5 Steps to Take Before You Apply for Cyber Insurance
Cybersecurity is a critical issue for businesses of all sizes. Partly this is because of the rapid development of artificial intelligence, which is creating new types of threats. Pronouncements like these, from the National Security Administration’s (NSA) annual cybersecurity report, highlight reasons why we should be thinking about not just cybersecurity, but cyber insurance.
Cyber insurance plays a key role in your response to a successful cyberattack, but obtaining the right coverage is challenging. Because it is a specialized coverage, underwriting typically involves assessing your company’s ability to identify, prevent, and respond to an attack or breach.
Applying for cyber insurance before you are ready can lead to denials, mandated security measures, and/or higher premiums. Any of these outcomes will have a lasting impact on your business.
Here are five steps you can take before you apply for cyber insurance that can help ensure you get the right coverage at the right price.
Step 1: Prepare before you apply
Cyber insurance carriers expect you to have adequate cybersecurity measures, including appropriate policies and procedures. For small businesses, this means protection from the most common types of cyberattacks (phishing and ransomware) and from the most costly form of attack, business email compromise (BEC). While less common, BEC attacks often result in rapid, significant financial losses.
Next-gen endpoint protection, advanced threat protection, multi-factor authentication, and PC continuity are examples of low-cost and free protections.
Step 2: Avoid “reject” or “require”
If the insurance carrier finds your application or security measures are inadequate, they may reject or deny coverage. Carriers may also require you to make specific changes before issuing a policy.
With your cyber insurance application, carriers require a cybersecurity assessment via a questionnaire or survey. In addition to your attestation of accuracy, the underwriter may ask you to validate select answers, require a more formal audit, or hire a third-party auditor.
If your assessment indicates higher risks, the insurer may:
- Approve your application with (significantly) higher premiums and/or limited coverage
- Deny or reject your application
- Require specific cybersecurity measures before approving your coverage
Rejection of coverage is damaging, as you must disclose the denial on future cyber insurance applications.
With conditional acceptance, carriers often require you to add enterprise-class security services that are beyond smaller business budgets. And while some carriers will allow you to withdraw your application, others will treat a decision not to move forward as a denial.
Step 3: Be careful with “yes” and “no”
Most cyber insurance questionnaires use “yes or no” questions. Your “yes” and “no” answers are absolute and binding. Any misrepresentation may be seen as grounds to deny claims or cancel your policy.
For example: If asked about using multi-factor authentication (MFA), a “yes” means that every single account on every system has MFA enabled. If you answer “yes,” experience a breach, and forensics show any accounts without MFA, your insurer may reduce or deny your claim.
If you cannot provide “yes” or “no” as an absolute answer, respond with “see attached” and provide an explanation so the underwriter can assess the risk.
Step 4: Be ready to own your answers
Most small businesses rely on IT service providers, vendors, and legal counsel for assistance with cybersecurity questionnaires. You need to understand the answers, as you are contractually responsible for the information. Incorrect or misleading information may result in reduced or denied claims, policy cancellation, and other liabilities.
If you do not understand, or are not comfortable with any answers, seek additional advice. An objective second opinion helps avoid future problems.
Step 5: Use a specialist
Cyber insurance is a specialized technical insurance product. To obtain appropriate and affordable coverage, work with an agent or broker with specialized cybersecurity and cyber insurance expertise.
While your general business liability agent may offer an “easy application” cyber insurance policy, these policies often lack appropriate coverage. A specialist, particularly one who can solicit policies from multiple carriers, is your best guide through the application and underwriting process.
Taking the time to prepare before applying for cyber insurance, or putting your current policy out to bid, can save you money, time, and aggravation. You also reduce your risk of inadequate coverage and denied claims.
This article was written by Allen Falcon from Inc. and was legally licensed through the DiveMarketplace by Industry Dive. Please direct all licensing questions to legal@industrydive.com.