The “cyber insurance” checklist before signing – 12 questions to ask your insurer/broker
Introduction
For an SME in French-speaking Switzerland, taking out cyber insurance is more than just accepting a sales proposal: it's a strategic decision that impacts business continuity, cost control, and digital risk management. A policy may seem comprehensive on paper, but without targeted questions, you could discover areas of uncertainty (high deductibles, poorly understood exclusions, imposed providers) precisely when you need them most. This checklist aims to clarify what you need to document, understand, and discuss with your insurer or broker before signing.
The main keyword "cyber insurance checklist" guides this content. You will find clear questions to ask, methodological guidelines for evaluating answers, common mistakes to avoid, and an approach focused on management and decision-making.
1. Understanding the coverage offered
1.1 What guarantees are actually included?
Cyber insurance typically covers the costs associated with a cyberattack: data recovery, business interruption losses, third-party liability, and legal fees. Coverage varies depending on the insurer and the policy. For example, some policies explicitly mention these elements: data recovery, business interruption losses, and liability claims from customers or partners.
To be documented: explicit list of guarantees with references to the clauses of the General Conditions of Insurance (GCI).
1.2 What is not covered (exclusions)?
Exclusions can turn an attractive policy into protection with gaps: intentional acts, failure to comply with security prerequisites, certain forms of ransomware, legal fines, etc.
Specific questions:
• List of the main exclusions with exact references in the General Terms and Conditions.
• Specific exclusion in case of non-compliance with required security measures (MFA, regular backups, incident response plan).
2. Evaluate the financial parameters
2.1 What are the deductibles for each type of guarantee?
Deductibles (the portion that the company pays before the insurance comes into play) can vary depending on the nature of the claim (ransomware, business interruption, civil liability).
Specific questions:
• Deductible applied for a ransomware attack.
• Deductible for computer business interruption.
• Is there a different deductible depending on the type of service provided (legal vs. data recovery)?
2.2 Are there any coverage limits per claim or per year?
A significant cap can limit coverage for serious incidents.
Specific questions:
• Ceilings by type of guarantee.
• Overall annual ceiling.
• Procedures for reinstating limits after a claim.
3. Service providers and claims management
3.1 Mandatory service providers or free choice?
Some insurance companies require working with approved service providers (forensic experts, lawyers, negotiators). This is an important point to clarify in order to plan the response to a claim.
Specific questions:
• List of approved service providers.
• Conditions for using service providers outside the list.
• Impact on coverage if an unauthorized provider is used.
3.2 What is the claims management process?
Claims management is crucial for the speed of business recovery. Check response times, key contacts, 24/7 hotline availability, and SLAs (Service Level Agreements).
Specific questions:
• Time frame for processing after notification.
• Contact details and availability of 24/7 support.
• Formalized steps from declaration through expert assessment, intervention and compensation.
4. Specific deadlines and conditions
4.1 Waiting periods or deferral periods
Some contracts stipulate waiting periods before coverage takes effect.
Specific questions:
• Is there a waiting period for certain guarantees?
• Are events that occurred just before the signing excluded?
4.2 Conditions for renewal and review of premiums
With the evolving cyber risk profile, insurers can adjust premiums or renewal conditions.
Specific questions:
• Frequency of premium review.
• Criteria that may justify a change in the terms of renewal.
5. Coverage Specifics
5.1 Ransomware and cyber-extortion
Coverage for ransoms and negotiation interventions is a key point: some policies cover these costs under strict conditions.
Specific questions:
• Is the payment of ransoms covered?
• Prerequisites (e.g., forensic intervention) for paying a ransom.
5.2 Business interruption due to a cyberattack
Business interruption insurance related to an IT incident is often one of the most strategic guarantees, but it relies on prior documentation of the company's revenues.
Specific questions:
• Method for calculating operating loss.
• Documents required to justify the losses (revenue, historical margins).
6. Documentation and compliance
Box – What you need to document before signing
• Extract from the General Conditions of Insurance (GCI) for each clause answered.
• History of previous cyber incidents.
• List of IT service providers, backups and continuity plans.
• Security measures in place (MFA, response plan).
Practical scenarios
Case study 1: SMEs without an internal IT team
A small service company discovers a vulnerability exploited by ransomware. Lacking an in-house service provider, it is entirely dependent on experts listed by its insurer. Clarifying approved providers and response times beforehand helps minimize business interruption and optimize the use of the insurance coverage.
Case study 2: Incident with third-party liability
Following a customer data breach, an SME is facing claims. Before signing, the issue of the coverage limit for cyber liability and the associated legal assistance (including attorney fees) must be resolved.
Guidelines and actionable checklist
| Key area | Typical question | Documents to request |
|---|---|---|
| Coverage | Included guarantees | GCI extract |
| Exclusions | Detailed exclusions | List of exclusion clauses |
| Financial | Deductibles | Deductible table |
| Ceilings | Limits per claim/year | Limit conditions |
| Service providers | Free choice / mandated providers | List of approved service providers |
| Claims | Process & deadlines | SLA, hotline |
| Conditions | Waiting periods & renewal | Term schedule |
| Specifics | Ransomware, business interruption | Dedicated clauses |
Common mistakes and how to avoid them
Mistake 1: Signing without checking the detailed exclusions
Coverage that appears comprehensive may exclude critical cases. Request a copy of the exclusion clauses.
Mistake 2: Neglecting mandated service providers
If the insurer imposes specific service providers, this can delay the response. Clarify this beforehand.
Mistake 3: Forgetting the renewal conditions
Premiums and limits may change upon renewal: document these conditions.
Mistake 4: Failure to prepare the required documentation
Without clear data on your income or backups, a claim may be rejected.
Questions to ask your insurer/broker
1. What specific guarantees are included in the policy?
2. What is the complete list of exclusions?
3. What deductibles apply for each type of claim?
4. What are the coverage limits per claim and per year?
5. Are there any mandatory service providers for the intervention?
6. What is the claims handling process and the associated timeframes?
7. Are there any waiting periods before certain guarantees take effect?
8. How is cyber business interruption loss calculated?
9. Does the policy include legal assistance and defense costs?
10. What conditions apply to the renewal and revision of premiums?
11. (Bonus) What internal security measures must be documented to validate coverage?
12. (Bonus) How does insurance help with regulatory requests or mandatory notifications after an incident?
Conclusion
A structured cyber insurance checklist helps you guide the decision-making phase with rigor and clarity. By asking these specific questions to your insurer or broker, you transform the underwriting process into a risk governance initiative. Document the answers, integrate them into your risk management plan, and align them with your internal controls. The next step is to incorporate these elements into your portfolio audit to address any identified gaps.