If the company maintains a website, insurers are likely to ask who has access to it, whether it is used to conduct transactions using credit cards or online bill payment, what type of information is available from it, and whether the contents are screened by an attorney for disparagement and copyright infringement issues.
Insurers typically inquire about the prospective insured's three-to-five-year history with regard to any actual or alleged failure to prevent unauthorized access to private information. The applicant will be asked to provide information concerning the nature of the event, including whether it was caused by a company insider or a third party, and any associated costs and damages. Some insurers ask how much time elapsed between the breach and its discovery, and how long it took to resolve the problem after the breach was discovered.
Insurers may ask if the company has been threatened with extortion, such as a threat to disable the company's computer network or website if certain demands are not met. Applicants also will be asked to disclose any denial of service attacks or known intrusions into their computer system. In addition, insurers want to know if the applicant currently is aware of any facts or circumstances that reasonably could give rise to a claim under the prospective policy. Some insurers also ask if any other insurer has canceled or refused to renew a cyberinsurance policy within the past few years.
It is unlikely that a single department of a company can complete the typical cyberinsurance application. The team required to do so will likely cut across legal, human resources, compliance, risk, internal audit, and technology departments. The applicant's CIO, CTO, and/or CPO should be involved at the earliest phases of the application process. Inquiries directed towards compliance with HIPAA, GLBA, and other data protection standards will require the assistance of the compliance or legal departments.
Cyberinsurance applications often call for the applicant's president, CEO, or CIO to sign the application and declare that the information being submitted is true and correct to the best of their knowledge, and that every reasonable effort has been made to facilitate the proper and correct completion of the application. The applicant also is required to notify the insurer of any application changes prior to the issuance of the policy. Great care should be taken in connection with the completion of the application because it will become a part of the cyberinsurance policy itself, if it is issued. Depending on the circumstances, incorrect information submitted in the application may become an issue if a claim is tendered for coverage under the policy.
Once the application is submitted, for smaller risks the insurer may simply provide a quote for the coverage. Larger risk applicants should expect to receive some follow-up questions from the insurer. Due to the variety and complexity of the various policies on the market, cyberinsurance applicants are urged to work with experienced professionals to ensure that they obtain the best coverage for their particularized needs.