Ok, so you have read my first post about cyber insurance, and you have determined that you need it.
What do you need to know before you call your insurance agent?
Over the past ten years or so, the insurance questionnaire has gotten longer and longer, with more and more detailed questions about the data you keep and the controls you have in place to protect that data.
If you have a good security program in place, then answering the questions won’t be hard. If you have a program in place but you have gaps, you need to know what those are before making that phone call.
If you have no program in place, you might not qualify for insurance at all.
What do you need to know first?
Here are some general guidelines for what you should review before you call your agent.
Start with your information security risk. These questions are similar to what your car insurance agent asks to gauge how risky you are to insure, questions like: How old are you? Are you married? Have you had any accidents recently? What kind of car do you drive?
For cyber insurance the questions are more like these:
Q. Do you or your company collect, store, process, or transmit protected or sensitive data, like credit cards, Protected Health Information (PHI), or social security numbers?
If you answer yes to this question, you will have regulatory requirements to maintain, process, collect, store or transmit this data. Those requirements help provide guidance on the controls you need to have in place.
Then you will have to check boxes to qualify the kinds of data in your control.
Next, you’ll be asked how many records with protected or sensitive data you have or process or transmit: 100? 1000? 10,000? 100,000? More?
You will also have to share how many unique individuals you collect protected or sensitive data for. Notice this is similar to the preceding question but is not the same.
Q. Is your company subject to any specific regulation, like GDPR, HIPAA, FERPA, SOX, GLBA, CCPA, PDPA, PCI-DSS?
If you answer yes to this question, you will have guides or requirements you need to follow to be compliant with these regulations. You might not know that you have requirements, but you do, so get the appropriate guide(s) that will help you follow those regulations.
In this vein, are there any industry security frameworks that you have to follow, like NIST or COBIT?
Q. Do you allow your employees to use portable devices to work on your data, like laptops or their own devices?
Portable devices are really nice, but they involve additional risk. Most of the risk is related to loss of data, either by physically losing the device (i.e., data loss) or having data on the device compromised or stolen (other people use the laptop and accidentally infect the machine or copy or delete sensitive data).
Q. Do your vendors or third-party contractors have access to your computer systems?
If you grant third parties’ access to your computer systems and data, do you know what kind of security controls they have in place?
Could they be infected with malware that then infects your computers? Would you know if that happened?
Do you audit your third-party vendors or suppliers?
Q. Do you have a formal information security program?
Do you have any information security policies?
Do you have a person or role that is responsible for information security at your company or organization?
What is the budget for your information security program?
In addition to those questions about your information security program, be prepared for detailed questions about your network and system configuration, such as:
Do you have a firewall? Who is the vendor, and do you keep it updated?
Do you have antivirus software on your servers and workstations? Do you keep it updated?
Do you have a network Intrusion Protection System (IPS) or Intrusion Detection System (IDS)? Do you keep it updated?
Do you have an anti-spam device to block phishing e-mails?
Do you require Multi-Factor Authentication for network and e-mail access?
Do you require complex passwords?
Do you require passwords to expire?
Do you have policies and procedures for network access, account creation, and acceptable use policies?
What else do the insurance companies want to know?
Because you likely do not operate in a technological silo, you will have to answer questions about any cloud service providers you use for your business.
Does your cloud service provider have a security program?
Do they audit their security program with a third party?
Can they provide a SOC type 2 report?
Can they meet your security requirements (like GDPR, SOX, HIPAA, FERPA, etc.)?
Sometimes the insurance questionnaire will ask about the contracts you have with your customers, looking for information like:
Do you use contracts with your customers?
Do your customer contracts have “hold harmless” clauses?
Do your customer contracts get reviewed by your legal team?
There can be additional questions depending on your industry, but these are the kinds of questions you should prepare to answer when you start looking for Cyber Insurance. In my next blog post I’ll show you how to get prepared if you have gaps or do not have a security program in place.