Cyber Security Red Flags For Insurance

November 22, 2009 by ADMIN

By Laton McCartney, Editor at CIOZone

Companies that offer cyber and technology risk and liability insurance typically require potential customers to fill out extensive questionnaires that measure their vulnerability.

They start with basic questions: Are you a public company? Have you been in any actual or attempted merger, acquisition or divestment within the past two years? How many employees? What percentage of your revenue is international?

From there they home in on the specific controls and safeguards you have in place to secure your data and IT infrastructure.

Here are seven areas that the insurance carriers are looking at:

The Big Picture

For starters, insurers want an overview of your Internet and electronic network ecosystem.

Here they’re gauging what percentage of your IT operations are outsourced or performed by third parties and what those specific operations (storage, hosting, back-up, business operations, analytics, CRM, HR, finance and ERP) are.

Other factors that have weight here include the amount of business you transact over the Internet or over electronic networks; the approximate number of identifiable names (customers, partners, suppliers) within your databases; and the approximate number of customers that rely on your network to do business with you.

Intellectual Property

Intellectual property likely constitutes one of your organization’s most valuable assets.

Insurers want to know if you use software to help manage and monitor your intellectual property applications.

Also, they’ll check to see if your organization secures IP protection through employee agreements and non-disclosure agreements, and through its contracts with all third parties.

If any of the above measures aren’t in place, you may be subjecting your intellectual property to potential risk.

Actual or Potential Liability Claims

Another key factor in risk assessment is your organization’s track record regarding liability claims.

Insurers will ask if you’ve had liability claims filed against your organization in the past. Also they want to know if you’re aware of any fact or circumstance which could give rise to a future claim.

Finally, they’ll ask if within the past three years any insurer has cancelled or refused to renew any cyber risk insurance, data privacy or network security insurance policy your company has had.

Network Business Interruption

Obviously a network outage can present any organization with a major headache.

If you’re applying for business interruption coverage, the insurer will want information on how long it takes you to restore operations after a computer attack or an unplanned system outage, and the amount of sales you transact online during business hours.

They’ll also check to see if you have point of sale systems that are centrally connected and ask about your average sales per hour generated from those networked point of sale systems.

One last key point: Having an alternative means of transacting business in the event of a network or Web site outage is naturally a plus.

What’s in Your Database?

“The nature of the data has an impact on the potential liability,” says Drew Bartkiewicz, vice president of cyber and new media risk at The Hartford.

In other words, the more valuable or proprietary the data, the greater your liability if there’s a data breach.

Red flags include: data of high net worth individuals; personal - or what insurers call reputational - data about consumer customers; health data of patients; and financial data of customers, subscribers and members.

Privacy

Assuming you have a privacy policy in place, insurers will want to know if you require users to actively acknowledge and accept the terms of the policy.

They’ll also inquire if the policy has been reviewed by an attorney and if you annually assess your compliance processes and employees’ practices against any regulatory data protection standards such as HIPAA.

Network Security

Having a third-party audit of your network security processes and practices is a key factor in the insurer’s review of your qualifications for network coverage.

They’ll ask you for the name of the audit firm, the date of the last assessment and the full results.

They’ll also want to know if you have network security measures and procedures in place including database monitoring and alert technologies such as automatic shutdown when irregular access is detected.

Finally, they’ll ask if you encrypt all company confidential and personally sensitive data and require that you name the encryption technologies used by your organization.

One red flag here: recent network security breaches, whether caused by an internal employee or by an outside hacker.

* * *

Laton McCartney is a former editor-in-chief of InformationWeek. He has also been a top editor at several Ziff Davis publications, including Smart Partner. Laton has written for The Washington Post, Fortune and other national publications. He is also the author of a number of books, including the best-seller “Friends in High Places: The Bechtel Story.” His latest, “The Teapot Dome Scandal: How Big Oil Bought the Harding White House and Tried to Steal the Country,” will be published in February by Random House.

CIOZone.com is the first-of-its-kind online meeting place for CIOs. It is built on a social networking foundation and combines user-generated content and expert editorial on an open source platform.

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com



Filed under: Breach, CIOZone, Cloud computing, D&O Liability, FEATURE ARTICLE, Financial, Insider Threat, Laton McCartney, Sarbanes-Oxley, Uncategorized, due diligence, hackers, identity-theft, malware, national security, privacy, virtualization 

Comments

One Comment on Cyber Security Red Flags For Insurance

uberVU - social comments on Sun, 22nd Nov 2009 10:47 pm

Social comments and analytics for this post…

This post was mentioned on Friendfeed by Anthony M. Freed: http://ping.fm/4bjW0 Cyber Security Red Flags For Insurance…
