OK, so you have read my first post about cyber insurance and have determined that you need it.
What do you need to know before you call your insurance agent?
Over the past ten years or so, the insurance questionnaire has gotten longer and longer, with more and more detailed questions about the data you keep and the controls you have in place to protect that data.
If you have a good security program in place, then answering the questions won’t be hard. If you have a program in place but you have gaps, you need to know what those are before making that phone call.
If you have no program in place, you might not qualify for insurance at all.
Here are some general guidelines for what you should review before you call your agent.
Start with your information security risk. These questions are similar to the ones a car insurance agent asks to gauge how risky you are to insure: How old are you? Are you married? Have you had any accidents recently? What kind of car do you drive?
For cyber insurance the questions are more like these:
Q. Do you or your company collect, store, process, or transmit protected or sensitive data, like credit card numbers, Protected Health Information (PHI), or Social Security numbers?
Q. Is your company subject to any specific regulation, like GDPR, HIPAA, FERPA, SOX, GLBA, CCPA, PDPA, PCI-DSS?
Q. Do you allow your employees to use portable devices to work on your data, like laptops or their own devices?
Q. Do your vendors or third-party contractors have access to your computer systems?
Q. Do you have a formal information security program?
In addition to those questions about your information security program, be prepared for detailed questions about your network and system configuration, such as:
Because you likely do not operate in a technological silo, you will have to answer questions about any cloud service providers you use for your business.
Sometimes the insurance questionnaire will ask about the contracts you have with your customers, looking for information like:
There can be additional questions depending on your industry, but these are the kinds of questions you should be prepared to answer when you start looking for cyber insurance. In my next blog post I’ll show you how to get prepared if you have gaps or do not have a security program in place.
John Bruggeman’s Cyber Insurance series:
Part 1: What is Cyber Insurance and do I need it?
Part 3: Filling out the questionnaire