It seems that everyone these days, from President Obama to Facebook account holders, is concerned about cybersecurity. Data breaches and cyberintrusions are front page news, and businesses are warned to take a "when, not if" approach to these threats.
In light of this reality of modern life, more and more businesses are treating data security as one of their most important business risks, and a growing number of insurance companies are offering policies to help businesses prevent and respond to data breaches and attacks.
Cyberinsurance policies generally provide both first-party and third-party coverage for such risks. First-party protections include the costs of a forensic investigation to uncover and remediate the breach, retention of privacy lawyers to ensure compliance with relevant laws and regulations, public relations experts to mitigate reputational damage, and companies to notify affected parties of the breach and to conduct credit monitoring, if required. Third-party coverage includes the defense of lawsuits and payment of damages, and coverage for regulatory actions in connection with a security failure, privacy breach, or the failure to disclose a security failure or privacy breach.
While cyberinsurance is not a replacement for diligent in-house data security policies and procedures, prudent businesses should seriously consider it as part of their risk management program. In fact, even the process of applying for cyberinsurance can serve as a useful road map for a business to improve its data security processes.
• The policy application.There are a variety of different cyberinsurance products on the market, each with its own unique policy application. Different applications and underwriting standards may be employed depending on the insurer, the applicant’s size and industry, and the type, quality, and quantity of confidential data it handles and/or maintains.
As with any type of business insurance application, cyberinsurance applications seek general financial information about the prospective insured, including business assets and revenues, number of employees, and anticipated merger and acquisition activity. But cyberinsurance applications delve deeply into other specific areas of the applicant’s business that directly impact its data security risk, including the following.
• Management of confidential or private information.Applicants often are asked about the volume and types of data they handle and/or maintain. For example, does the company deal with credit/debit card data, Social Security numbers, employee and human resources information, banking/financial records or medical information? How many confidential records are maintained? Does the company have written, attorney-approved policies and procedures concerning the handling of private information? How often are they updated? Is the company compliant with security standards implemented by the credit card industry? Does the company annually assess its compliance with state and federal regulatory standards, such as the Health Insurance Portability and Accountability Act and Graham-Leach-Bliley Act? Does the company employ a chief privacy officer?
• Computer systems and network.Cyberinsurance applicants are asked about their existing network security program, including the use of firewalls, antivirus software, programs to test and audit network security controls, network intrusion testing procedures and the use of remote access to their computer network. They can be asked if they employ a chief information or chief technology officer. Insurers will want to know about the applicant’s encryption policies, backup procedures and the existence of disaster recovery plans. If the applicant utilizes an outside vendor or consultant to manage its computer system and network, the insurer may inquire into their qualifications, processes and procedures. In light of the trend towards "bring your own device" programs, insurers want to know if systems are in place to secure mobile devices that have access to business data.
For policies with business interruption coverage, insurers also ask about the volume of sales transacted online on an hourly basis during a normal business day. Applicants with networked point-of-sale systems, such as computer registers and kiosks, may be asked about their average sales per hour.
• Employees.Insurers often ask about the applicant’s pre-employment screening procedures, such as criminal background checks and drug testing. They also inquire as to the applicant’s written security training policies and procedures and if/how they are distributed to employees, policies for creating and updating passwords, and termination of computer access as part of the business’s regular employee exit processes.
• Business partners.If the applicant shares confidential information with other companies, insurers will want to know if those business partners are required to demonstrate adequate security, indemnify the company for data breaches and maintain their own insurance for breaches.
• Websites.If the company maintains a website, insurers are likely to ask who has access to it, whether it is used to conduct transactions using credit cards or online bill payment, what type of information is available from it, and whether the contents are screened by an attorney for disparagement and copyright infringement issues.
• Prior incidents.Insurers typically inquire about the prospective insured’s three-to-five year history with regard to any actual or alleged failure to prevent unauthorized access to private information. The applicant will be asked to provide information concerning the nature of the event, including whether it was caused by a company insider or a third party, and any associated costs and damages. Some insurers ask how much time elapsed between the breach and its discovery and how long it took to resolve the problem after the breach was discovered.
Insurers may ask if the company has been threatened with extortion, such as a threat to disable the company’s computer network or website if certain demands are not met. Applicants also will be asked to disclose any denial of service attacks or known intrusions into their computer system. In addition, insurers want to know if the applicant currently is aware of any facts or circumstances that reasonably could give rise to a claim under prospective policy. Some insurers also ask if any other insurer has canceled or refused to renew a cyberinsurance policy within the past few years.
It is unlikely that a single department of a company can complete the typical cyberinsurance application. The team required to do so will likely cut across legal, human resources, compliance, risk, internal audit and technology departments. The applicant’s CIO, CTO, and/or CPO should be involved at the earliest phases of the application process. Inquires directed towards compliance with HIPAA, GLBA, and other data protection standards will require the assistance of the compliance or legal departments.
Cyberinsurance applications often call for the applicant’s president, CEO or CIO to sign the application and declare that the information being submitted is true and correct to the best of their knowledge and that every reasonable effort has been made to facilitate the proper and correct completion of the application. The applicant also is required to notify the insurer of any application changes prior to the issuance of the policy.
Great care should be taken in connection with the completion of the application because it will become a part of the cyberinsurance policy itself, if it is issued. Depending on the circumstances, incorrect information submitted in the application may become an issue if a claim is tendered for coverage under the policy.
Once the application is submitted, for smaller risks the insurer may simply provide a quote for the coverage. Larger risk applicants should expect to receive some follow-up questions from the insurer. Due to the variety and complexity of the various policies on the market, cyberinsurance applicants are urged to work with experienced professionals to ensure that they obtain the best coverage for their particularized needs.