Free CAIB 3 Practice Questions: Cyber Insurance
Practice 10 free Canadian Accredited Insurance Broker (CAIB) 3 questions on Cyber Insurance, including privacy breaches, ransomware controls, network interruption, third-party liability, and underwriting questions, with answers, explanations, and the matching Finance Prep next step.
Use this page to isolate Cyber Insurance before returning to mixed CAIB 3 practice.
Topic snapshot
| Field | Detail |
|---|---|
| Exam route | CAIB 3 |
| Issuer | Insurance Brokers Association of Canada (IBAC) |
| Topic area | Cyber Insurance |
| Blueprint weight | 14% |
| Page purpose | Focused sample questions before returning to mixed practice |
How to use this topic drill
Use this page to isolate Cyber Insurance for CAIB 3. Work through the 10 questions first, then review the explanations and return to mixed practice in Finance Prep.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 14% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
Sample questions
These are original Finance Prep practice questions aligned to this topic area. They are not official CAIB exam questions, copied live-exam content, or exam dumps. Use them for self-assessment, scope review, and deciding what to drill next.
Question 1
Topic: Cyber Insurance
A specialty food distributor asks why a cyber insurer is requesting details about customer payment data, daily online order volume, the cloud inventory platform, remote access for warehouse staff, backup testing, vendor contracts, and multifactor authentication before quoting. Which CAIB 3 cyber concept best matches the insurer’s request?
- A. Cyber underwriting risk profile
- B. Marine cargo accumulation exposure
- C. Crime policy discovery period
- D. Directors and officers continuity date
Best answer: A
What this tests: Cyber Insurance
Explanation: Cyber underwriting focuses on the client’s exposure profile and control environment. The type of data handled, transaction volume, remote access, backup quality, outsourced platforms, vendor dependence, and security controls all affect how likely a cyber incident is and how severe it could be. Outsourcing IT or using cloud systems does not remove the exposure; it changes the facts the underwriter needs to evaluate. Strong controls such as multifactor authentication, tested backups, vendor oversight, patching, and incident-response planning can improve the risk presentation, while high-volume transactions, sensitive data, weak remote access, or untested backups can make the account harder to place or affect pricing, limits, retentions, and conditions.
- A crime policy discovery period concerns when a crime loss is discovered, not how cyber exposures are evaluated before quoting.
- Marine cargo accumulation exposure relates to goods in transit or concentrated cargo values, not network and data risks.
- A directors and officers continuity date concerns claims-made management liability coverage, not cyber underwriting controls.
These details help the insurer assess the likelihood and severity of cyber loss and the strength of the client’s controls before offering terms.
Question 2
Topic: Cyber Insurance
A broker is arranging cyber renewal for a manufacturer. The cyber application asks whether multifactor authentication (MFA) is enabled for remote access and administrator accounts. The client has MFA on email, but not on its VPN or administrator logins. The insurer’s quote states: “Binding is subject to confirmation that MFA is active for all remote access and privileged accounts.” The policy form also contains a separate exclusion for losses involving unsupported software, but no specific MFA exclusion.
What is the broker’s best advice to the client?
- A. Advise that any future cyber claim will automatically be denied because MFA is not enabled on every account.
- B. Treat MFA as an underwriting eligibility requirement for this quote, disclose the gap, and seek revised insurer terms or approval before binding.
- C. Advise that MFA is only a voluntary risk-reduction control because it reduces the chance of a cyber loss.
- D. Bind the policy as quoted because the policy form does not contain an MFA exclusion.
Best answer: B
What this tests: Cyber Insurance
Explanation: A cyber control can be both a practical way to reduce risk and a material underwriting requirement, depending on how the insurer uses it. Here, MFA lowers the likelihood of unauthorized access, but the decisive fact is the quote wording: binding is subject to confirmation that MFA is active for specified access points. The broker should verify the client’s actual controls, correct any inaccurate application response, disclose the gap, and obtain the insurer’s instructions before binding. The absence of a specific MFA exclusion in the policy form does not remove the quote condition. At the same time, the broker should avoid promising that every claim would automatically be denied; coverage consequences depend on the policy wording, representations, conditions, and facts of a loss.
- Relying only on the absence of an MFA exclusion ignores the insurer’s binding requirement in the quote.
- Calling MFA merely voluntary misses that the underwriter has made it a condition of placing this particular coverage.
- Predicting automatic denial overstates the broker’s role and skips the need to review wording, representations, and insurer position.
The quote makes MFA a binding requirement, so the broker must not treat the incomplete MFA setup as only a general risk-control recommendation.
Question 3
Topic: Cyber Insurance
A retail client calls after staff discover that the point-of-sale server is locked by ransomware. The attacker claims to have copied customer payment information and demands cryptocurrency. The client wants to restore from backups, hire its usual IT contractor, and email affected customers before the weekend. The business carries a cyber policy with first-party incident response coverage, but the client has not yet reported the incident to the insurer.
What is the best next step for the broker?
- A. Suggest that the client handle the restoration internally because backups are available and no third-party claim has been made yet.
- B. Treat the matter primarily as a commercial crime loss because the demand involves cryptocurrency and possible financial theft.
- C. Tell the client to notify the cyber insurer immediately and use the insurer’s incident response process before engaging vendors or sending customer notices.
- D. Advise the client to pay the ransom first so operations can resume, then submit the payment as a cyber extortion claim.
