How to Buy Coverage against Data Breach
Submitted by Mark T Reilly CPCU, CIC, CRM,
Every business should be looking to protect against one of the fastest growing exposure to loss and that is loos from Cyber types of incidents. That can be from you breaching personal information of employees or clients, to infecting a customer’s computers from an attack traced back to you to loss from social media and blogging, just to name a few. But this is a very new area and the policies on the market are not very uniform. SO saying you have coverage may be a false sense of security. So what should you do to prepare yourself to purchase or review your current protection? Every insurance policy starts with an application, and cyber liability insurance is no different. While the underwriting process in long-established insurance lines is streamlined, this is not the case for cyber liability insurance. Currently, application forms for cyber insurance are not standard and can be complex—often consisting of dozens of pages.
What Type of Information is usually asked for?
An underwriter’s job is to assess risk and determine limits and pricing. Insurers depend on the detail contained in an organization’s application, and any vagueness or incorrect information can create issues if and when you file a claim. In order to properly determine your organization’s cyber risks, insurers will review information related to the following:
• The basics. Insurers will want to know what industry your organization operates in, as well as how much and what types of information your organization stores, processes and transmits. In addition, underwriters will look to see how you manage data security and who is in charge of overseeing cyber-related matters.
• Information security. When it comes to on-site security, underwriters want to know if you have a formal program in place to test and audit security controls. In addition, underwriters typically look to see if you have basic controls in place, including firewall technology, anti-virus software and intrusion detection software.
• Breach history. During the application process, underwriters will take a closer look at your breach history. In general, they want to know if the data you house is particularly vulnerable and how effective your data security techniques are.
• Data backup. Knowing how your organization handles data backup helps insurers better understand your level of data loss risk. Underwriters will want to know if you back up all of your valuable data on a regular basis, if you utilize a redundant network and if you have a disaster recovery plan in place.
• Company policies and procedures. Communication is important when it comes to reducing your organization’s cyber risk. That’s why, during the underwriting process, insurers want to know what types of cyber security and incident response policies you have in place. In addition, it’s likely you will be asked how you handle password updates, the use of personal devices and revoking network access to former employees.
• Compliance with legal and industry standards. Failing to comply with cyber-related legislation can be incredibly costly, and insurers will want to know how you handle compliance. Specifically, they will review whether you are compliant with applicable regulatory frameworks, are a member of any outside security or privacy groups, or utilize out-of-date software and hardware.
The more detailed and specific an organization can be during an initial underwriter review, the more likely it is that the organization will receive the proper amount of coverage and with competitive pricing and terms.
Tips for Applying
For cyber coverage to be effective, it requires a significant due diligence on the part of prospective policyholders. To get the most out of your policy, you will want to consider the following best practices when applying for cyber insurance:
1. Gather accurate data. Before the application process, it’s critical to speak with your information technology (IT) management team and/or any vendors you utilize in order to collect accurate data. It’s important to quantify the data on your network. Above all, get a solid estimate on how much personally identifiable information you have, including employee data.
2. Be honest. To complete the application process properly and get the best possible policy, honesty is important. When working with your insurer, be clear about your organizational setup, security protocols and breach history. Not only will this help in securing adequate coverage, but it will also reduce the risk of your policy being voided if carriers find out you were dishonest during the underwriting process.
3. Don’t wait. Even if your organization hasn’t taken the appropriate steps to reduce its cyber risk, going through the cyber insurance application process can help identify exposures. Your insurer can work with you to get the best coverage possible today, leaving room to negotiate down the line when your data security methods are stronger.
4. Involve the right people. The application process for cyber insurance can be complicated, and it’s important to have key personnel help you. In order to complete a cyber liability insurance application, an organization may need to work with their risk managers, IT professionals, HR department, financial officers, board of directors, executives, privacy officers, marketing team and legal professionals. Regardless of the size of your operation it is important to include all of these viewpoints even if you wear several of these hats.
5. Work with experienced brokers. Because cyber insurance is relatively new, some brokers are more experienced in the underwriting process than others. To get the most out of your policy, work with a carrier who can accurately assess your exposures and offer your organization the best protection. More experienced brokers can even provide details on how similar companies in your industry handle cyber security.
Taking all the above into account will not only prepare you for the cyber insurance underwriting process, but it can also improve data security up front.
Don’t Go in Unprepared
The application process for cyber insurance is both detailed and exhaustive. However, taking the proper steps before the application process for cyber insurance should reduce your data breach risk, making your organization more attractive to insurers and reducing your insurance costs overall. When applying for cyber insurance, be sure to carefully review policy terms, premiums and underwriting programs. Doing so can put you in a better position to secure the right coverage.
Mark T Reilly CPCU, CIC, CRM, has almost 40 years’ experience as an insurance underwriter, agent, instructor and expert witness. If you have any questions you can reach Mark at mark@ inbuzzgroup.com