Cyber Insurance Renewal Checklist

July 28, 2022 | By IANS Faculty
The insurance market is correcting itself after high payouts related to ransomware and similar large-scale incidents. In response, there’s more scrutiny on cyber. The bottom line: Insurers want orgs to demonstrate resilience, possess a culture of security and be vetted by objective parties. If you want to nail your renewal, you can’t just prep for a questionnaire a month ahead of time. Insurers are looking at your whole security program.   

This checklist provides a rundown of steps to take throughout the year to put yourself in the right position prior to cyber insurance renewal season. 

Key Considerations for Cyber Insurance Renewal 

Year-round cyber insurance considerations 

  • Pick a cybersecurity framework and stick with it to demonstrate progress year-over-year 
  • Engage with key stakeholders across the organization to gain buy-in, insights and perspective. 
    • Work closely with compliance, legal, risk, finance and business units to perform risk and business impact assessments 
    • Partner with management to identify, measure, and report on cyber risk associated with business expansion plans and insure accordingly 
  • Ensure you're covering the basics  
  • Work with senior leadership to make cyber visible as a priority inside the company 
    • Train executives on specific ways attackers may target them to build awareness of personal risks that may impact the business 
    • Create an ongoing security awareness program that tracks user engagement and progress to demonstrate a culture of security across lines of business 
    • Establish a consistent reporting cadence with business risk stakeholders, senior management and, if possible, the board to gain consensus on the organization’s risk posture and update on program maturity 
  • Focus on resilience; insurers want to see a company is not just secure, but resilient as well 
    • Have a response and recovery capability 
    • Show you’ve tested your systems; you’re doing tabletop exercises and you’re working your business continuity plans 
    • Use air gaps, network segmentation and zero trust to limit what attackers can do once they’re in your network 
  • Establish baseline policies and procedures in line with mitigation strategies you've communicated to insurers 
    • Use continuous auditing to ensure compliance 
    • Review your logging, documentation and reporting capabilities to ensure you can demonstrate internal compliance 

 

Ahead of cyber insurance renewal season 

  • Complete a third-party audit to verify compliance with internal and external policy requirements 
    • Alternatively, set up a third-party audit to verify compliance with internal and external policy requirements 
  • Collaborate with business stakeholders to determine risk posture 
    • Categorize risks to determine which are best mitigated through technology/process investments and which should be mitigated via insurance 
    • Consider whether the costs of a ransomware policy could be better spent improving your program 
  • Shop around; different underwriters take different approaches 
  • Make initial contact with your broker at least 90 days ahead of your renewal date 
    • Know what changes were made the previous year and speak to the remediations done to address them 
    • Learn what coverage is out there so you can determine what would be most valuable to your organization 
    • Find out what information the broker needs to advocate into the market for you 
    • Engage your underwriter to go over your company’s mitigations

During the cyber insurance renewal 

  • Work with your broker to determine the best way to pass on information 
    • Some will want reports and questionnaires, while others will prefer cross-functional meetings involving the CISO and other key stakeholders 
  • Be proactive 
    • Provide information in the questionnaire about remediations done in the past year, even if not specifically asked about them 
    • Be on the lookout for underwriters changing coverage 
    • Work with a broker who has expertise in evaluating and analyzing the language used in contracts (many different policies exist and there is no standardization of wording, especially within a blended policy) 
    • Be clear on notification requirements 
    • Modify the policy to delineate what kind of event requires notice, or whether a periodic notice of nominal events (known as a bordereau report) would better suit your organization 
    • Make sure incident response teams are aware of notification requirements, and that retained vendors, services and rates are approved by the insurer 
  • Consider paying for a legal review of the contract before signing 
    • Have a trained eye check that all contract terms, conditions and exclusions are spelled out and understood 
    • Be careful of any “clarification endorsements”: what a carrier calls a clarification endorsement is really an exclusion of coverage

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice. 

