Cyber insurance is gaining in popularity as a way to protect companies from losses caused by cyber attacks. Whether it’s a small business securing IT equipment or an enterprise protecting sensitive data, cyber insurance gives businesses an extra layer of protection. Traditional liability/property insurance typically doesn’t cover the majority of losses from a cyber attack. There are several different ways to obtain cyber insurance, and the level of coverage varies based on the policy. We’ll break down some of the questions you’ll want to answer when looking for information about cyber insurance.
Just like any other insurance application, your cyber insurance underwriter will want to know some general information about your business, also known as the Named Insured. When completing this information, it’s important to put the official business name as stated in your incorporation documents to ensure proper coverage.
Additionally, have the following information prepared:
- Complete list of website domains
- The physical address of your business
- Business industry (finance, SaaS, etc.)
- Number of employees
- Revenue expected over the next 12 months
- Gross profit/net revenue expected over the next 12 months
  - Revenue x profit margin = Gross profit/net revenue
  - Example: $500,000 x 40% = $200,000
The liability section of your cyber insurance application is designed to let the underwriter know of your immediate risk level. Your cyber insurance underwriter will want to know everything about your cyber history, including any previous cyber losses or events.
While the wording may vary, your cyber insurance underwriter is likely to ask a version of the following questions:
- Within the last 3 years has Named Insured suffered any cyber incidents resulting in a claim in excess of $25,000?
- Is Named Insured aware of any circumstances that could give rise to a claim under this insurance policy?
- Does Named Insured implement encryption on laptop computers, desktop computers, and other portable media devices?
- Does Named Insured collect, process, store, transmit, or have access to any Payment Card Information (PCI), Personally Identifiable Information (PII), or Protected Health Information (PHI) other than that of employees of Named Insured?
- Does Named Insured maintain at least weekly backups of all sensitive or otherwise critical data and all critical business systems offline or on a separate network?
- Does Named Insured require a secondary means of communication to validate the authenticity of funds transfers (ACH, wire, etc.) requests before processing a request in excess of $25,000?
- Within the last 3 years has Named Insured been subject to any complaints concerning the content of its website, advertising materials, social media, or other publications?
- Does Named Insured enforce procedures to remove content (including third-party content) that may infringe or violate any intellectual property or privacy right?
In short, the liability section of your cyber insurance application informs your underwriter of your cyber history, the types of data your business collects, whose data you’re obligated to protect, and what risks you take with that data.
Technology E&O surplus lines
Technology errors & omissions (E&O) is an optional add-on available from many cyber insurance providers. Errors & omissions coverage is typically required of professional service providers that hold licenses or bonds to perform particular services or sell specific products. Technology E&O insurance takes the liability inquiry a step further. If you’re interested in technology E&O insurance, your underwriter will likely ask a version of the following questions:
- How does your company use technology to deliver its products/services?
- Within the last 3 years has Named Insured been subject to a dispute or claim arising out of a technology error or omission in excess of $25,000?
- Is Named Insured operating as a managed service provider (MSP), or does Named Insured participate directly in or sell technology products/services designed for any of the following industries? (Cryptocurrency, cannabis, Internet of Things (IoT), financial services, healthcare, blockchain, automotive, aviation, military/defense, gambling, payment process, adult entertainment, Point of Sale (PoS) software/hardware/reseller, professional licensed services)
- How often are Named Insured’s services provided by written agreement or contract?
- What mitigating clauses or methods contained within the Named Insured’s agreements or contracts identify standard risk mitigation? (Examples include: customer acceptance/final sign-off, disclaimer of warranties, hold harmless agreements, limitation of liability, exclusion of consequential damages, indemnification clause, binding mandatory arbitration, and project phases/milestones)
Hopefully, this article has been informative and given you the tips and tricks you’ll need to apply for cyber insurance of your own. Understanding the underwriting process is key to getting the best policy possible. If you’re in the market for cyber insurance, make sure to apply at a reputable insurer that will take your needs into account. If you apply with an insurer that specializes in cyber coverage, they may be able to maximize your potential coverage and ensure that you are protected against all potential damages.