1. Know your risks
Before looking for a policy, some due diligence on your cybersecurity practices can help you obtain the best premium possible and get terms that are important for your organization.
- Know the potential number of records your company maintains that could be exposed. This number is not always the current customer count in your database. It could also include past customers, potential customers, individual contacts within a company (if you deal with company groups), and your own employees’ records.
- Conduct a cyber risk assessment. A thorough assessment can identify what cyber risk you may want to cede via coverage, as well as demonstrate your company’s strong security practices and technology infrastructure to potential insurers. The assessment should take a wide view of your risk exposures, including your weak spots and what you plan to do about them.
- Provide details about how your organization transacts with vendors or other third parties that may have access to your sensitive information and make them accountable for implementing the same level of prudent security practices as your own organization. Demonstrating due diligence in managing these relationships will go a long way.
- A well-documented data breach response plan demonstrates your commitment to cyber security and also helps you stay organized when discussing your procedures and needs with your broker. Experian and several other data breach experts can provide guidance on response planning, which can be a useful place for companies to start. Insurers know that small to mid-size businesses may not always have the resources for an elaborate cyber security program, but they are looking for companies that can demonstrate they have safeguards in place that reduce the likelihood of an incident.
2. Work with your broker
Companies need to properly evaluate policies to ensure they are getting coverage that meets their risk profile. Whether it is supplemental coverage added on to an existing policy or a stand-alone cyber policy, a knowledgeable broker can help you navigate the wide variety of coverage options. Below are some key aspects to look for in a cyber policy:
- Coverage for crisis response services, including forensics, legal and data breach resolution partners that are well established and are experts in the industry. Often a policy will outline the outside experts that can be used during an incident, and it’s important that risk managers and your broader response team are comfortable with the options. In some cases, companies and brokers can negotiate using their own preferred providers, but this should be done prior to binding coverage.
- Coverage for third-party cloud or other IT providers who have access to sensitive information of the covered company. While some of the liability may ultimately lie with the third-party provider, this isn’t always the case and could be an area of oversight. Also, the cloud provider may not have sufficient coverage given the amount of sensitive data they hold (similar to an underinsured motorist).
- Risk management programs implemented in advance can help a company more effectively prepare for and manage security and privacy incidents. Many policies offer resources and guidance on incident-response plans and practices that will help a company prepare for an incident. Some will also take companies or departments through a cyber-security drill to help them better prepare.
3. Ask smart questions
Questions your broker should ask insurers include:
- What is the breadth of coverage and what exemptions are in the policy? Does the insurance company demonstrate a clear understanding of the real risks this company faces from security threats?
- How much loss experience does the insurer have in this area? Has the insurer paid actual data breach claims and covered other previous, major incidents?
- Does the insurer have specific policies that account for the risks or needs of your organization’s industry?
Ultimately, most companies will benefit greatly from cyber insurance. Know your security risks, work with your broker, review the variety of policy options available, and understand your coverage needs. Following these tips will help you be an educated buyer when working with your insurance broker and can help ensure that you get a policy that fits your organization’s needs.