Obtaining insurance coverage starts with an application, whether you're looking for inexpensive auto insurance online or complex coverage for a multinational business.

Cyber coverage is no different, explained Judy Selby, managing director of BDO Consulting, as she moderated the panel titled "You Finally Bought the Cyber insurance Policy. Now What?" as part of ALM's cyberSecure conference on Sept. 27.

The challenge with cyber liability insurance is that approximately 67 companies sell the coverage, and there are no standard forms to follow. Although there are some commonalities for businesses in the same industry, cyber coverage is in most cases customized to a specific company, and pricing is scaled to the size of the organization, the kinds of data to be protected and the types of cyber risk the organization faces.

Filling out the application correctly is a critical step in obtaining cyber coverage, noted panelist Scott N. Godes, a partner with Barnes & Thornburg LLP. As with most insurance applications, incorrect answers could cause the carrier to rescind the policy. It doesn't happen often, but it remains a possibility that businesses need to be aware of.

In-person interviews are also part of the application process, said fellow panelist Dan Twersky, assistant vice president at Willis Towers Watson. The person meeting with the underwriting team should be involved in filling out the application and well versed in the information included with it.

In addition to technical questions about the way your company manages data and security, most applications will also ask about prior claims within the past five years and whether your company will need media website cybersecurity.

Here is a look at six categories of the most common questions asked — and the level of detail required — across most cyber insurance applications. The questions are taken from cyber risk coverage applications for ACE/Chubb, Hartford, Travelers and USLI, all of which are available on the internet.

1. Information privacy and governance

Do you have a person designated for overseeing information privacy? Provide name and title.

Which of the following types of privacy information (personal information or third-party corporate information) does your company store, process, transmit or is otherwise responsible for securing? Please indicate the total number of records (if known) inclusive of internal staff and third parties:

    • Government-issued identification numbers (for example, Social Security numbers).
    • Credit card numbers, debit card numbers or other financial account numbers.
    • Health care or medical records.
    • Intellectual property (for example, third-party intellectual property, trade secrets or merger and acquisition information).
    • Usernames and passwords.

Does the company maintain documentation that clearly identifies the storage and transmission of all privacy information?

When was the company's privacy policy last reviewed? Provide specific date.

Does your company encrypt privacy information when it is:

    • Transmitted over public networks (for example, the Internet)?
    • Stored on mobile assets (for example, laptops, phones, tablets, flash drives)?
    • Stored on enterprise assets (for example, databases, file shares, backups)?
    • Stored with third-party services (for example, cloud providers)?

Does your company store privacy information on a secure network zone that is segmented from your internal network?

What other technologies are used to secure privacy information (for example, tokenization)?

2. Information security

Do you have a person designated for overseeing information security? Provide name and title.

Do you have a formal program in place to test or audit network security controls?

How often are internal audits performed?

How often are outside or third-party audits performed?

Do you use firewall technology?

Do you use antivirus software?

    • Is antivirus software installed on all of the applicant's computer systems, including laptops, personal computers and networks?
    • Has the antivirus software been updated? Provide date of last update.

Is it your policy to upgrade all security software as new releases or improvements become available?

Has the security software been upgraded on schedule? Provide date of last update.

Is multi-factor authentication or a layered security approach required to access secure areas of the applicant's website? Describe the authentication and verification methods used.

3. Intrusion detection software

Do you use intrusion detection software to detect unauthorized access to internal networks and computer systems?

Are mobile or wireless devices also protected with intrusion detection software?

Do you conduct periodic intrusion detection, penetration or vulnerability testing?

Do you regularly review the results of automated database monitoring tools that continually monitor, record, analyze and send alerts, including automatic shutdown when a data access irregularity is detected?

4. Data backup

Is all valuable and sensitive data backed up by the applicant on a daily basis?

If not, please describe the exceptions.

Is there a redundant network available for backup?

When was the redundant network last tested for continuity? Provide specific date.

Do you have a disaster recovery and business continuity plan?

Do you conduct training regarding security issues and procedures for employees who use the applicant's computer systems?

5. Policies and procedures

Do you publish and distribute written computer and information systems policies and procedures to your employees?

Do you have a formal documented procedure in place regarding the creation and periodic updating of passwords used by employees or customers?

Do you terminate all associated computer access and user accounts as part of the regular exit process when an employee leaves the company?

Do you have a security policy for employees' personal devices that are used to access the company network?

6. Compliance with industry standards

Are you compliant with ISO 27001 IT Security Standards?

Are you compliant with any regulatory or compliance frameworks? Provide the names of all that apply and the most recent date of compliance.

Do you use any industry security frameworks for confidentiality, integrity and availability (for example, NIST or COBIT)?

Is your company a member in outside security or privacy groups?

Does the company use any software or hardware that has been officially retired by the manufacturer (for example, Windows XP)?
