Cyber Bytes: How Does Your Cybersecurity Stack Up to an Insurance Application?

March 22, 2023

Cyber liability insurance is becoming a necessity, not a luxury. The proliferation of data crimes has pushed cybersecurity into the risk management mainstream. If you don’t have a plan in place, it can affect your coverage options. 

Before issuing a cyber liability policy, insurance companies will request information to assess your vulnerability and threat levels. This includes your:

  • Data sharing, collection and storage
  • Cybersecurity strategy
  • Cyber incident response plan

If you have a high vulnerability for a cyberattack, you’re at increased risk for a data breach and subsequent insurance claim. A data breach can be catastrophic if you don’t have a robust cybersecurity and incident response plan. These factors determine if an insurance company will offer you a cyber liability policy (and at what cost) or deny it.

Gather your IT team and evaluate your systems and protocols before you apply. 

Cyber liability insurance application

Here are some questions you might see:

Claims history

  • Have you had any known cyberattacks or network-related interruption claims?
  • Has anyone sued you for privacy data loss or intellectual property infringement?

Personal information data storage

  • How many individuals’ personal information do you collect, store, process or handle? (This includes paper data files.)
  • Do you require clients to store personal information, like credit cards and Social Insurance numbers?
  • Do you collect or store biometric data (fingerprints, facial images or iris scans)?
  • Can you allow clients to opt out of sharing nonessential personal information with third-party vendors?
  • Is your sensitive data encrypted?
  • Do you rely on a third party to store or process nonpublic personal information on your behalf?


  • Have you designated an individual or group responsible for information security?
  • Do you have a designated individual or group responsible for compliance and regulation issues? Are they independently audited or reviewed by an attorney?
  • Do you use layers of security technology such as firewalls, antivirus software, strong passwords and multifactor authentication?
  • Do you back up mission-critical business data regularly?
  • Are mission-critical logs reviewed for suspicious activity on a scheduled or real-time basis?
  • Do you store recent backups offline or solely in the cloud? 
  • Do you have a document destruction and retention policy?
  • Do you isolate your backup data to minimize threats to operational processes?
  • Do you implement system security updates or patches? How often? 
  • Do you have a process for managing open accounts, including removing access for former employees, clients and vendors?
  • What network security do you impose on remote workers? 

Cryptocurrency and mining

  • Does your business engage in cryptocurrency operations like initial coin offerings, mining, trading, storage or exchanges?
  • Does your business accept or process transactions using cryptocurrency tokens or digital coins?

Incident response planning

  • Do you have a written cyber incident response plan?
  • Do you have a business interruption plan that includes alternate operations while recovering from a cyberattack?

Employees, vendors and contractors

  • Do you have written contracts to enforce your information security with third-party service providers?
  • Do you audit your third-party vendors and suppliers to ensure their cybersecurity protocols and protections are adequate?
  • Do you apply least-privilege access to data for all employees and third parties?
  • Do you have an asset management inventory to track your computers and devices?
  • Do you perform background checks for all employees, vendors and contractors?
  • Do you train employees on cybersecurity?
  • Do you have a formal procedure or hotline for reporting suspected cyber incidents or suspicious behaviors, both internal and external?

Be truthful about your cybersecurity to avoid future denials

When you apply for a cyber liability policy, don’t embellish your security protocols or downplay your data to get favorable rates. 

If you say you have a security team, perform weekly system updates or use multifactor authentication, follow through. If you don’t, you risk a claim denial based on false statements on your application.

Get started on cybersecurity

The questions on a cyber liability application can be overwhelming, but they can also offer a helpful road map for assessing your data vulnerabilities. Reducing your cyber risks now could help lower your policy premiums in the future. Call your broker for more information on cyber coverage options for your business.