More and more companies are considering specialized cyber insurance policies to insure against cyber breaches.
Insurers offering such policies use their applications to understand the company's current cyber security protections and assess the risk of providing cyber insurance. Accordingly, the applications for cyber insurance can be highly technical and lengthy. The applications may inquire about your company's privacy policies, business practices, revenue, the number of sensitive files and the type of software and technology utilized by the company. As a result, navigating the application process can be difficult.
For example, you may find the following questions on a cyber insurance policy application:
- Do you have a designated Chief Security Officer or a Chief Privacy Officer?
- Do you regularly test or audit your network security?
- Do you have a firewall?
- Do you password-protect computers and other electronic devices?
- Do you require passwords be changed at given intervals?
- Do you have anti-virus software which you regularly update?
- Do you allow remote access to your network?
- Do you have a plan in place if your system becomes inoperable?
- Do you train your employees on cyber security?
- Do you have written policies and procedures that are distributed to your employees?
- What types of information does your company keep (credit card numbers, social security numbers, medical information, bank account information, etc.)?
- Does your company have a website?
- Does your website allow financial transactions?
- What is your loss and cyber breach history?
These questions require specific knowledge about the policies and protocols the company employs. If your company's current cyber security protocols are insufficient, the insurer may deny your application or charge higher premiums for the same coverage. Alternatively, if you purchase the policy and later have a cyber breach, triggering a claim under the policy, the insurer may scrutinize your application. Mistakes or misrepresentations on the application may result in a denial of coverage.
Beyond simple questions and responses on the applications, some insurers require warranty statements in which the company seeking insurance warrants or swears under oath that it has certain security measures in place. Be wary of signing such statements. If the company fails to ensure continued compliance (even inadvertently), the insurer may attempt to rescind or void the policy.
For these reasons, it is critical that you and your insurance broker work together, along with your company's security and information technology department, to fully and accurately complete the application for cyber insurance. In addition, it may be helpful to assess your company's cyber security strengths and weaknesses and implement a cyber security program prior to applying for cyber insurance to ensure insurability and obtain a good rate. A cyber security attorney can assist you with these risk assessments.