Cybercrime is big business. In 2023, global cybercrime is expected to inflict damages of $8 trillion, making the industry more profitable than the entire global illegal drug trade. The United Kingdom takes the unfortunate award for having the highest number of cybercrime victims per million internet users, with the United States next in line.
As cybercrime increases, so too does the need for cyber insurance. The increased risk and severity of cyberattacks has led more organizations to opt to place cyber coverage – up from 26% in 2016 to 47% in 2020. But opting to buy cyber coverage is not that simple. Insurers require policyholders seeking cyber coverage to disclose a large amount of information in the application process, and any misrepresentations in the application process – even if unintentional – may have severe consequences for the insured, depending on the nature of the misrepresentation and applicable law.
The application and underwriting process can be lengthy and is a team effort
Organizations seeking cyber coverage should be prepared to engage in a lengthy, highly detailed application process. The risks are quickly evolving, and insurers have adapted by asking large numbers of questions to attempt to evaluate and price the risk.
To start with, insurers have been increasingly engaged in heightened underwriting practices. No one person in any organization is likely to be able to provide all the information necessary to complete an application for cyber coverage. Accurately completing an application is likely to require input from an organization’s information security, risk management, finance, operations, legal, marketing and human resources departments.
In addition to the lengthy general application for cyber coverage, certain insurers may have specific applications for companies operating in specific industries, particularly those that are considered “attractive targets” for cybercrime, such as infrastructure, law firms, health care providers and financial institutions. These industries generally hold very valuable data, which makes them more likely to be targeted for ransomware and other types of cyberattacks. Then, if an insured seeks additional coverage or features that may be offered by the insurer, it may need to complete supplemental questionnaires and addendums, all of which likewise seek detailed information, require input from multiple stakeholders and take significant time to complete.
This process should begin well in advance of the anticipated policy inception or renewal date, and all departments must work collaboratively to obtain accurate and detailed information in response to the insurer’s requests to secure the best available policy.
Insurers request a lot of underwriting information
An application for cyber coverage will seek basic computer and network security and privacy information. The application will likely ask the applicant to identify the person or persons responsible for information security and whether the applicant has a secondary computer system or disaster recovery plan. The insurer will also want to know whether the applicant has up-to-date, active firewall technology, multi-factor login for privileged access, remote access limited to VPN, intrusion detection software, protocols in place for timely updating or patching of enterprise software and a procedure to test or audit network security controls. The applicant must also disclose basic information security, such as the types of data it maintains as part of its business activities (e.g., credit card data, bank accounts and records and social security numbers).
Because cyber criminals often exploit human error, information about personnel policies, procedures, security training and vendor management is critical for the insurer to underwrite the policy. Common questions from insurers are whether a company trains employees to spot phishing attempts or other attempted attacks at regular intervals and whether the company uses software in the cloud, such as Office 365. They also typically request lists of the company’s critical IT vendors.
Insurers may also seek technical information regarding the company’s assets (web applications, end user systems and critical Internet of Things devices), hosting, email, domain name, network management, content network delivery, financial systems and security services. Among other things, insurers will ask whether the company performs regular backups that are stored offsite, whether the company uses endpoint protection in its network and what steps the company takes to prevent data breaches or ransomware attacks.
Insurers’ requests for information are also industry-specific. For example, because health care companies maintain large amounts of protected health care information, insurers will seek detailed information regarding the number and location of health records, which personnel have access to them and what security measures are in place to prevent exposure.
Although insurers seek all of this information, it is important to remember that no two companies are alike, and no company applying for or renewing coverage is expected to be perfect. Just because the application asks whether the company is engaged in a certain preferred practice does not mean that the company must respond “yes” to receive coverage. Unfortunately, cyber criminals can be very sophisticated, and companies with the best security and privacy controls sometimes fall victim to cyberattacks.
Policyholders may also need to demonstrate compliance with applicable laws and regulations
Insurers generally do not require a policyholder to show compliance with certain laws or regulations as a pre-requisite to coverage or as a general warranty. However, there may be circumstances where an insurer will inquire into the insured’s compliance programs when the coverage the insured is seeking covers risks specific to certain regulations.
For instance, if the policyholder seeks insurance to cover General Data Protection Regulation (GDPR) risk, an insurer may want to know about the policyholder’s GDPR processes and policies and whether the company has a data protection officer. Similarly, depending on the information a company maintains, an insurer may also ask whether the company complies with the Payment Card Industry Data Security Standard or whether it is HIPAA compliant.
Cyber coverage application materials are highly scrutinized
We previously wrote about the importance of a thorough and accurate cyber insurance application. This is especially important because insurers often have the benefit of a forensic investigator’s technical report after a loss to compare against an insured’s application for any deficiencies. Any misstep in the application process, even if unintentional, may be detrimental to the insured during the adjustment process.
Even when the best-laid plans go awry, with careful planning that starts during the application process, insureds should be in the best position to obtain the full benefit of their coverage.
