Top Questions to Ask a Prospective Cyber Insurance Provider

With all of the data that organizations produce, collect, and store, the digital space is rapidly becoming a playground for cyberattackers. PwC reports cyber crime costs the global economy $400 billion annually, and that number keeps rising. To mitigate these risks, business have the option to purchase cyber insurance, sometimes called cyber liability insurance coverage

If you’re thinking about investing in cyber insurance—and you should be—here are ten questions you should ask your prospective cyber insurance provider.


  1. What types of incidents are covered?

There is no underwriting standard for cyber insurance so it’s important to understand exactly what is covered by a prospective policy. Most cover first party damages (that your company incurs directly, like fines or data recovery costs) as well as third party damages (that affect your customers or partners who may hold your company accountable). The information should be reviewed by legal experts to make sure it meets your expectations.

  1. Are there any types of incidents that are specifically excluded from coverage?

Some companies will exclude certain incidents from coverage if they’re deemed risky from the beginning. For example, a breach stemming from an unencrypted smartphone in an office with a bring-your-own-device (BYOD) policy might not be covered. What about coverage if you don’t have a BYOD policy in place? Important considerations to be aware of in today’s world, where BYOD is a reality, no matter what the size of your organization.

  1. Are there any regional restrictions on the policy?

If you have offices in multiple regions and countries, ensure you know if there are any regional restrictions on the policies you’re reviewing. For example, if you conduct business in another country and suffer a breach stemming from that outside location, are you still covered? What about if an employee is traveling in another country using an unencrypted personal device and a breach occurs? Even if your business doesn’t fall into that global category, it’s still important to know the territory limitations placed on your policy and plan accordingly.

  1. How long after a breach occurs do you have to report it without losing coverage?

Many cyber attacks can take a significant amount of time to uncover. Explore the reporting timeframe for the policies you are considering, and perhaps also consider the sometimes-available extended reporting option that’s offered on many policies if you feel late discoveries might present a problem.

  1. After reporting a cyber attack, how quickly does the provider respond?

Just like you have a responsibility to report a breach in a timely manner, your insurer should be contractually obligated to act quickly, as well. Check out each prospective providers’ minimum down time period. If 24 hours or longer, factor that into your decision-making process.

  1. Is the provider knowledgeable about your industry?

Some industries have very specific data compliance rules (healthcare, for instance). Be sure the providers you are considering understand the data handling rules of your particular industry before continuing with them.

  1. What is the cost?

As with any insurance purchase, cost is an important factor, but not the only factor. The old adage that you get what you pay for is also important to keep in mind as you explore potential vendors. Make sure you’re comparing apples to apples and have covered all your bases. It’s also smart to explore whether there are additional data security steps your organization can take internally to reduce your cyber insurance premium and, more importantly, better protect your organization.

  1. If a breach occurs, how does that affect your premium?

If you make a claim, understand the impact a claim will have on future premiums. For example, there might be an instance where making a claim on a small breach might actually not be the best option, so be aware of the premium structure.

  1. How flexible is the provider in terms of modifying coverage to meet evolving threats?

Technology moves quickly, and a good cyber insurance policy should be built around that truth. The business of insuring against data security is still young and evolving, so it’s smart to work with a vendor that is adaptable. As part of your vendor vetting process, ask about the identification of additional risks and whether it’s possible to amend a policy, and the processes involved. Better to know up front than to be stuck with something that doesn’t quite provide all the coverage you need.

  1. Does the provider require you to comply with any specific compliance or audit obligations?

To keep your policy current, most cyber insurance providers require a regular audit or compliance review. Make sure the audit process that a prospective vendor requires isn’t too onerous and, if possible, request an independent expert to perform the audit for maximum transparency.

Operating a business of any size today without having cyber insurance is a risky proposition. Choosing a provider, however, isn’t a process you should take lightly. Make sure you vet prospective insurers by asking the right questions.

It is important to note that MicroAge is not an insurance expert. We highly recommend speaking with an insurance expert to get appropriate advice. MicroAge can help you gather the information and align your technology to get the best cyber insurance for your business. Contact your local MicroAge today.