What are the requirements for cyber insurance?
Here in the New Mexico, Southern Colorado, and Orange County areas, Kosh is getting asked more and more about the requirements for companies to get cyber insurance. Our customers lean on our expertise to work with them and their insurance broker to help align their technology with the cyber insurance policy.
In general, cyber insurance companies want to know about the physical, electronic, and administrative safeguards you have in place to protect your data, systems, and customers. Cyber insurance providers may require an audit of your IT environment to verify your claims, which is where an IT professional and insurance broker can help.
There are many variables when it comes to cyber liability insurance coverage, so please use this information as an overview of the topic, not as hard and fast rules. Your situation will be unique and will need to be addressed by an IT professional and your insurance provider. Below is the list of questions we have seen insurance companies ask on cyber insurance applications. Keep in mind that you don’t have to have everything listed here in place to get coverage. With this list of questions, you should be able to see if your company is ready to apply for cyber liability insurance or identify areas that need remediation.
Don't get too hung up on getting your company to meet all these requirements. Nickie Tran of IQ Risk Insurance Services says the best way to get started is to fill out a cyber liability application. It's a great starting point to determine your needs and the current state of your technology.
1) Cyber Security Management
This is the high-level view of your cyber defenses. Questions about cyber security management are all about your company’s planning and documentation sophistication.
Examples of cyber security management you should have:
Security risk assessment
Written security policies
Incident response plan
Employee cyber security training
Restriction of sensitive information based on role
Cyber security officer
What might some of these questions look like on an insurance form?
Here is how Travelers Insurance phrases the question regarding a cyber security officer:
What position is responsible for information security? (e.g.: Chief Security Officer)
To what position within the organization does this person report?
2) Contingency Management for Cyber Insurance
This section is about what you have in place should an incident occur. The insurer is looking to see if you are prepared if you get breached. Having these pieces in place will also position your company to bounce back much faster from a cyber-attack.
Examples of contingency management you should have in place are:
Documented disaster recovery plan
Documented data backup procedures
Redundancies for all critical systems
Warranty coverage for all hardware
Support contracts for all critical systems
While you may not have all of these in place, it’s a good idea to get them on your radar because they will be on the cyber insurer’s list.
Here’s how these questions look on the Travelers Cyber Insurance form:
With respect to computer systems, does the Applicant have (select all that apply):
Secondary/backup computer system
Business continuity plan
Disaster recovery plan
Incident response plan for network intrusions and virus incidents
3) Information Records for Cyber Insurance
This section asks about the type of information you collect and store. Cyber insurance providers care about this because, in the event of a breach, you may be hit with fines from government entities (think HIPAA violations!) and/or lawsuits from third parties that have claims stemming from your breach. In the current business environment, virtually all businesses collect sensitive data, so you need to take action to protect that data.
Examples of information records:
Do you store, collect, host, process, control, use, or share any private or sensitive information?
Have you reviewed the policies concerning storing and collecting such information?
Do you process, store, or handle credit card information?
How Information Records questions look on the Travelers Cyber Insurance form:
Which of the following types of data does the Applicant collect, receive, process, transmit, or maintain as part of its business activities?
Credit/Debit Card Data
Social Security Numbers