time or not, paint a clear picture of what happened. Then, explain what you did to resolve it, and how you’ve improved processes to guard against a breach of that type ever happening again. Carriers will reward you if you’ve taken action to reduce your risk.
Never put off what you should do today
But, what about middle market companies, with one-person IT departments and no breach recovery plan in place? Do they need to defer until they’re less of a risk?
I recommend that these companies go through the cyber liability application process to see where those vulnerabilities lie, then start an internal remediation process. Delve into worst-case scenarios — what would happen if you lost your ecommerce site for a day or a week, if you couldn’t dispatch personnel or if your manufacturing operation came to a standstill? That exercise helps you identify the most mission-critical areas of your company, so you know where a breach would have the greatest impact.
Your broker could work with one or two carriers to get you the coverage you can get right now. Then, next year, when your processes are stronger, he or she can shop the coverage to multiple carriers, with the leverage to negotiate better rates.
Remember these do’s and don’ts
Although it may seem daunting at first, securing the right cyber liability coverage is well worth the effort. The coverage is a conduit to services you’ll desperately need if the unthinkable happens. Just keep these guiding principles top of mind:
Do work with an experienced broker who can walk you through the process.
Do involve the right people from finance, IT, accounts payable and your managed service provider (if you use one) in the application process.
Don’t guess on numbers or other application data, or you won’t get adequate coverage.
Do be honest about prior breaches, as these will be exposed during forensics if another breach occurs — and nullify your policy, often without a premium refund.
Do know you have options to reduce cost for the same coverage, like dividing the risk between a primary and excess carrier.
Do use the application process to recognize vulnerabilities in your organization’s security, and make the appropriate changes.
In today’s world, cyber breaches are, unfortunately, facts of business life. By devoting the time and research to the cyber liability insurance application process, you can get the coverage you need to protect your business and the information you need to strengthen your security protocol going forward.