What are the requirements for cyber insurance?
Here in the New Mexico, Southern Colorado, and Orange County areas, Kosh is getting asked more and more about the requirements for companies to get cyber insurance. Our customers lean on our expertise to work with them and their insurance broker to help align their technology with the cyber insurance policy.
In general, cyber insurance companies want to know about the physical, electronic, and administrative safeguards you have in place to protect your data, systems, and customers. Cyber insurance providers may require an audit of your IT environment to verify your claims, which is where an IT professional and insurance broker can help.
There are many variables when it comes to cyber liability insurance coverage so, please use this information as an overview of the topic, not as any hard and fast rules. Your situation will be unique and will need to be addressed by an IT professional and your insurance provider. Below we show you the list of questions we have seen insurance companies asking when applying for cyber insurance. Keep in mind, that you don’t have to have everything listed here in place to get coverage. With this list of questions, you should be able to see if your company is ready to apply for cyber liability insurance or identify areas that need remediation.
Don't get too hung up on getting your company to meet all these requirements. Nickie Tran of IQ Risk Insurance Services says the best way to get started is to fill out a cyber liability application. It's a great starting point to determine your needs and the current state of your technology.
To get Kosh Solutions’ printable PDF checklist for cyber security insurance emailed to you, enter your info here:
1) Cyber Security Management
This is the high-level view of your cyber defenses. Questions about cyber security management are all about your company’s planning and documentation sophistication.
Examples of cyber security management you should have:
Security risk assessment
Written security policies
Incident response plan
Employee cyber security training
Restriction of sensitive information based on role
Cyber security officer
What might some of these questions look like on an insurance form?
Here is how Travelers Insurance phrases the question regarding a cyber security officer:
What position is responsible for information security? (e.g.: Chief Security Officer)
To what position within the organization does this person report?
2) Contingency Management for Cyber Insurance
This section is about what you have in place should an incident occur. The insurer is looking to see if you are prepared if you get breached. Having these pieces in place will also position your company to bounce back much faster from a cyber-attack.
Examples of contingency management you should have in place are:
Documented disaster recovery plan
Documented data backup procedures
Redundancies for all critical systems
Warranty coverage for all hardware
Support contracts for all critical systems
While you may not have all of these in place, it’s a good idea to get them on your radar because they will be on the cyber insurer’s list.
Here’s how these questions look on the Travelers Cyber Insurance form:
With respect to computer systems, does the Applicant have (select all that apply):
Secondary/backup computer system
Business continuity plan
Disaster recovery plan
Incident response plan for network intrusions and virus incidents
3) Information Records for Cyber Insurance
This section is asking about the type of information you collect and store. Cyber insurance providers care about this because in the event of a breach you may be hit with fines from government entities (think HIPPA violations!) and/or lawsuits from third parties that have claims stemming from your breach. In the current business environment, virtually all businesses collect sensitive data, so you need to take action to protect that data.
Examples of information records:
Do you store, collect, host, process, control, use, or share any private or sensitive information?
Have you reviewed the policies concerning storing and collecting such information?
Do you process, store, or handle credit card information?
How Information Records questions look on the Travelers Cyber Insurance form:
Which of the following types of data does the Applicant collect, receive, process, transmit, or maintain as part of its business activities?
Credit/Debit Card Data
Social Security Numbers
Bank Accounts and Records
Intellectual Property of Others
What is the maximum number of unique individuals for whom you collect, store, or process any amount of personal information?
If applicable, is Applicant currently compliant with Payment Card Industry Data Security Standards (PCI-DSS)?
Total number of annual credit card transactions:
If applicable, is Applicant currently HIPAA compliant?
Does the Applicant encrypt private or sensitive information (if Yes, select all that apply):
Data at rest
Data in transit
Data on mobile devices
4) Information and Infrastructure Security Controls
This section is about all the ways you are mitigating risk throughout your organization - in particular, from human error.
Examples of information and infrastructure security controls
All systems and devices are fully patched and on the most up-to-date versions
Antivirus on all servers, workstations, and endpoints
MFA is used to secure remote access and applications
The dark web is scanned regularly
Is email encrypted
How these questions look on the Travelers Cyber Insurance form:
Which of the following does the Applicant currently have in place (select all that apply):
Up-to-date, active firewall technology
Patch management procedures
Multi-Factor login for privileged access
Remote access limited to VPN
Updated anti-virus software active on all computers and networks
Intrusion detection software
Valuable/Sensitive Data Backup procedures
Procedure to test or audit network security controls
5) Information and Infrastructure Continuity Controls
This section is about the ways you are prepared to get your system back up and running during (or shortly after) an attack.
Examples of information and infrastructure continuity controls
Do all servers use an uninterruptible power supply?
The estimated amount of time it would take to restore essential functions?
Are backups encrypted?
Are backups kept separate from your network (air-gapped)?
Have you tested a successful restoration from backups in the last 6 months?
There’s a lot of information here and it can be a bit daunting to go through. To get your free PDF version of the checklist enter your email below (it’s easier to read and more complete!).
Remember, the key people who should help you answer these questions are your IT service provider and your insurance broker. Nickie Tran, President of IQ Risk Insurance Services, says, “the coverage modules of cyber insurance are standardized but we tailor the policies and coverage options to the individual needs of our clients.”
Also, your company doesn’t have to have all these components in place to receive coverage. Each insurance company will have its own list of requirements so be sure to work with your insurance broker to get the exact list you will be working with.
The information contained in this communication is intended for limited use for informational purposes only. It is not considered professional advice, and instead, is general information that may or may not apply to specific situations. Each case is unique and should be evaluated on its own by a professional qualified to provide advice specifically intended to protect your individual situation. Kosh is not liable for improper use of this information.