Most business maintain some form of general liability insurance. Increasingly, companies are purchasing specialty policies related to cyber liability and Health Insurance Portability and Accountability Act (HIPAA) insurance. These policies can protect companies against the potentially high cost or mitigating a data breach or other hacking incident.
For several reasons, the applications for such policies can be extraordinarily helpful when performing IT due diligence on a target company. Any application for insurance that has been completed in the past three years should be requested, regardless of whether it was ultimately submitted for coverage or not, and whether the coverage was approved or denied.
First, the answers on the applications themselves are often enlightening in terms of identifying potential risks. After all, the purpose of the policy is to protect against risks, so insurance companies do their best to identify them via the applications.
Companies applying for insurance will typically need to disclose and discuss:
- High-risk data being stored (medical records, credit card information, etc.)
- How many such records are stored, and how and where they are stored
- Whether they are in compliance with industry standards such as PCI and HIPAA
- Security risks related to staffing (hiring practices, background checks, access controls, etc.)
- Whether any security audits have been performed on the company and the results of such audits
- Details on backup and recovery plans
- The presence of written policies and procedures related to security
- Network security protections in place
- History of any data breaches or cyber attacks
Obviously, these answers are useful in IT due diligence. These can be used as the jumping-off point for further conversations and investigation. One should also compare the answers received on the IT due diligence checklist to the answers on the insurance application. If they are different, it’s necessary to understand whether something has changed since the application was completed or if the IT due diligence response was inaccurate or incomplete.
Next, whether the policy was ultimately approved or denied is an informative data point. If the policy was denied, it’s imperative to understand why. If there was a risk deemed to be so substantial as to make the target company uninsurable from a cyber liability standpoint, you must be confident that any related deficiencies have since been remedied. You should also check with the acquiring company’s cyber insurance carrier to understand their application process. Will a recent coverage denial impact the ability to cover the target company if it’s acquired?
Finally, the answers on the insurance application any cyber liability coverage in place for the target company should be compared to the information uncovered during IT due diligence. Many insurance carriers write the policy on the condition that the information on the application is accurate and that the insured is following industry best practices related to IT security. If IT due diligence determines that either of these conditions is untrue, then the coverage should be considered questionable and the legal due diligence team should be alerted and consulted.
Many aspects of technology due diligence described in the IT Due Diligence Guide lend themselves to a "belt and suspenders" approach – gather information from various sources and look for discrepancies that help to identify and mitigate IT risks. Reviewing cyber liability insurance policy applications can be a great resource for comparative information in this process.