With the average cost of a data breach at an all-time high — $4.88 million — it makes sense that more organizations are purchasing cybersecurity insurance policies to reduce their risk.
But cybersecurity insurance is not as simple as it has been in the past. Policy providers have run the numbers, and compared to even five years ago, the bar has been significantly raised. Due to previous policy payouts, today’s treacherous threat landscape, and the high financial costs associated with incidents, the cybersecurity expectations companies are required to meet in order to be covered have increased. Before they agree to cover you, they’ll want to know that you’re taking reasonable precautions to avoid potentially catastrophic (and costly) incidents.
In this blog, I’ll explain what insurers look for and why, provide tips on preparing your business, and explain how to complete cybersecurity insurance questionnaires.
What Businesses Need Cybersecurity Insurance?
Organizations handling a large volume of sensitive data are very often good candidates for cybersecurity insurance, also known as cyber liability insurance. Make no mistake, this is not limited to only big businesses. On the contrary — a lot of small businesses, and even nonprofit organizations, should consider this type of insurance coverage if they’re not equipped to absorb the kinds of financial losses that are associated with common cyber attacks.
Here is a list of the types of businesses that should strongly consider getting a cyber liability policy, if they don’t already have one:
- Healthcare organizations
- Financial services
- Retail businesses that process transactions online
- Technology companies
- Educational institutions
- Legal services
- Energy and utility companies
- Manufacturing
- Government agencies
- Real estate firms
- Telecommunications companies
- Hospitality providers
When Should You Get Ready To Apply or Prep for the Insurance Renewal Process?
If your organization falls into any of the categories above, or your small business’s very existence would be threatened by a serious cybersecurity attack, you should consider getting cyber insurance as soon as possible.
However, keep in mind that filling out an insurer’s questionnaire and providing additional documentation may take some time. You also may need to prepare your business to meet certain policy requirements. Here’s what a realistic timeline looks like.
Management Tip: Make sure that you have the policy renewal date marked on your calendar, along with a reminder at least 30 days prior to renewal. This will give you adequate time to review the policy renewal questionnaire for the upcoming year. The list of questions and requirements cyber insurance providers will be asking for rarely gets smaller. Without having these met, you may experience higher premiums, reduced coverage, or both.
What’s Usually Covered Under a Cyber Liability Policy?
The best time to carefully review your coverage is before you sign the contract. The second best time is right after you sign. The worst time is after you have a cybersecurity incident.
Here’s what’s typically covered — and not covered — by a business cyber insurance policy. Each policy will vary, so make sure you have a good understanding of what is included in yours.
Typically Covered Expenses
- Investigative services
- Data recovery
- Identity recovery
- Legal fees
- Customer notification costs
- Settlement costs
- Threat mitigation services
- Lost revenue
- PR services
- Regulatory fines
- Ransomware payments
Not Typically Covered
- Disruptions due to a third-party system
- Criminal suits, including business fraud
- Cyber incidents that you knew about prior to your policy’s start date
- Cyberattacks that affect you, but were launched against a subsidiary that you don’t own or directly manage
What Does a Business Cyber Insurance Questionnaire Usually Ask?
In addition to basic questions about your business’s size, revenue, industry, and data-collection needs, be prepared to field these common questions:
1. Do You Require Multi-Factor Authentication (MFA)?
Multi-factor authentication is going to be on any cybersecurity insurer’s list of questions because it can prevent 99.9% of cyberattacks.
Requiring the use of MFA to access your critical business systems and data isn’t going to be everyone’s favorite topic of discussion. However, configured properly, most modern applications make it quick and easy for users to authenticate themselves without too much disruption.
Risk Warning: Many cyber insurance questionnaires will ask generalized questions, such as, “Are all of your systems and applications secured with MFA?” Many companies will answer this “YES” when only their core services are covered with this safeguard, like Microsoft 365 accounts, VPN accounts, and server logins. But what about all of those other systems and SaaS applications you use to run your business? If a future incident involves your SaaS-hosted ERP or CRM system, and that system did not have sufficient MFA controls enabled, you may be scrutinized by your insurance provider during the incident review and payout.
2. What Security Awareness Training Do You Provide?
Believe it or not, most cybercriminals aren’t actually masterminds. They don’t need to be. Just like many offline criminals, they tend to look for easy opportunities to make a quick score.
Even the strongest passwords in the world don’t do much good if your staff is prone to giving them away. And unless you provide robust security awareness training, that’s probably happening more often than you’d like to think. Without engaging, ongoing training, 61% of Americans are highly vulnerable to phishing emails. However, high-quality training programs are extremely effective in reducing those numbers — transforming a significant security vulnerability (your staff) into your greatest security asset.
3. How Do You Currently Back Up Your Data?
Backing up your data is great. But a lot of businesses haven’t paid much attention to following best practices, including how often backups should be made, where data is stored, and how quickly they could potentially recover after a significant data loss.
Before you apply for cyber insurance, look into all of these things, because they may come up! Also, to avoid adding an extra level of chaos during an incident, make sure your company has a process in place to test your backups on a regular cadence. The last thing in the world you want while you’re recovering from a ransomware attack is to discover too late that the backup system you’ve been relying on was not configured properly, and you’ve lost business-critical data.
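What a scheduled backup test can look like in practice, as an added example (not code from the original post): back up a directory, restore the archive into scratch space, compare the restored files against the live data by hash, and flag a backup that is older than the agreed cadence. The daily cadence, the file names, and the sample data are all constructed for this example.

```python
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path

MAX_BACKUP_AGE = 24 * 3600  # assumed cadence for this example: one backup per day

def _tree_digest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def make_backup(source: Path, archive: Path) -> None:
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")

def verify_backup(source: Path, archive: Path, max_age: float = MAX_BACKUP_AGE) -> dict:
    """Restore the archive into scratch space, diff it file-by-file against the
    live data, and flag a backup older than the agreed cadence."""
    result = {"stale": time.time() - archive.stat().st_mtime > max_age,
              "missing": [], "mismatched": []}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # Use the hardened extraction filter on Python versions that have it.
            tar.extractall(scratch, **({"filter": "data"} if hasattr(tarfile, "data_filter") else {}))
        restored = _tree_digest(Path(scratch))
    for rel, digest in _tree_digest(source).items():
        if rel not in restored:
            result["missing"].append(rel)       # file was never captured by the backup
        elif restored[rel] != digest:
            result["mismatched"].append(rel)    # backup is out of date for this file
    result["ok"] = not (result["stale"] or result["missing"] or result["mismatched"])
    return result

def demo() -> tuple:
    """Constructed sample: a clean restore test, the same archive after the live
    data has drifted, and a cadence breach forced with max_age=-1."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        src.mkdir()
        (src / "ledger.csv").write_text("id,amount\n1,42\n")
        archive = Path(work) / "backup.tar.gz"
        make_backup(src, archive)
        good = verify_backup(src, archive)
        (src / "ledger.csv").write_text("id,amount\n1,42\n2,7\n")  # changed after backup
        (src / "contracts.pdf").write_bytes(b"%PDF-constructed")  # never backed up
        drifted = verify_backup(src, archive)
        stale = verify_backup(src, archive, max_age=-1)
    return good, drifted, stale
```

The point of running this on a schedule is that the "missing" and "mismatched" lists surface a misconfigured or incomplete backup job long before an incident forces you to find out the hard way.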
4. How Do You Control Who Has Access to What?
Do you have accounts that are limited in what they can access? Is this based on the user’s current role, or have they been inheriting permissions without any formal documentation over the last ten years and three job titles? Role-based access and the principle of least privilege are common approaches to ensuring that you are limiting your liability. Having this built into your account creation and access review process, and backed up by company policy, goes a long way with your cyber insurance application. If you’re ready to take it to the next level, consider adopting zero trust architecture for your environment.
5. How Do You Assess Vendors and Business Partners?
If this issue hasn’t already come up for your business, it will likely come up when you try to secure a cyber insurance policy. Everyone who has access to your facilities, your data, and your systems represents a potential security risk, so proper vendor due diligence is necessary.
Have a system in place to track your vendors. Formally identify and document accounts, data, and systems that they will have access to, identify the risk impact, and have a process in place to verify that they are meeting a certain level of vendor selection criteria to be considered in the first place. For instance, if a vendor is using outdated and insecure technology, like legacy encryption standards to transfer data in their applications, then why would you give them access to your company data?
Ask questions like, “Are they required to notify you if they have a data breach, and how quickly? Do they have a service-level agreement (SLA) that meets your business continuity needs? What is the consequence if this fails?” These are just some of the many vendor evaluations to consider.
6. How Do You Protect Endpoints?
Every vendor that can access your systems and data is a potential security risk, and so is every device — including tablets and smartphones. Proper endpoint protection (including patch management) can reduce your overall attack surface. And that’s exactly why insurers will be very interested in your answer. Make sure that you’re not using an outdated antivirus tool to identify endpoint threats. It is not uncommon for cyber insurance companies to look for modern antivirus tools. Evaluate modern options like endpoint detection and response (EDR) and extended detection and response (XDR). Not only can this help you get a cyber insurance policy, but it will significantly reduce your risk and improve your cybersecurity posture.
7. Have You Previously Had a Serious Cybersecurity Incident?
This might sting a bit, but insurers will want to know the answer to this question because past incidents might reveal current vulnerabilities, and how you responded in the past gives an insurer some sense of how you might respond to a future incident. It’s also sad, but true, that cybercriminals will sometimes attack the same organizations repeatedly if a past attack was easy and profitable.
8. Do You Have Current Incident Response, Disaster Recovery, and Business Continuity Plans?
Downtime is expensive! If an insurer believes you can minimize downtime, you might pay less for cyber coverage! In addition, make sure that if you are working with a cyber insurance provider you understand who they will want you to work with during an incident. Many times they will have a list of pre-approved incident response firms (IR firms). You can build these options into your incident response plan (IRP). If you already have an incident response firm that you are working with, make sure you’ve discussed this with your cyber insurance company as well.
9. Do You Encrypt Your Data?
Data breaches are some of the most costly attacks for insurers. Without a solution in place to encrypt your devices, something as simple as a laptop with sensitive information on it being stolen from a car while you’re grabbing your morning latte can turn into a major incident. If you encrypt your data, this can be the difference between the loss of a laptop and a reportable incident. You’ll also want to understand what protections are in place for encrypting your data in transit (moving from place to place) and data at rest (such as storage and backup locations).
Additional Cybersecurity Insurance Application Tips
We often help our clients answer vendor due diligence and cyber insurance questionnaires because they can be, quite frankly, a lot of work, requiring a bit of technical expertise. But the reality is that we can’t blame insurers; they are just trying to make sure the companies they provide policies for have the cybersecurity basics in place. The items mentioned in this blog post are not a full list of what cyber insurance companies will be looking for, but they are a good start. All of these items should be considered for your environment regardless, as a best practice to reduce your risk.
There are a few items in the list that are more difficult to add than others, especially for small to midsize businesses that don’t have a chief information officer (CIO) or a chief information security officer (CISO). If you need to add a few cybersecurity best practices quickly, we offer IT consulting services to make it easier for SMBs to access advanced IT skills.