These days, cyberattacks are happening at a dizzying pace, with each breach more expansive than the last. As a result, more company leaders are seeking out cyber liability insurance, fueled either by client mandate or by their own realization that these threats are never going away.

Cyber crime is a much different risk, with a different and often more complicated remediation path than other business risks. It follows that the application process for cyber liability coverage is unique.

The application forms aren't standardized, and they can vary in length from a few pages to more than a dozen, depending on the carrier. However, regardless of what the application looks like, most insurers assess risk by seeking out information in these three key areas: people, process and technology/data.

Let's take a look at each.

People

The "people" part of the application delves into your organizational structure around security. Carriers want to know who in your organization is responsible for responding to a breach, how developed the information security team is, whether regulatory or compliance frameworks are used, and how often you train your employees on evolving IT threats to your business. Carriers will also want to know who your vendor providers are, from Internet service to software technologies to credit card processors.

Process

The "process" part of the application digs into your Internet services; your process for actively managing your network including software, hardware, updates/patches, user account management, etc.; whether vulnerability assessments and remediation steps are done to mitigate critical vulnerabilities; and whether third-party vendor relationships are audited periodically to maintain data security. The carrier is trying to determine how secure your network and IT processes are, regardless of whether you're handling these internally or through an outsourced provider.

Data technology

This part of the application asks for the details of your software, as well as the types of records you retain, including:

  • Payment card information
  • Personal health information, i.e., HIPAA-protected data
  • Employee benefits
  • And any other Personally Identifiable Information (PII) that could be monetized by cyber criminals

In addition, carriers will want to know how long you archive this information on your systems.

All of this data is used to determine risk.

While it may seem like they're asking a lot, cyber liability carriers need quantifiable numbers to accurately quote a policy price and to assess limits.

Accuracy is everything

So, it's critical that you spend some time gathering the most accurate data you can for a cyber insurance policy application.

If you use an outsourced vendor for your IT management, ask that provider to quantify the data on your networks. Talk to your accounts receivable department to gather the average number of payments coming in each month, and how many of these are made by credit card. Get a solid estimate on how much PII you have, including employee data.

Quantifying the data exposure on your network can be daunting. Guessing can leave your company underinsured or over-insured, either of which can have dire financial consequences.

It's important to note that cyber liability insurance is one of those coverages that's underwritten to each individual organization. Every company network, internal team and IT infrastructure is different, and the appropriate carrier and limits will be as individual as the company.

If you're concerned about costs, there are options to bring the price down without sacrificing coverage. For example, if your company needs $6 million in coverage, you can get a quote from one carrier who will, for a price, take on all the risk. However, some carriers won't assume all the risk. Your broker can write the first $3 million of coverage of that policy with a carrier on a primary basis and the second $3 million as an "excess" policy with another carrier. Typically, excess coverage comes at a lower cost than primary, as these carriers only take on risk after the primary limitations are exhausted. You can potentially save money without increasing exposure. Excess policies are often "follow form" in that they follow the primary carriers' forms, saving you from completing a second application as well.

Honesty is (and will get you) the best policy

Whatever you do, be honest about your organizational setup, your security protocols and when you're asked whether or not your company has experienced a breach before.

If you don't disclose a prior attack and you have another breach, forensics will uncover that prior breach and any correspondence shared about it. In addition to nullifying your coverage, you could have a directors & officers claim on your hands.

If you have had an incident, whether you had insurance at the time or not, paint a clear picture of what happened. Then, explain what you did to resolve it, and how you've improved processes to guard against a breach of that type ever happening again. Carriers will reward you if you've taken action to reduce your risk.

Never put off what you should do today

But, what about middle market companies, with one-person IT departments and no breach recovery plan in place? Do they need to defer until they're less of a risk?

I recommend that these companies go through the cyber liability application process to see where those vulnerabilities lie, then start an internal remediation process. Delve into worst-case scenarios — what would happen if you lost your ecommerce site for a day or a week, if you couldn't dispatch personnel or if your manufacturing operation came to a standstill? That exercise helps you identify the most mission-critical areas of your company, so you know where a breach would have the greatest impact.

Your broker could work with one or two carriers to get you the coverage you can get right now. Then, next year, when your processes are stronger, he or she can shop the coverage to multiple carriers, with the leverage to negotiate better rates.

Remember these do's and don'ts

Although it may seem daunting at first, securing the right cyber liability coverage is well worth the effort. The coverage is a conduit to services you'll desperately need if the unthinkable happens. Just keep these guiding principles top of mind:

  • Do work with an experienced broker who can walk you through the process.
  • Do involve the right people from finance, IT, accounts payable and your managed service provider (if you use one) in the application process.
  • Don't guess on numbers or other application data, or you won't get adequate coverage.
  • Do be honest about prior breaches, as these will be exposed during forensics if another breach occurs — and nullify your policy, often without a premium refund.
  • Do know you have options to reduce cost for the same coverage, like dividing the risk between a primary and excess carrier.
  • Do use the application process to recognize vulnerabilities in your organization's security, and make the appropriate changes.

In today's world, cyber breaches are, unfortunately, facts of business life. By devoting the time and research to the cyber liability insurance application process, you can get the coverage you need to protect your business and the information you need to strengthen your security protocol going forward.

Evan Taylor is a risk consultant and vice president at NFP. He can be reached by sending email to [email protected].
