Small Business Cyber Insurance – Will You Even Qualify?
You cannot turn on the TV or social media without noticing that cybercrime is big business these days.
Especially during the pandemic, we have seen a massive rise in ransomware specifically. Some cybersecurity experts see a trend toward cyber insurance actually being part of the problem, because nowadays many companies simply opt to pay the ransom instead of restoring their data and moving on. This fuels the bad guys even more.
Ransomware Keeps Evolving
Additionally, ransomware has evolved in the past few years. Some ransomware does more than just lock up your data: it actually steals it and will publish your database if you don’t pay.
This has sparked a surge in companies wanting to enhance their insurance policies with cyber breach insurance. For many years it was hard for insurance companies to know how to rate small businesses for cyber breach insurance because cybercrime had not been around for that long.
Increased risk - insurance companies need customers to do more
However, it is becoming really clear that we have a big problem with data theft, ransomware, and business email compromise scams, and obviously insurance companies want to make sure that their customers are doing the proper things to protect data so that they do not have to pay out claims.
I guess you can liken it to when cars were first built: people then understood that there would need to be standards for the rules of the road. Next came the need for insurance, to make sure that everyone would be repaid should an accident occur.
When you look at the business world and the use of computers, it is very similar. We all have computers. We use them in every corner of our lives. We need to know how to protect them, and we need to know how to prevent cybercrime. But we also need the safety net of insurance.
But what is this going to look like going forward? I have been consulting with a number of companies and healthcare providers. When their policies have come up for renewal, or when they have been seeking cyber insurance for the first time, it’s been eye-opening lately. And boy, oh boy, what a list of questions they have nowadays compared to even just a few years ago.
New screening questions outline higher expectations for protective measures
Below is a sample of the types of questions that will be asked, and an indicator of the type of cyber security protections you are expected to have in place. This sets the new standard for cybersecurity prevention.
The expectations are the same for small businesses and larger organizations alike. The problem still remains that small businesses often do not have the resources to facilitate all of the items on this list. Many people won’t even understand it. Heck, I’ve even had 2 IT companies call me to ask about half the stuff on the list!
You're going to need formal policies
Network Security and Privacy & Breach Coverages Sample Questions
- Does the Applicant have a Chief Privacy Officer, or Chief Information Officer, who has responsibility for meeting worldwide obligations under privacy/data protection laws? Yes / No
  - If No, provide details on who is responsible for security and privacy:
- Do these policies and procedures comply with laws governing the handling and/or disclosure of such information? Yes / No
When was your last security audit?
4. Does the Applicant perform security audits to ensure compliance with the security policy? Yes / No
   - If Yes: who performs the audits?
   - Frequency of audits:
5. Are recommendations always followed? Yes / No
Anyone touching data needs training to understand how to protect it
6. Are all employees trained in security & privacy policies with documentation of training? Yes / No
7. Does the Applicant employ electronic information gathering techniques (cookies)? Yes / No
8. Does the Applicant’s website display a privacy disclosure statement? Yes / No
9. Does the Applicant collect, process, or maintain personal information as part of business activities including collecting over a website? Yes / No
11. Indicate the types of private and sensitive information that the Applicant receives, stores, uses or processes:
    - Financial account payment information:
      - Credit card or debit account number: Yes / No
      - Chequing, banking or automated clearing house information: Yes / No
      - Financial data: Yes / No
    - Government issued identification information: Yes / No
    - Name, address, contact information: Yes / No
    - Medical or health related information: Yes / No
    - Information on children who use the Applicant’s website: Yes / No
      - If yes, are there controls in place to obtain parental permission? Yes / No
    - Trade secrets or intellectual property information: Yes / No
    - Third party corporate information: Yes / No
12. Provide the number of records maintained by the Applicant containing the information noted in (c) above:
    - 0-5,000
    - 5,000-10,000
    - 10,000-25,000
    - 25,000-50,000
    - 50,000-100,000
    - If above 100,000, provide amount:
13. What percentage of these individuals live in Canada?
14. Is any personal or private information gathered from customers or users, sold, disclosed, or distributed to any third party? Yes / No
15. If yes, is prior permission obtained from the customers or clients? Yes / No
16. Is employee access to personally identifiable or sensitive information:
- On a business need-to-know basis? Yes / No
- Terminated immediately when an employee exits the company? Yes / No
17. Are third party vendors provided private or sensitive information? Yes / No
If yes, is there a review completed of the third-party vendor’s information security plan? Yes / No
18. Describe the technology used by the Applicant for the following:
19. If the Applicant accepts credit or payment card transactions for the payment of goods or services, is the Applicant compliant with applicable data transaction compliance standards (i.e., Payment Card Industry Data Security Standard compliance)? Yes / No
20. Does the Applicant have access control procedures and hard drive encryption to prevent unauthorized exposure of data on all laptops, PDAs, smartphones (e.g., BlackBerry) and home-based personal computers? Yes / No
21. Does the Applicant encrypt all sensitive and confidential information:
- That is physically removed from the premises by tape, disk, hard drive or other means? Yes / No
- That is stored on the Applicant’s databases, servers, or individual files? Yes / No
- That is transmitted within and from your organization? Yes / No
22. Does the Applicant ensure that all wireless networks have protected access? Yes / No
23. Does the Applicant have a document / e-mail retention and destruction policy? Yes / No
24. Does the Applicant enforce a software update process, including patches and anti-virus software? Yes / No
25. How frequently are computer systems and data backups performed?
26. Are backups stored off-site in a secure location? Yes / No
27. Describe all security breaches and privacy complaints or violations that have occurred in the last 5 years:
28. Describe preventive measures taken to avoid future security breaches or privacy violations:
29. Are any of the following network system functions outsourced to a third party?
- Hosting Facility Yes / No
- Co-location Facility Yes / No
- Managed Security Services Provider Yes / No
- Data Storage Facility Yes / No
- Other (provide details):
If yes, provide details:
When you go through this cyber insurance checklist you will likely feel overwhelmed. Most people are. I think that it is helpful regardless as it helps people see, plan, and budget for what the standards of data safeguarding should be.
I’m in the business of protecting people just like you from cyber crime, scams and data loss. Reach out to me so we can discuss how to get you some peace of mind for your business.