In 2014, major data breaches were reported at retailers, restaurants, online marketplaces, software companies, financial institutions and a government agency, among others. According to the nonprofit Privacy Rights Clearinghouse, 567 million records have been compromised since 2006. Companies with data at risk should consider purchasing so-called cybersecurity insurance to help them weather storms created by assaults on their information infrastructure. A company’s insurance broker and insurance lawyer can be of significant help in procuring insurance that meets a company’s need.
As an additional benefit, preparation for the cybersecurity insurance underwriting process itself likely will decrease the risk of a debilitating cyber incident. The underwriting process for cybersecurity insurance is focused on the system that a company employs to protect its sensitive data, and can be detailed and exhaustive. Like other insurance carriers, cybersecurity insurance carriers use the underwriting process to investigate prospective policyholders and ascertain the risks the carriers are being asked to insure. Before applying for cybersecurity insurance, companies should perform due diligence on their information systems and correct as many potential risks as possible before entering the underwriting process.
Applicants for cybersecurity insurance may expect to answer questions about prior data breaches, information-technology vendors, antivirus and security protocols, and the species of data in their custody. Carriers might also ask about “continuity plans” for the business, the company’s security or privacy policies, whether those policies are the product of competent legal advice, whether the company’s networks can be accessed remotely and, if so, what security measures are in place. The investigation might even extend to a company’s employment practices, such as password maintenance and whether departing employees’ network access is cancelled prior to termination. If a company has custody of private health information, carriers might delve into a company’s compliance with the Health Insurance Portability and Accountability Act of 1996. Anything that makes a company more or less at risk for a data breach is fair game in the cybersecurity underwriting process.
Due diligence and corrective action prior to approaching an insurance company should yield three related results. First, it should reduce the company’s risk of a data breach. Because the insurance carriers are focused on what makes a company a larger or smaller risk to underwrite, companies can use carriers’ underwriting questions as a roadmap to improving the security of their information-technology systems. Second, it should make the company more attractive to the prospective insurance company. Insurance companies obviously prefer policyholders that do not present substantial risk of claims. A company’s ability to present its systems as safe and secure will give a carrier a greater degree of comfort in reviewing and approving the application for insurance. Finally, it should reduce the company’s premium for cybersecurity insurance. Premium rates have a simple, direct relationship with risk. As a policyholder’s risk profile increases, so too does the premium. Shoring up gaps in a company’s security profile therefore should pay dividends in lower insurance costs.
Companies with sensitive data in their care should investigate options for cybersecurity insurance. In addition to scrutinizing policy terms and premiums, companies should examine carriers’ underwriting programs. Attention to those programs puts companies in a better position to secure effective cybersecurity insurance and gives companies tools to better protect themselves from data breaches.