Cyber insurance application forms can give companies a “good understanding” of how well prepared they are to deal with an information security-related loss, speakers said Thursday at the International Cyber Risk Management Conference in Toronto.
“We have seen clients stop right in the middle of the application process and say, ‘You know what? We are not ready to buy cyber insurance yet – we have got to do a few things to make ourselves a better risk,’” said Brian Rosenbaum, Aon Canada Inc.’s senior vice president and national cyber and privacy practice leader.
Rosenbaum was a panelist at an ICRMC session titled Resilience: What’s Insurance Got To Do With It?
“Just filling out the application form and going through the procurement process to buy insurance is a pretty good [information security] health check,” Rosenbaum said. He suggested Aon brokers in Canada get calls from clients saying things like “I don’t know how to answer this question on the application, because [for example] we are partially encrypted, we are doing this, we are doing that.”
So the cyber insurer’s application form is a “wake up call” for clients, added Rosenbaum.
“Because if the underwriter is asking these questions, obviously they are relevant to our risk,” Rosenbaum said.
Also on Thursday’s panel was Ruby Rai, manager, cyber and professional liability for American International Group Inc.’s Canadian branch.
As much as insurance buyers may dislike filling out insurance application forms, they do cause people to learn about their cyber risks by promoting internal communication with members across the insured company, said Rai. For example, to answer a question on the form about how the organization is handling data, a risk manager may need to consult with the chief information officer or chief security officer.
Applications for cyber insurance ask prospective clients about corporate governance, security control, employee training, compliance with regulations, and their understanding of the data environment, Rai noted.
So, by answering questions on a cyber application form, a risk manager is “left with a good understanding” of how well the organization is doing in terms of information security.
The session was moderated by Greg Markell, president and CEO of Ridge Canada Solutions Inc. “What’s scarier?” he said of insurance applications. “Ticking ‘no’ on a box, or not knowing how to answer the question? That should start a wakeup call.”
Produced by MSA Research Inc., the fourth annual ICRMC wrapped up Thursday at the Metro Toronto Convention Centre.