RealTime Information Technology


Cyber Insurance Sample Questions

EXAMPLES OF QUESTIONS ON A CYBER INSURANCE APPLICATION

By Todd Swartzman, RealTime CISO

The questionnaire(s) you fill out may contain definitive questions that want a plain Yes or No answer. Not every application has the same questions: each insurer, and many insurance brokers as well, use their own questionnaire as part of the application process.

You can ask the broker to help you understand what a question is really asking, and you can add an addendum to explain your answer to any question that is not really a Yes or No for your environment. Answer accurately: a misstatement on the application can give the insurer grounds to dispute a claim later.

That policy questionnaire is an excellent (free) way to measure where your business stands on basic cybersecurity: your controls, your policies, your compliance status, and so on. If you find yourself answering "No" to many of the questions, that is your opportunity to improve your security, better protect your business, and possibly earn better cyber insurance premiums.

The questions being asked are proven steps businesses should already be taking to reduce their risks of a breach or ransomware event. 

Here I've listed some sample questions that insurers may use to qualify your business for cyber coverage (in other words, to gauge how risky YOU are to the insurer). Having these things in place also makes it less likely you will ever need to use that shiny new cyber insurance policy:

Email Security 

  1. Do you filter emails for malicious attachments or links? 

  2. Do you strictly enforce SPF on incoming emails? (In other words, are messages that fail the sending domain's SPF check rejected or quarantined, rather than only tagged?) 

  3. Do you train your email users to recognize phishing and other email based threats? 

  4. Do you use Office 365 in your organization? 

  5. If yes, do you enforce Multi-Factor Authentication for all Office 365 accounts? 

Internal Security 

  1. Do you use Endpoint protection products across your enterprise? There may be choices or a listing of common products to help answer. 

  2. Do you use multi-factor authentication? 

  3. Is it required for remote access? 

  4. Do you have a process to apply critical security patches rapidly? 

  5. Do you use web content filters to block potentially malicious content? 

  6. Do you use protective DNS services (OpenDNS, Quad9, etc.)? 

  7. Do you provide your users with password manager software? 

  8. Do you have a firewall with active security services such as Intrusion Prevention Services, malware scanning, or similar? 

Backup and Recovery Policies 

  1. Are your backups kept separate from your network (offline) or in a cloud service designed for this purpose? 

  2. Do you use a cloud syncing service (e.g. Dropbox, OneDrive, SharePoint, Google Drive) for backups? (A sync service is not a backup: files that ransomware encrypts or deletes on a workstation are synced to the cloud copy too. Insurers ask this to find out whether a sync folder is all you have.) 

  3. Have you tested the successful restoration and recovery of key server configurations and data from backup in the last 6 months? 
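Question 3 is the one most often answered "Yes" on faith. A restore test means actually bringing the data back somewhere and proving it matches what was backed up. The script below is an added example written for this page (it is not RealTime's tooling or part of the original article): it backs up a small set of constructed sample files, restores the archive into a scratch directory, and verifies every restored file against a SHA-256 manifest taken at backup time, returning a dated report you can keep as evidence. The file names, paths and contents are made up for the demonstration; point `make_backup` and `restore` at your real backup set and the offline copy of your archive, and keep the manifest with that offline copy rather than on the production host, where an attacker could alter both.

```python
"""Backup restore test (added example): back up a directory, restore it into a
scratch location, and prove every file came back intact by comparing it to a
hash manifest taken at backup time. Sample data is constructed inline so the
script runs offline; replace SAMPLE_FILES and the paths with your own."""
import hashlib
import json
import tarfile
import tempfile
from datetime import date
from pathlib import Path

# Constructed sample "server" data standing in for the configs and data you back up.
SAMPLE_FILES = {
    "etc/app.conf": b"listen=0.0.0.0:8443\nlog_level=info\n",
    "data/customers.csv": b"id,name\n1,Alice\n2,Bob\n",
    "data/blobs/archive.bin": bytes(range(256)) * 64,
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_path(archive: Path) -> Path:
    return archive.parent / (archive.name + ".manifest.json")


def make_backup(source: Path, archive: Path) -> dict:
    """Archive every file under source and store the manifest beside the archive."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    manifest_path(archive).write_text(json.dumps(manifest, indent=2))
    return manifest


def restore(archive: Path, restore_dir: Path) -> None:
    """Extract into a scratch directory, never over the production copy."""
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):  # Python 3.12+ and security backports
            tar.extractall(restore_dir, filter="data")  # refuses path traversal
        else:
            tar.extractall(restore_dir)


def verify_restore(expected: dict, restore_dir: Path) -> dict:
    """Compare restored files to the manifest; any mismatch fails the test."""
    actual = build_manifest(restore_dir)
    missing = sorted(set(expected) - set(actual))
    extra = sorted(set(actual) - set(expected))
    corrupt = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return {
        "ok": not (missing or extra or corrupt),
        "files_checked": len(expected),
        "missing": missing,
        "corrupt": corrupt,
        "extra": extra,
        "tested_on": date.today().isoformat(),  # evidence for the questionnaire
    }


def run_restore_test(tamper: bool = False) -> dict:
    """End-to-end drill on the constructed data. tamper=True corrupts one restored
    file first, to show the check really catches a bad restore."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source, archive, restore_dir = tmp / "live", tmp / "backup.tar.gz", tmp / "restored"
        for rel, content in SAMPLE_FILES.items():
            (source / rel).parent.mkdir(parents=True, exist_ok=True)
            (source / rel).write_bytes(content)
        expected = make_backup(source, archive)
        restore(archive, restore_dir)
        if tamper:
            (restore_dir / "data/customers.csv").write_bytes(b"id,name\n1,Mallory\n")
        return verify_restore(expected, restore_dir)


if __name__ == "__main__":
    print(json.dumps(run_restore_test(), indent=2))
```

Run it on a schedule (quarterly at most, to stay inside the six-month window the question sets) and file the JSON report; a restore drill that was never recorded is hard to defend when the insurer asks for proof. The `tamper=True` path is there so you can confirm the test is capable of failing before you trust a passing result.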

Other Ransomware Preventative Measures 

  1. Please describe any additional steps that your org takes to detect and prevent ransomware attacks. 

Once you purchase a policy, you still have some work to do to get the most out of it and further reduce your business risks. Every reputable underwriter offers resources their policy holders can use to shore up defenses, create policies, and train staff. Use them; after all, you are paying for them. Many offer policy samples, virtual CISO services, Incident Response Planning guides, courses on HIPAA and PCI, and awareness training content, just to name a few.