Cyber Security Questionnaires: “This Makes No Sense”

Your insurance carrier just sent you a cybersecurity questionnaire to fill out. You may feel stressed and wonder whether you will have to hire a cybersecurity specialist to help you, and whether your insurance premiums are going to go up. While you may need help filling out the questionnaire, the answers you give are unlikely to cause your rates to increase.

Cyber Security Questionnaire – Who Answers What?

Some of the questions can be long and difficult for a layperson to understand. Below are some questions commonly seen on cyber security questionnaires. We’ve divided them up according to who is the most appropriate person to answer them.

Questions for the IT provider:

  • How often do you update your software?
  • What firewall do you have in place?
  • Do you have intrusion detection/prevention in place?
  • What measures do you have in place to protect against phishing attacks and malware?
  • Do you have an incident response plan in place?
  • How often do you change your passwords?
  • What measures do you have in place to detect, prevent, and respond to data breaches?
  • Do you have an incident response team in place?
  • Do you have a Chief Information Security Officer?

Questions for the business stakeholder:

  • Do you have a cyber insurance policy in place?
  • How often do you train your employees on cyber security?

How Can I Prepare to Fill Out the Questionnaire?

You can start by taking inventory of what cyber-security protocols and tools you have in place at your business. If you have a cyber-security specialist on staff, or have contracted with an outside firm, they will be able to help you fill out the questionnaire. If you don’t have a specialist, you can still take inventory of the tools and protocols you have in place. The inventory should contain a list of:

  • The software you use (it helps to have a Software Bill of Materials)
  • The hardware you use
  • The people who have access to your systems
  • The training you and your staff have received
  • The policies and procedures you have in place

This will give you a good starting point for filling out the questionnaire. You should also take some time to familiarize yourself with the questions. The questionnaire is designed to assess your business’s cyber-security posture and identify areas where you may be vulnerable. By taking some time to prepare, you can ensure that you are providing accurate and complete information.

What Should I Do if I Need Help Filling Out the Questionnaire?

If you need help filling out the questionnaire, your best bet is to ask your insurance carrier for help. Many insurance carriers have staff who are trained to help policyholders fill out the questionnaire. If you don’t feel comfortable asking your insurance carrier for help, you can hire a cyber-security specialist. There are many cyber-security specialists who offer their services online. You can also use an online resource, such as the Cybersecurity and Infrastructure Security Agency’s Cybersecurity Self-Assessment Tool.

It is also possible that you need the help of a software developer if the questions relate to how the software works or if there are data classification policies in place. Are you running ASP.NET software? We can help with cyber security questionnaires related to custom software developed in ASP.NET.


  • CRMs/ERPs
  • Payment Gateways
  • Accounting Systems
  • Lead Management Tools
  • Web Apps
  • Legacy Systems
  • E-Commerce Systems
  • Freight/Shipping Systems
  • Social Media
  • Email Services
