NOTE: Brian Brown is a guest author for INSUREtrust. He is an expert in cyber liability coverage, and has held a number of senior positions in the insurance industry for over a decade. He may be contacted by email at firstname.lastname@example.org or by phone at 404-849-3004.
In Brian’s previous article, Part 1, he explained why completing a cyber liability insurance application can be challenging and how to think through some of the obstacles involved.
When considering how to tackle a cyber insurance application, it is important to remember that there is no universal application. Each carrier has its own flavor. However, most carriers are willing to work with another carrier’s application and offer a bindable quote. Although different in format, each application has similar sections:
General Information section
The General Information section is the same as for any insurance application, with common fields such as name, address, years in business, etc. One quick note on international companies: networks do not have national boundaries, and trying to insure just the US entity might pose a problem. This section may also include questions that request a description of the services or products provided. This is one area where scrimping on information may be costly, since, as mentioned above, premium is based on revenues and then discounted based on operations. It is critical that the underwriter has a complete understanding of the business. Any underwriter is going to go to the “About Us” section of the enterprise’s website. Information there, however, may describe what the insured wants to become, not what it actually is. The more detailed the description of services or products provided is on the application, the better the ultimate outcome will be. A breakdown of sales by method (online, retail, and wholesale), for instance, is invaluable. Underwriters will penalize for uncertainty or ambiguity; it is in their nature. Details on clients are critical, since much of the pricing is determined by the amount of PII the organization collects and maintains.
System Controls section
Typically completed by the IT department, the information from the System Controls section is meant to help underwriters determine how the organization’s controls stack up against its peers. Unsavory individuals will exploit easy targets, so underwriters want assurance that the insured does not fall into that category. Questions will include:
• Technical controls – Firewalls, intrusion detection and antivirus
• Network structure – Including the architecture of the network, the number of data centers, the number of servers, whether a hosting company is used, etc.
(If you are an agent and you are hesitant about broaching technical subjects because of a lack of in-depth knowledge, don’t be. You are not expected to understand the nuances of protection. You are just assisting your client in accurately representing their security posture with respect to a baseline standard for that particular industry. Just as you don’t need to know the exact water flow necessary for an automatic sprinkler system to write property insurance, you don’t need to know the intricacies of information security to write cyber.)
It may be helpful to think of the exposure in terms of “Realms”:
• Network – This is loosely defined as the information contained digitally within the system.
• Remote Access – For employees not working within the network, this is how they access the system’s functionality and how it is protected. Also, since access is typically through laptops, the protection of laptops is critical. One of the largest loss areas is lost or stolen laptops. Encryption of laptops may be the best “bang for your buck” risk management investment available. Hard drive encryption is surprisingly inexpensive. There are even free sources, such as TrueCrypt. The additional protection afforded is enormous.
• Wireless – The lessons of the DSW loss have tightened these controls in nearly all instances, so now this realm is normally secure.
• Vendors – In some cases, part of the network’s functionality lies with third-party vendors. These vendors could be responsible for data storage, hosting, managed security, backup tape storage, etc. Contracts with these providers should be included with the application if possible, and should contain hold harmless and indemnity clauses. The language in such contracts will demonstrate that contractual protections are in place and also offer a sense of how the network is structured.
General Security section
In the General Security section, there may be questions that will give an indication of the corporate orientation with regard to digital and privacy risks. Questions such as, “Do you have a formal security and privacy program in place?” and “Is training given to employees with regard to security and privacy?” are examples. The answers will have an impact on the amount of credit given by underwriters because one of the elements that has the most impact on an underwriter’s comfort (reflected in the price) is management’s attitude and their willingness to expend resources on security and privacy.
• Backup Tape Procedures – Many claims have occurred due to lost or misplaced backup tapes. Networks need regular (usually daily) backups in case something devastating should happen; the enterprise then has the assurance that it can quickly restore the network to its previous state with little data lost. However, by necessity, all the data on the network is now exposed to compromise. Most organizations hire an outside firm to transport and store tapes. These might be picked up in a locked box which was left out the night before. Another method is to ship tapes via air carrier. (There was one claim where an airfreight carrier was used and the package with the tapes never arrived. A large loss was paid because the PII may have been compromised.) Ideally, backup tapes should be encrypted. State laws, as a rule, consider encrypted data to be similar to shredded documents, which do not require notification.
• Website Media and Extortion – As cyber evolved, additional coverages were added to address specific loss instances. Cyber Extortion and Website Media are two examples.
o Cyber Extortion primarily occurred in the mid-1990s, when cyber thieves would steal data and extort the organization for money: “Give me half a million dollars, and I won’t post your information on the Internet.” This quickly fell out of vogue since there had to be a physical exchange and law enforcement was able to capture perpetrators.
o Website Media is a standard cyber coverage because some General Liability policies may not appropriately cover this new form of advertising, particularly if the company can be construed as being “in the business of advertising.” Therefore, the application asks questions regarding content, such as “Who creates content?” and “If content is not original, how is the company protecting itself against copyright suits?”
When asked if anyone ever tried to break into his system, one CIO checked his watch and said, “There are about a dozen right now… School is out.” If the answer to any of the claim questions is “Yes,” a narrative is mandatory. It may be that privacy losses are a regular occurrence. A good example would be a hospital, where an incorrect email is used when sending personal medical information or a medical file is inadvertently left unattended. A short narrative will put the underwriter at ease and also help fix an appropriate deductible amount.
To get a quote, you need to complete a cyber application
Cyber coverage appears here to stay. Agents, brokers and companies need to address this emerging exposure to loss. There is a multitude of pre-loss security and privacy measures such as encryption, technical security precautions and employee awareness training, but ultimately an informed business decision should be made regarding the purchase of cyber insurance. In order to obtain a quote, a cyber application is necessary.