Many times, you're asked what is the actual application process for cyber liability insurance. Today, we're going to go over a typical application. Now, this is a paper version of it, but it gives you an example of what the questions are, what information you will need to come up with in advance of that, and also what are the types of things that a typical cyber liability insurance policy underwriting is going to ask. Now, every insurance company is different; this is just an example, so you may find that there may be other information data needed. But this will give you a good idea of a cyber liability application process for an insurance policy.
First of all, it's going to ask you who is the named insured. So what is the name of the company? You want to use the official formal company name—XYZ Corp, LLC—whatever is on your corporate documents. That's the name you want to use. If you have a website, which presumably you would if you're getting cyber insurance, put your website names here. Notice it says "website domains" with a plural "s." If you have more than one website, you want to include all of them because you want to cover all of your digital assets. So, if you have XYZCorpLLC.com, XYZCorpSalesLLC.com, and XYZCorpMail.com, you want to make sure you have all of your domains listed. Companies often use separate domains for customer-facing sites, internal systems, VPN access, or mail. Make sure you list all your domains because that's what's going into the underwriting.
Your physical address, city, and state—that's pretty standard. The reason why you want to put all your digital assets down is because part of underwriting for most modern insurtech insurance companies is going to be pinging and looking at your digital assets to see what your risk profile is. If all your assets are listed, they can give you an idea of what your risk factors are so you can mitigate them, and also see how that's going to fit into your policy.
Next is what your industry is. Are you in the publishing industry? Are you in manufacturing? Are you in the legal industry? If you have an NIC code, you can put that there, or just the name of the industry. How many employees? That's important. What's your revenue expected over the next 12 months? You're going to put projected gross profit on that revenue. So if you have, let's say, a two-million-dollar revenue and a 20% profit margin, you would put in $400,000 into the gross profit.
Then, it's going to ask you a lot of yes-and-no questions. Within the last three years, has the named insured suffered any cyber incidents resulting in a claim in excess of $25,000? Yes or no? For any question where you answer yes, or where the answer is otherwise unfavorable, you're going to have to put an explanation. Explain the cyber incidents and/or claims. Is the named insured aware of any circumstances that could give rise to a claim? Yes or no? That's important. If the reason you're looking for cyber insurance is because you've had a hacking event or a data loss, you want to put that down there. This ensures that, first of all, you're not going to be excluded from coverage for all events because you didn't disclose it, but also, you may get some mitigation suggestions to keep any exclusions from spreading into other areas of your business.
For example, question three asks: Does the named insured implement encryption on laptops, desktops, and other portable media? Yes or no? Sometimes, you may see "sometimes." They're asking you if you use encryption on your devices. This is going to affect, first of all, your eligibility, but also probably your rate.
Does the insured collect, process, store, transmit, or have access to payment card information? Meaning, do you process credit cards? PCI (Payment Card Information) is credit cards. Personally Identifiable Information (PII) means, for example, you collect driver's licenses. Do you collect other customer data or PHI, which is private health information about people's medical records, for anyone other than employees? This applies to customers, vendors, or clients—anyone other than employees. Yes or no? If yes, what is the estimated volume of payment card transactions? If you take credit cards and process them, what is your volume? No records, fewer than 100,000, up to over a million? What about personal or health information? How many records do you have access to? The same scale applies: fewer than 100,000, over a million, and anywhere in between.
It's important to have those volume numbers because they will change your eligibility and rate. They will also determine what mitigation or prevention measures the insurance company will likely suggest or even require to ensure that you are following their standards.
Next question: Does the named insured maintain at least weekly backups of all sensitive or otherwise critical data and all business systems offline or on a separate network? This is a long-winded way of asking: Do you have a backup copy of important data, software, and programs on a separate network, off-site, or in the cloud? Yes or no, or N/A?
Does the named insured require a secondary means of communication to validate transfers in excess of $25,000? This means if you're moving money, paying a bill or an invoice, uploading payroll, doing a wire transfer—any type of money transfer exceeding $25,000—do you require a second, independent confirmation? If your CEO calls the bank and says, "Hey, send $25,000 to XYZ Corp," does it require secondary validation through a different channel? This question is a clue—it tells you this is an important factor in getting insurance. If you say no, they may still sell you insurance, but they might require you to implement this protocol first. These questions serve as guidelines for best practices.
Next question changes gears: Within the last three years, has the named insured been subject to any complaints concerning website content, advertising, social media, or other publications? This relates to copyright infringement, ADA compliance, or other legal issues. Has a regulatory agency, consumer, or any other party flagged problematic content?
Does the named insured enforce procedures to remove content that may infringe or violate intellectual property or privacy rights? If someone claims you are copying their content or violating privacy rights, do you have a policy to review and take action if necessary? Again, this is a clue to what insurers expect from you.
Now, we move to the next page. All questions on page one must be completed for both standalone cyber insurance and Technology Errors & Omissions (E&O) coverage. The following questions are required only for technology E&O coverage.
Please describe the company's use of technology in delivering its product or services. This is an open-ended question—provide as much information as you can.
Within the last three years, has the named insured been subject to a dispute or claim arising from a technology error in excess of $25,000? Did a program, system, or computer error cause financial damage exceeding $25,000?
Next, a series of questions about high-risk industries: Are you operating as a managed service provider, or does the named insured participate in or sell technology designed for cryptocurrency, cannabis, IoT, financial services, healthcare, blockchain, automotive, aviation, military, gambling, payment processing, adult entertainment, point-of-sale software, or professional services? These industries have higher risks of hacking, fraud, or loss, so insurers want to know if you are involved.
How often are the named insured's services provided by written agreement or contract? Do you provide services via verbal agreement, online transactions, or written contracts? It asks for a percentage—100%, 50%, or 0%.
Finally, identify the standard risk-mitigating clauses or methods contained within your contracts. Common clauses include customer acceptance, sign-off, and disclaimer of warranties. If you check any "I agree to terms and conditions" boxes when purchasing online, you are engaging with similar legal protections.