Cybersecurity insurance, part 3: Completing the risk and liability questionnaire

In the first two parts of our cybersecurity insurance series, we discussed the need for cyber risk insurance and common questions insurance agents ask. In this post, we will discuss how to answer these questions and strategies to close potential security gaps that could cause your policy to be costly or denied outright.

Will an IT team member—for example, the CIO, CISO, information system director, or IT director—be able to answer all the questions on the questionnaire? Most likely not. The IT department will have some answers, but cybersecurity is not specific to the IT department. Information security involves the entire company.

Departments outside of IT own much of the data the insurance questionnaire asks about. For example, human resources stores sensitive employee data such as salaries, social security numbers, and health insurance information. Finance ensures vendor data, payment records, bank information, and other assets are secured properly. If your organization has a software development team, secure application development and data privacy are their responsibility.

A Governance, Risk, and Compliance (GRC) team is tasked with implementing cybersecurity and data protection frameworks. In a small business, the GRC team may consist of VPs and department heads. Larger companies might have a dedicated team, and enterprise-level firms often have one that reports directly to the board.

Proactive security measures that lower premiums

Most likely, the CIO of your organization will have to complete the insurance questionnaire. If your company has a Chief Information Security Officer (CISO), the CIO can lean on them for support in answering the questions. A CISO ensures security policies are in place and approved and the controls are deployed so that you receive the best quote possible.

Examples of proactive security measures

Proactive security measures include:

  • Segmenting or micro-segmenting the organization’s network to reduce risk.
  • Deploying a next-generation firewall (NGFW) at the network perimeter.
  • Utilizing endpoint detection and response (EDR) software on all endpoints, monitored 24x7x365.
  • Implementing a security information and event management (SIEM) tool.
  • Employing monthly vulnerability assessments and cleanup.
  • Enacting multi-factor authentication (MFA) for system logins such as e-mail, network access, and VPN access.
  • Assessing overall information security measures through a third-party evaluation based on a proven framework like the NIST cybersecurity framework.
  • Providing regular cybersecurity awareness and training to all employees.
  • Initiating a GRC program with policies, guidelines, and processes.

On the other hand, if your business has gaps or you don’t have a dedicated CISO, don’t panic.

Not every company can deploy the fully formed cybersecurity program that cyber risk insurance often requires, at least not without some help.

The above list is a big ask. Unless the company has seasoned information security leadership or has already lived through one or more data breaches, it will need outside security help.

Understanding data management risks

Cyber risk insurance is a way to transfer risk to a third party. Additionally, information security controls act as preventive, detective, and deterrent measures against threat actors. The goal is to manage risk and prevent costly cyber breaches such as:

  • Accidental leak of sensitive or personally identifiable data.
  • A ransomware attack that locks your business out of mission-critical systems.
  • A business email compromise (BEC) that causes unexpected revenue loss.
  • An insider threat from a bad actor within the company.

Suppose your business already has a functioning security program, but you discover new, high-risk areas through the process of securing cyber risk insurance. How can you mitigate those risks as much as possible (and lower your insurance costs)?

Mitigating risks

To start, you will need to understand the fundamentals of your company’s data.

  • Who are you gathering data on? Customers? Employees? Visitors to your website or mobile application? Are they prospective customers? Are you purchasing email lists?
  • What information is collected? Demographic data such as addresses? Sensitive data like credit card numbers, birthdates, and social security numbers? Do you track metrics about employees and customers?
  • When is data gathered? At the point of first contact? At each customer interaction?
  • Where is the data stored?
  • Why are you storing that information, and how long is it stored?
  • How is it secured? Is it encrypted? Is it secured by other means?
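The six questions above amount to a data inventory, and the gaps that raise a premium are the rows where the answer is "unknown" or "no". As an added example (not OnX's code or the questionnaire's own format), the script below models each data asset with those who/what/when/where/why/how attributes and flags the gaps an underwriter would notice: sensitive data stored unencrypted, an unknown storage location, no retention period, and no documented purpose. The sensitivity tiers, severity levels, and sample inventory are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Sensitivity tiers are an assumption of this example, chosen to mirror the
# questionnaire's distinction between demographic data and sensitive data
# such as card numbers, birthdates, and social security numbers.
SENSITIVE = {"credit_card_number", "ssn", "date_of_birth",
             "health_insurance_id", "salary", "bank_account"}
PII = {"name", "email", "postal_address", "phone"}


@dataclass
class DataAsset:
    name: str                      # e.g. "HR employee records"
    owner: str                     # department that answers for it (HR, Finance, ...)
    subjects: str                  # WHO the data is about: customers, employees, ...
    fields: List[str]              # WHAT is collected
    collected_when: str            # WHEN: first contact, every interaction, ...
    storage: Optional[str]         # WHERE it lives; None means nobody knows
    purpose: Optional[str]         # WHY it is kept; None means undocumented
    retention_days: Optional[int]  # HOW LONG; None means no retention defined
    encrypted_at_rest: bool        # HOW it is secured


@dataclass
class Finding:
    asset: str
    severity: str  # "high" | "medium" | "low"
    issue: str


def classify(asset: DataAsset) -> str:
    """Return the highest sensitivity tier present in the asset's fields."""
    if any(f in SENSITIVE for f in asset.fields):
        return "sensitive"
    if any(f in PII for f in asset.fields):
        return "pii"
    return "non-personal"


def assess(asset: DataAsset) -> List[Finding]:
    """Flag the questionnaire gaps for one asset."""
    findings: List[Finding] = []
    tier = classify(asset)
    if tier == "sensitive" and not asset.encrypted_at_rest:
        findings.append(Finding(asset.name, "high",
                                "sensitive data stored without encryption at rest"))
    elif tier == "pii" and not asset.encrypted_at_rest:
        findings.append(Finding(asset.name, "medium",
                                "PII stored without encryption at rest"))
    if asset.storage is None:
        sev = "high" if tier == "sensitive" else "medium"
        findings.append(Finding(asset.name, sev, "storage location unknown"))
    if tier != "non-personal" and asset.retention_days is None:
        findings.append(Finding(asset.name, "medium", "no retention period defined"))
    if tier != "non-personal" and not asset.purpose:
        findings.append(Finding(asset.name, "low", "purpose for collection not documented"))
    return findings


def assess_inventory(assets: List[DataAsset]) -> List[Finding]:
    """Assess every asset and order findings by severity, then asset name."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [f for a in assets for f in assess(a)]
    return sorted(findings, key=lambda f: (order[f.severity], f.asset))


# Constructed sample inventory: one well-managed asset, two with gaps, one
# non-personal asset that should produce nothing.
SAMPLE_INVENTORY = [
    DataAsset("HR employee records", "HR", "employees",
              ["name", "ssn", "salary", "health_insurance_id"], "hire date",
              "HRIS (SaaS)", "payroll and benefits", 7 * 365, True),
    DataAsset("Finance vendor payment records", "Finance", "vendors",
              ["name", "bank_account"], "vendor onboarding",
              "departmental shared drive", "vendor payments", None, False),
    DataAsset("Marketing purchased email list", "Marketing", "prospects",
              ["name", "email"], "list purchase", None, None, None, False),
    DataAsset("Web analytics", "Marketing", "website visitors",
              ["page_views", "referrer"], "each visit",
              "analytics vendor", "site performance", 90, True),
]

if __name__ == "__main__":
    for f in assess_inventory(SAMPLE_INVENTORY):
        print(f"[{f.severity.upper():6}] {f.asset}: {f.issue}")
```

Run as-is, the high-severity line (unencrypted bank account numbers on a shared drive) prints first, followed by the medium gaps; the HR and analytics rows produce no findings. Replacing `SAMPLE_INVENTORY` with the real inventory each department returns gives a prioritized list of what to fix before the questionnaire is submitted.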

Finding help with cybersecurity and insurance

As you fill out the insurance questionnaire, you will see where your cyber risk insurance provider may find vulnerabilities in your environment. Thankfully, the questionnaire also provides a starting point for the risk management approaches to consider. Improving your security program will require you to work with each department of your company, and you may need to partner with a third-party cybersecurity provider. That partner could take the form of auditors or an advisor like OnX that prioritizes cybersecurity and information security management.

Get in touch to learn more about how OnX can guide your company on the journey to cyber risk insurance and enhanced cybersecurity.

Read more from the cybersecurity insurance blog series:

  1. Part 1: What is Cyber Insurance and do I need it?
  2. Part 2: Preparing for insurance company questionnaires
  3. Part 4: What happens if your company is denied cyber insurance coverage