Uprite IT Services

Essential Questions and Tips for Navigating the Cyber Insurance Application

November 26, 2024

Navigating the cyber insurance application process can be overwhelming, but addressing the right questions in detail helps ensure you get the right cybersecurity insurance coverage for your organization. Here’s a rundown of common questions on cyber insurance applications and some tips for filling them out. Each question touches on critical areas of cybersecurity, compliance, and data protection that insurers prioritize. These tips are designed to help you provide accurate responses and highlight your security efforts.

Data Records

For how many individuals does the Applicant store or process sensitive information?
Knowing the total number of individuals whose sensitive data you store or process is vital for cyber risk assessment, as it helps insurers gauge potential risks in data protection. Take an accurate inventory of data storage to avoid underreporting, which could impact claim outcomes.

Indicate which of the following types of sensitive information the Applicant stores or processes:
Driver’s license, passport, SSN, Date of Birth, other state ID, or federal ID numbers
Financial account information (e.g., bank accounts)
Payment card information (e.g., credit or debit cards)
Protected health information (PHI)
Combinations of usernames or email addresses with passwords to online accounts

Categorizing the data you handle is essential for risk assessment. List only the data types your organization actually stores and processes, and check the list for omissions, since an oversight could amount to a non-disclosure that complicates claims.

Encryption & Data Security

Does the Applicant encrypt data stored and processed on databases and servers?
Encryption demonstrates your commitment to protecting sensitive information and is a key factor in cybersecurity and data protection. Many insurers look at encryption practices as a primary factor in reducing potential breaches, so providing a clear answer can aid in coverage evaluation.

Does the Applicant have written policies or governance frameworks in place that define requirements for storing, securing, and transferring sensitive personal and corporate information?
Documentation of these policies signals that your organization takes data governance seriously. Outline policies like access control, data handling, and secure transfer methods to show compliance with regulatory standards.

Compliance & Payment Processing

Has the Applicant confirmed compliance with HIPAA?
Has the Applicant confirmed compliance with the Payment Card Information Data Security Standard (PCI-DSS)?
What is the Applicant’s current PCI Compliance Level?
Does the Applicant fully outsource payment card processing?

Compliance with regulatory standards is crucial for both cybersecurity and insurance. If you handle health information or payment processing, HIPAA compliance and PCI-DSS compliance demonstrate adherence to best practices, potentially qualifying you for better cyber insurance coverage rates.

Financial Fraud

Does the Applicant have controls in place which require all fund and wire transfers over $25,000 to be authorized and verified by at least two employees prior to execution?
Does the Applicant conduct computer and network security training for all employees (such as training on phishing prevention)?

These questions focus on fraud prevention and employee training, both of which are important factors for minimizing cyber-related financial risks. Clearly outline your authorization procedures and any regular training initiatives.

Security Controls

Which of the following security controls are used by the Applicant?
Antivirus
Data Loss Prevention (DLP)
Intrusion Detection/Prevention System (IDS/IPS)
Multi-factor Authentication
Regular Penetration Tests

Does the Applicant have multi-factor authentication enabled on email access and remote network access?
Does the Applicant have multi-factor authentication enabled for accounts with administrative privilege?

Detailing your security controls gives insurers insight into your organization’s level of defense against threats. Multi-factor authentication (MFA) is often a required security feature, so be sure to note its use across systems and access points.

Backups & Recovery

Does the Applicant have procedures and tools in place to back up and restore sensitive data and critical systems?
Does the Applicant keep offline backups that are disconnected from its network or store backups with a cloud service provider?
Does the Applicant have a formal Business Continuity / Disaster Recovery Plan that has been tested in the last year?

Regular, tested backups show readiness in the face of a cyber event. Be specific about the type of backups you have, whether they are offline or cloud-based, and the frequency of testing your recovery plan.

Media

Does the Applicant post content under license from a third party (including copyrighted or trademarked materials or images) to its websites, social media accounts, or promotional materials?
Does the Applicant have a process in place that includes legal review of content prior to publishing on its websites, social media accounts, or other promotional materials?

Compliance with intellectual property laws and having legal review processes in place can mitigate risks related to media exposure. Insurers look at this as a measure to prevent costly lawsuits.

Loss History

In the last three (3) years, has the Applicant experienced any Cyber Event, Loss, or been the subject of any Claim made for a Wrongful Act that would fall within the scope of the Policy for which the Applicant is applying?
Is the Applicant aware of any fact, circumstance, situation, event, or Wrongful Act which reasonably could give rise to a Cyber Event, Loss, or a Claim being made against them that would fall within the scope of the Policy for which the Applicant is applying?

Disclosing past incidents and potential exposures is critical. Transparency here helps insurers evaluate your organization’s risk profile, allowing them to customize policies and avoid denied claims due to undisclosed issues.

Get Expert Help on Cyber Insurance Applications

At Crandall & Associates, our mission is to clarify the complexities of insurance purchasing with creative and cost-effective solutions. For more guidance on cyber insurance applications or to explore tailored cybersecurity insurance solutions, don’t hesitate to reach out. Our team is here to support you with expert advice and personalized strategies, and if you need help implementing some of these security measures, call Uprite.

Author: Crandall & Associates
