All policies have a set of exclusions, terms and definitions. Understanding these is important, so here are some additional questions to consider:
- What security controls can you put into place that will reduce the premium?
- Will you have to undertake a security risk review of some sort?
- What is expected of you to reduce or limit the risks?
- Will you get a reduction for each year you do not claim?
- What assistance is provided to improve information governance and information security?
- What difference, and how big a difference, will a claim make to your future premiums?
- What support, if any, will be provided to assist in making the right security decisions for the industry / business you are in?
- The security / protection industry changes very quickly; how can the insurer ensure that your policy stays current?
- Do all portable media/computing devices need to be encrypted?
- What about unencrypted media in the care or control of your third-party processors?
- Are malicious acts by employees covered?
- Will you have to provide evidence of compliance to existing Data Protection Principles, in relation to your actual processing, to prove you were not acting disproportionately?
- Although ignorance of the law is no excuse, we are simply not able to keep up with every compliance issue that may affect all the territories our company operates in. Because insurance policies often stipulate that you must not be breaking the law, would you refuse a claim if we were processing data in a way that may contravene the law in one country but not in another?
- What if there is uncertainty around whether the incident took place a day before the cover was in place or on the day?
- Are the limits for expenses grouped together in such a way that the maximum covered amount is likely to be reached very quickly unless you increase the cover?
- Are all and any court attendances to defend claims from others covered?
- Could you claim if you were not able to detect an intrusion until several months or years had elapsed, so that you are now outside the period of cover (as with the Red October malware, which was discovered after about five years)?