Back to Blog Home

Cybersecurity insurance, part 2: Preparing for insurance company questionnaires

In the previous post in this cybersecurity blog series, we gave an overview of cyber insurance, how it works, and who should purchase it. Once companies have done the preliminary research and decided to purchase a policy, it’s time to prepare for a conversation with your agent.

As data security has become more complex, the list of questions insurance companies asks to qualify new cyber insurance clients has increased in both length and detail. Agents will want to know what data your company stores and what security measures are in place to protect that data.

Completing your insurance questionnaire will be much simpler if your organization already has a formal and documented cybersecurity program. Otherwise, you should prepare yourself to focus on improving your security controls before speaking with the agent. If your company does not currently have data security measures in place, odds are you may not qualify at all. 

What will an insurance agent ask?

Your review may begin with identifying information security risks at your organization. The agent will ask questions like these:

Q: Does your company process or store sensitive credit card numbers, protected health information (PHI), or other personal identifiers, such as social security numbers?

  • If the answer is yes, your company must remain compliant with regulations that oversee this type of data. The guidelines from regulators will steer you toward what kinds of controls must be in place to secure that kind of sensitive data.
  • From here, you will need to fill in what types of information your business stores, processes, or collects.
  • Then, you will be asked to disclose the amount of sensitive data your organization stores.
  • Finally, you will need to document the number of unique individuals your company stores data for, or about.

Q: Is your business required to follow regulatory requirements, such as HIPAA, GDPR, FERPA, SOX, GLBA, PDPA, and PCI-DSS?

  • If so, your company will already have regulations you must follow to stay compliant. For example, HIPAA has strict rules about how healthcare providers can use, transmit, and store patient data. Knowing what security controls must be in place in advance of your insurance meeting will help you to know what action steps to take before and after securing cyber insurance.
  • Along these lines, are there any government-specific security frameworks your organization needs to follow? Examples include the Canada Privacy Act, CASL (anti-spam regulations), PIPEDA (data protection and privacy laws), or provincial privacy laws.

Read more: Building a culture of cybersecurity awareness

Q: Do you provide laptops or other devices for employees or allow employees to use personal devices?

While allowing employees to use personal devices for work is tempting, there is a substantial risk. If a device is lost or stolen, sensitive data could be lost. Additionally, unsecured devices are a vulnerability that hackers could exploit.

Q: Do you allow vendor access to your systems or network?

  • If you give third-party contractors or vendors access to your data, you need to know what security controls they have.
  • What are the chances that your partners could be subject to a cyberattack? What are your vendors’ policies on announcing data breaches?
  • Do you regularly audit the security of contractors in your supply chain?

Q: Does your organization currently have cybersecurity protocols or a formal cybersecurity program in place?

  • What data protection policies and controls do you currently have in place?
  • Do you have an information security team or department? Additionally, who has formal, documented responsibility for its oversight?
  • How much of your annual budget do you allocate to information security?

Read more: What to look for in a cloud security partner

Cyber insurance agents will also want to know specifics about your current computer systems and network setup. Questions may include:

  • Does your company use a next generation firewall? Do you have a patch management program and update your computers and firewall regularly?
  • What antivirus software has your organization deployed, and how often is it updated?
  • Is there a network intrusion protection system (IPS) in place? What about an intrusion detection system (IDS)? How often is each system updated?
  • Does your e-mail service have anti-spam filters or an e-mail security gateway?
  • Do you require multi-factor authentication (MFA) to log in to your computer network and access e-mail?
  • Does your company practice good “password hygiene?” Do you require complex or randomly generated passwords? Do you require passwords to be updated routinely?

What policies are in place for acceptable use, data security, password complexity, incident response, and others?

Also read: Information privacy and information security: is there a difference?

Other cyber insurance considerations

Today, many companies have turned to the Cloud for hosting data and information storage. In this case, you will need to provide information about your company’s cloud service providers.

  • What security policies does your cloud provider have in place?
  • Does your provider audit cybersecurity via a third-party vendor?
  • Can your provider supply a SOC type 2 report on request?
  • Can your cloud provider meet compliance regulations from federal or provincial governments or PCI DSS?

Some cyber insurance questionnaires ask about customer contracts with questions like:

  • Are your customers required to agree to a contract that defines who is responsible for data privacy and security?
  • Does your contract contain “hold harmless” or other indemnification clauses?
  • How often are your contracts reviewed by a lawyer or your legal team?

Some insurance companies will ask additional questions based on what sector your company is in. In the following post in this series, we will discuss addressing security gaps or starting a new cybersecurity program from scratch.

Need help strengthening your company’s cybersecurity program? Talk to our experts today.


Read more from the cybersecurity insurance blog series:

  1. Part 1: What is Cyber Insurance and do I need it?
  2. Part 3: Completing the risk and liability questionnaire
  3. Part 4: What happens if your company is denied cyber insurance coverage