[BreachExchange] What to expect: the cyber liability insurance application process

Audrey McNeil audrey at riskbasedsecurity.com
Tue Sep 26 19:12:32 EDT 2017


http://www.propertycasualty360.com/2017/09/26/what-to-expect-the-cyber-liability-insurance-appli?t=cybersecurity?ref=featured-topics

These days, cyberattacks are happening at a dizzying pace, with each breach
more expansive than the last. As a result, more company leaders are seeking
out cyber liability insurance, fueled either by client mandate or by their
own realization that these threats are never going away.

Cyber crime is a much different risk, with a different and often more
complicated remediation path than other business risks. It follows that the
application process for cyber liability coverage is unique.

The application forms aren’t standardized, and they can vary in length from
a few pages to more than a dozen, depending on the carrier. However,
regardless of what the application looks like, most insurers assess risk by
seeking out information in these three key areas: people, process and
technology/data.

Let’s take a look at each.

People

The "people" part of the application delves into your organizational
structure around security. Carriers want to know who in your organization
is responsible for responding to a breach, how developed is the information
security team, are regulatory or compliance frameworks used, and how often
do you train your employees on evolving IT threats to your business.
Carriers will also want to know who your vendor providers are, from
Internet service to software technologies to credit card processors.

Process

The "process" part of the application digs into your Internet services;
your process for actively managing your network including software,
hardware, updates/patches, user account management, etc.; whether
vulnerability assessments and remediation steps are done to mitigate
critical vulnerabilities; and whether third-party vendor relationships are
audited periodically to maintain data security. The carrier is trying to
determine how secure your network and IT processes are, regardless of
whether you’re handling these internally or through an outsourced provider.

Data technology

This part of the application asks for the details of your software, as well
as the types of records you retain, including:

- Payment card information
- Personal health information, i.e., HIPAA-protected data
- Employee benefits
- And any other Personally Identifiable Information (PII) that could be
monetized by cyber criminals

In addition, carriers will want to know how long you archive this
information on your systems.

All of this data is used to determine risk.

Accuracy is everything

So, it’s critical that you spend some time gathering the most accurate data
you can for a cyber insurance policy application.

If you use an outsourced vendor for your IT management, ask that provider
to quantify the data on your networks. Talk to your accounts receivable
department to gather the average number of payments coming in each month,
and how many of these are made by credit card. Get a solid estimate on how
much PII you have, including employee data.

Quantifying the data exposure on your network can be daunting. Guessing can
leave your company underinsured or over-insured, either of which can have
dire financial consequences.

It’s important to note that cyber liability insurance is one of those
coverages that’s underwritten to each individual organization. Every
company network, internal team and IT infrastructure are different, and the
appropriate carrier and limits will be as individual as the company.

If you’re concerned about costs, there are options to bring the price down
without sacrificing coverage. For example, if your company needs $6 million
in coverage, you can get a quote from one carrier who will, for a price,
take on all the risk. However, some carriers won’t assume all the risk.
Your broker can write the first $3 million of coverage of that policy with
a carrier on a primary basis and the second $3 million as an “excess”
policy with another carrier. Typically, excess coverage comes at a lower
cost than primary, as these carriers only take on risk after the primary
limitations are exhausted. You can potentially save money without
increasing exposure. Excess policies are often “follow form” in that they
follow the primary carriers’ forms, saving you from completing a second
application as well.

Honesty is (and will get you) the best policy

Whatever you do, be honest about your organizational setup, your security
protocols and when you’re asked whether or not your company has experienced
a breach before.

If you don’t disclose a prior attack and you have another breach, forensics
will uncover that prior breach and any correspondence shared about it. In
addition to nullifying your coverage, you could have a directors & officers
claim on your hands.

If you have had an incident, whether you had insurance at the time or not,
paint a clear picture of what happened. Then, explain what you did to
resolve it, and how you’ve improved processes to guard against a breach of
that type ever happening again. Carriers will reward you if you’ve taken
action to reduce your risk.

Never put off what you should do today

But, what about middle market companies, with one-person IT departments and
no breach recovery plan in place? Do they need to defer until they’re less
of a risk?

I recommend that these companies go through the cyber liability application
process to see where those vulnerabilities lie, then start an internal
remediation process. Delve into worst-case scenarios — what would happen if
you lost your ecommerce site for a day or a week, if you couldn’t dispatch
personnel or if your manufacturing operation came to a standstill? That
exercise helps you identify the most mission-critical areas of your
company, so you know where a breach would have the greatest impact.

Your broker could work with one or two carriers to get you the coverage you
can get right now. Then, next year, when your processes are stronger, he or
she can shop the coverage to multiple carriers, with the leverage to
negotiate better rates.

Remember these do’s and don’ts

Although it may seem daunting at first, securing the right cyber liability
coverage is well worth the effort. The coverage is a conduit to services
you’ll desperately need if the unthinkable happens. Just keep these guiding
principles top of mind:

- Do work with an experienced broker who can walk you through the process.
- Do involve the right people from finance, IT, accounts payable and your
managed service provider (if you use one) in the application process.
- Don’t guess on numbers or other application data, or you won’t get
adequate coverage.
- Do be honest about prior breaches, as these will be exposed during
forensics if another breach occurs — and nullify your policy, often without
a premium refund.
- Do know you have options to reduce cost for the same coverage, like
dividing the risk between a primary and excess carrier.
- Do use the application process to recognize vulnerabilities in your
organization’s security, and make the appropriate changes.

In today’s world, cyber breaches are, unfortunately, facts of business
life. By devoting the time and research to the cyber liability insurance
application process, you can get the coverage you need to protect your
business and the information you need to strengthen your security protocol
going forward.