Cyber insurance is a crucial tool housing organizations should consider leveraging to hedge against increasing cyber-related risks such as ransomware, business email compromise, and data breaches.
However, when applying for cyber insurance, it's important to be aware of certain red flags that may raise concerns for insurers. In this article, we’ll walk you through the red flags to watch out for when filling out a cybersecurity insurance application. Before we do that, here’s a brief introduction to cyber insurance and why it’s so critical in today's technology-first world.
You might ask yourself why your agency needs cyber insurance if it invests in robust cybersecurity features. Cyber insurance is necessary because there’s no way to mitigate cyber risk completely—even the most hardened cybersecurity defenses can fall victim to human error. Organizations that don’t take proactive cybersecurity measures are even more vulnerable to a cyberattack.
Cybercriminals specialize in social engineering, a method of manipulating people into divulging sensitive information or performing an action not in their best interest. Cyberattacks often start with an unsuspecting employee who clicks on an email attachment or link that contains malware, a type of software that cybercriminals use to exploit computer systems and networks, said Angel Fear, a regional manager with HAI Group's Account Services team.
“In the event of a cyberattack, a cyber insurance policy can do more than cover first- and third-party financial losses stemming from the incident,” Fear said. “Most policies include access to timely services to help investigate and repair vulnerabilities, manage public relations efforts, and provide legally required notifications to individuals impacted by a data breach.”
HAI Group no longer offers a master cyber liability policy to its members and doesn't sell cyber insurance directly, but can assist members in finding a standalone policy through a network of vetted partners.
"We offer a single cyber insurance application that we can send to multiple cyber carrier partners on your behalf," Fear said.
While reviewing applications with members, Fear said that she encounters many of the same red flags that, if not remedied, can lead to limited or declined cyber insurance coverage.
Here are some common red flags to watch out for when filling out a cybersecurity insurance application. Note that screenshots of actual questions are included below to provide context. Fear said some questions could appear technical to those who don't work in information technology.
"Always consult your IT department when completing a cyber application," she added. "Some questions can be confusing, and if your answer is misstated, it could lead to your application being declined."
1. Data encryption
Encrypted data is coded into an unreadable format that can only be deciphered by someone with the correct key or password to unlock it. Encryption is considered a best practice to protect sensitive information.
Cyber insurance applications may refer to data "at rest," a technical term for data stored or saved in a particular location or medium, such as a hard drive or a server database. At-rest data isn't being actively transmitted or processed; it is being stored for future use. An example is the personal resident data that your housing organization maintains and stores on a server. This type of data is vulnerable to theft, loss, or unauthorized access and should always be encrypted.
2. Multi-factor authentication
Multi-factor authentication (MFA) is a security measure that requires two or more forms of authentication to verify a user's identity, making it more difficult for attackers to gain unauthorized access to systems. Fear said that most cyber insurance carriers require that MFA be in place before a policy can even be seriously considered.
Before you apply for cyber insurance, consider implementing MFA on all of your organization's critical systems.
3. Vendor/supplier bank account verification
A common phishing scheme involves cybercriminals posing as vendors and sending fake invoices to a housing organization.
"Without verification, you might not have the right address or bank account information for the vendor," Fear said. "It could be phishing."
Verifying vendor and supplier bank accounts before they're added to the organization's accounts payable system ensures there are checks and balances in the event an employee is tricked into submitting a fake invoice.
4. Backup and failover testing
A backup system creates and stores copies of data to protect against loss or corruption. Backing up data is an essential component of data management and disaster recovery planning.
The second question in this section of the application refers to a "full failover," a process in which a system automatically switches to a backup or redundant system in the event of a failure or disruption. Failover systems are designed to provide continuous availability of critical applications and services.
Testing backup and failover systems is critical to ensure data integrity and recoverability and helps identify potential issues. Fear said that insurers view the lack of testing as a liability because if a backup fails when needed, the organization may have no choice but to cave to the demands of cybercriminals or face the costly financial and reputational repercussions of a data leak.
5. Incident response plan
Insurers are likely to be wary of businesses that don't have a formal incident response plan in place. This may indicate a lack of preparedness for a cyberattack or data breach, which could make the business more vulnerable to attacks, Fear said.
If your organization doesn't have an incident response plan, consider developing one before applying for cyber insurance.
6. Recovery time objective
Business interruption costs can add up quickly if critical systems remain down for an elongated period. Fear said organizations should strive to recover critical systems, applications, and processes in less than three days.
Any recovery timeline beyond three days could put your organization's cyber insurance application at risk.
7. Previous cyber incidents
If your organization has experienced previous cyber incidents or data breaches, this may raise concerns for insurers.
It's important to be transparent about any previous incidents, but also to show that steps have been taken to address the issues and prevent them from happening again, Fear explained.
8. Incomplete or inaccurate information
As one might expect, providing incomplete or inaccurate information on a cyber insurance application can raise red flags for insurers. It's important to be as thorough and accurate as possible when filling out the application, and to ensure that all information is up-to-date.
If it comes to light that information provided in an application is false, it could lead to the claim being denied, Fear said.
9. Lack of employee training
Insurers may also be concerned about businesses that don't provide regular cybersecurity training for their employees. Without proper training, employees may be more susceptible to phishing scams and other cyberattacks, which could put the organization at risk.
10. Use of outdated software
Using outdated software or failing to apply software patches in a timely manner can also be a red flag for insurers. Outdated software may have vulnerabilities that hackers can exploit, which could lead to a data breach or other cyber incident.
11. Poor password management
Finally, poor password management can also be a red flag for insurers. Using weak or easily guessable passwords, sharing passwords, or failing to change passwords regularly can all increase the risk of a cyber incident.
When applying for cyber insurance, it's important to be aware of these red flags and to take steps to address any concerns that may arise.
"By demonstrating a strong commitment to cybersecurity and taking proactive steps to prevent cyber incidents, organizations can increase their chances of being approved for cyber insurance and minimize their risk of financial losses and reputational damage in the event of a cyber incident," Fear said.
Interested in a cyber insurance policy? Contact your HAI Group account executive and include your organization's executive director and IT team member in the meeting. Your HAI Group account executive can talk through the application process and coverage scenarios and answer any questions you might have.
This article is for general information only. HAI Group makes no representation or warranty about the accuracy or applicability of this information for any particular use or circumstance. Your use of this information is at your own discretion and risk. HAI Group and any author or contributor identified herein assume no responsibility for your use of this information. You should consult with your attorney or subject matter advisor before adopting any risk management strategy or policy.