IT Due Diligence Guide

Make an informed technology company investment.


Feb 27 2018

The Value of Insurance Applications in IT Due Diligence

Most businesses maintain some form of general liability insurance. Increasingly, companies are also purchasing specialty policies covering cyber liability and Health Insurance Portability and Accountability Act (HIPAA) exposure. These policies can protect companies against the potentially high cost of mitigating a data breach or other hacking incident.

For several reasons, the applications for such policies can be extraordinarily helpful when performing IT due diligence on a target company. Request every insurance application of this kind completed in the past three years, regardless of whether it was ultimately submitted for coverage, and regardless of whether coverage was approved or denied.

First, the answers on the applications themselves are often enlightening in terms of identifying potential risks. After all, the purpose of the policy is to protect against risks, so insurance companies do their best to identify them via the applications.

Companies applying for insurance will typically need to disclose and discuss:

  • High-risk data being stored (medical records, credit card information, etc.)
  • How many such records are stored, and how and where they are stored
  • Whether they are in compliance with industry standards and regulations such as PCI DSS and HIPAA
  • Security risks related to staffing (hiring practices, background checks, access controls, etc.)
  • Whether any security audits have been performed on the company and the results of such audits
  • Details on backup and recovery plans
  • The presence of written policies and procedures related to security
  • Network security protections in place
  • History of any data breaches or cyber attacks

Obviously, these answers are useful in IT due diligence. They can serve as the jumping-off point for further conversations and investigation. One should also compare the answers received on the IT due diligence checklist to the answers on the insurance application. If they differ, it’s necessary to understand whether something has changed since the application was completed or whether the IT due diligence response was inaccurate or incomplete.

Next, whether the policy was ultimately approved or denied is an informative data point. If the policy was denied, it’s imperative to understand why. If there was a risk deemed to be so substantial as to make the target company uninsurable from a cyber liability standpoint, you must be confident that any related deficiencies have since been remedied. You should also check with the acquiring company’s cyber insurance carrier to understand their application process. Will a recent coverage denial impact the ability to cover the target company if it’s acquired?

Finally, the answers on the insurance application for any cyber liability coverage currently in place for the target company should be compared to the information uncovered during IT due diligence. Many insurance carriers write the policy on the condition that the information on the application is accurate and that the insured is following industry best practices related to IT security. If IT due diligence determines that either of these conditions is untrue, then the coverage should be considered questionable, and the legal due diligence team should be alerted and consulted.

Many aspects of technology due diligence described in the IT Due Diligence Guide lend themselves to a "belt and suspenders" approach – gather information from various sources and look for discrepancies that help to identify and mitigate IT risks. Reviewing cyber liability insurance policy applications can be a great resource for comparative information in this process.

Written by Jim Hoffman · Categorized: Blog

Learn More About the IT Due Diligence Guide

Learn how to properly conduct an IT due diligence project with the IT Due Diligence Guide.

The book provides a detailed explanation of each question on the IT due diligence checklist – why it’s important and what the potential answers can tell you about your acquisition target.

Even more importantly, it explains the right follow-up questions to ask to get the detailed information you need. It also includes questions not on the checklist that should be asked only in person – these can be vital.

It also includes an IT due diligence report template to help you create a due diligence report in a format that will be useful to financial executives, and an IT implementation plan template to get you started on the post-due diligence phase of the deal.

A sample chapter and other supporting content are available, along with the option to purchase the IT Due Diligence Guide.


© Copyright 2012-2020 Alzhan Development LLC. All rights reserved.