It seems that everyone these days, from President Obama to Facebook account holders, is concerned about cybersecurity. Data breaches and cyberintrusions are front page news, and businesses are warned to take a "when, not if" approach to these threats.
In light of this reality of modern life, more and more businesses are treating data security as one of their most important business risks, and a growing number of insurance companies are offering policies to help businesses prevent and respond to data breaches and attacks. Cyberinsurance policies generally provide both first-party and third-party coverage for such risks. First-party protections include the costs of a forensic investigation to uncover and remediate the breach, retention of privacy lawyers to ensure compliance with relevant laws and regulations, public relations experts to mitigate reputational damage, and companies to notify affected parties of the breach and to conduct credit monitoring, if required. Third-party coverage includes the defense of lawsuits and payment of damages, and coverage for regulatory actions in connection with a security failure, privacy breach, or the failure to disclose a security failure or privacy breach.
While cyberinsurance is not a replacement for diligent in-house data security policies and procedures, prudent businesses should seriously consider it as part of their risk management program. In fact, even the process of applying for cyberinsurance can serve as a useful road map for a business to improve its data security processes.
THE POLICY APPLICATION
There are a variety of different cyberinsurance products on the market, each with its own unique policy application. Different applications and underwriting standards may be employed depending on the insurer, the applicant's size and industry and the type, quality, and quantity of confidential data it handles and/or maintains.
As with any type of business insurance application, cyberinsurance applications seek general financial information about the prospective insured, including business assets and revenues, number of employees, and anticipated merger and acquisition activity. But cyberinsurance applications delve deeply into other specific areas of the applicant's business that directly impact its data security risk, including the following.
MANAGEMENT OF CONFIDENTIAL OR PRIVATE INFORMATION
Applicants often are asked about the volume and types of data they handle and/or maintain. For example, does the company deal with credit/debit card data, Social Security numbers, employee and human resources information, banking/financial records, or medical information? How many confidential records are maintained? Does the company have written, attorney approved policies and procedures concerning the handling of private information? How often are they updated? Is the company compliant with security standards implemented by the credit card industry? Does the company annually assess its compliance with state and federal regulatory standards, such as the Health Insurance Portability and Accountability Act and Graham-Leach-Bliley Act? Does the company employ a chief privacy officer?
COMPUTER SYSTEMS AND NETWORK
Cyberinsurance applicants are asked about their existing network security program, including the use of firewalls, antivirus software, programs to test and audit network security controls, network intrusion testing procedures, and the use of remote access to their computer network. They can be asked if they employ a chief information or chief technology officer. Insurers will want to know about the applicant's encryption policies, backup procedures, and the existence of disaster recovery plans. If the applicant utilizes an outside vendor or consultant to manage its computer system and network, the insurer may inquire into their qualifications, processes, and procedures. In light of the trend towards "bring your own device" programs, insurers want to know if systems are in place to secure mobile devices that have access to business data.
For policies with business interruption coverage, insurers also ask about the volume of sales transacted online on an hourly basis during a normal business day. Applicants with networked point-of-sale systems, such as computer registers and kiosks, may be asked about their average sales per hour.
Insurers often ask about the applicant's pre-employment screening procedures, such as criminal background checks and drug testing. They also inquire as to the applicant's written security training policies and procedures and if/how they are distributed to employees, policies for creating and updating passwords and termination of computer access as part of the business's regular employee exit processes.
If the applicant shares confidential information with other companies, insurers will want to know if those business partners are required to demonstrate adequate security, indemnify the company for data breaches, and maintain their own insurance for breaches.