Best answer: C
What this tests: Cyber Insurance
Explanation: A ransomware incident with suspected data access should be treated as an active cyber incident requiring immediate reporting and coordinated response. First-party cyber coverage may include breach response, forensic investigation, data restoration, cyber extortion support, business interruption, notification, and crisis management costs. The broker should not direct ransom payment, authorize vendors, or approve customer notices. Those steps can affect coverage, evidence preservation, privacy obligations, and the insurer’s ability to manage approved response resources. The practical next step is to help the client give prompt notice to the cyber insurer and follow the policy’s incident response procedure, while documenting the client’s instructions and avoiding any promise that costs or ransom will be covered.
- Paying a ransom before insurer involvement may breach policy conditions, legal controls, or response protocols.
- Restoring internally may destroy evidence and does not address suspected unauthorized access to customer information.
- Commercial crime coverage may be relevant to some financial fraud losses, but ransomware and suspected data compromise are cyber incident response concerns.
Cyber incident response coverage commonly depends on prompt notice and coordinated use of approved breach counsel, forensics, and response vendors.
Question 4
Topic: Cyber Insurance
A broker is completing a cyber insurance renewal application for a mid-sized Canadian wholesaler. The client contact has answered Yes to multifactor authentication for remote access, but later mentions that MFA is only enabled for managers and not for warehouse supervisors who access the system remotely. The expiring insurer’s renewal quote is conditional on the application answers, and the client wants the policy bound before the weekend. What is the best action for the broker?
- A. Bind the renewal as quoted because some employees use MFA and the client intends to expand it later.
- B. Pause binding, correct the application answer with the client, disclose the accurate MFA details to the underwriter, and document the discussion.
- C. Leave the application answer unchanged but add a note in the brokerage file that MFA is only partially implemented.
- D. Bind the policy and advise the client to explain the MFA gap only if a cyber claim occurs.
Best answer: B
What this tests: Cyber Insurance
Explanation: Cyber applications often ask about specific controls such as MFA, backups, patching, endpoint protection, and incident-response planning. These answers are not casual background information; they may affect eligibility, pricing, terms, exclusions, sublimits, and the insurer’s willingness to bind. If an answer is inaccurate or incomplete, the client could face placement problems, coverage disputes, claim denial, or allegations of misrepresentation. The broker could also face professional-service concerns if the inaccurate answer was known or should have been clarified. Here, MFA is not implemented as broadly as the application answer suggests. The broker should correct the answer, disclose the true facts to the underwriter before binding, explain the possible consequences to the client, and keep a clear record.
- Binding based on a future intention ignores the current underwriting fact the insurer asked about.
- A brokerage file note does not correct the representation made to the insurer.
- Waiting until a claim to explain the gap increases the risk of a coverage dispute and poor client service.
Accurate application information is needed because underwriting terms, coverage limitations, and claim handling may depend on the stated cyber controls.
Question 5
Topic: Cyber Insurance
A Canadian specialty retailer reports that its online ordering system was unavailable for 22 hours after its payment-processing vendor detected unauthorized access and shut down the connection. The retailer lost online sales and may have had customer names, email addresses, and partial payment information exposed. The client asks whether its cyber policy may respond for both the interruption loss and privacy response costs.
Which missing fact should the broker treat as the most important next inquiry?
- A. A regulator’s written direction confirming that customer notification is legally required
- B. A forensic incident summary showing the cause of the outage, affected systems, outage period, and whether personal information was accessed or exfiltrated
- C. A sales report showing the retailer’s total annual online revenue before the outage
- D. Confirmation that the client’s commercial general liability policy includes personal and advertising injury coverage
Best answer: B
What this tests: Cyber Insurance
Explanation: When a cyber event combines operational downtime with possible privacy exposure, the broker needs facts that support both coverage paths. Cyber business interruption usually depends on the cause of the outage, the affected systems, and the measurable interruption period. Privacy response and notification costs depend on what data was involved, whether personal information was accessed, acquired, or exfiltrated, and the scope of affected individuals. A forensic incident summary is therefore the key missing information because it helps determine whether the event fits the cyber policy’s interruption and privacy response insuring agreements. The broker should avoid promising coverage or legal notification outcomes and should encourage prompt reporting to the insurer and use of approved incident-response resources where required by the policy.
- CGL personal and advertising injury coverage is not the primary inquiry for a network outage and possible data breach under a cyber policy.
- Annual online revenue may help quantify a business interruption claim, but it does not establish the cyber trigger or privacy exposure.
- Waiting for a regulator can delay insurer notice and incident response; notification analysis usually begins before any regulator direction is received.
This inquiry connects the potential cyber business interruption trigger with the facts needed to assess privacy response and notification obligations.
Question 6
Topic: Cyber Insurance
A wholesaler applying for cyber insurance allows staff to access email and accounting systems remotely. The underwriter asks whether users must confirm their identity with a second factor, such as an authenticator app prompt or temporary code, in addition to a password. Which cyber underwriting control is being described?
- A. Vendor control review
- B. Multifactor authentication
- C. Patch management
- D. Endpoint protection
Best answer: B
What this tests: Cyber Insurance
Explanation: Cyber underwriters often look for controls that reduce the likelihood or severity of a loss. Multifactor authentication strengthens access security by requiring more than a password before a user can enter a system. This is especially important for remote access, email, cloud applications, and administrator accounts because stolen passwords are a common route into business systems. Patch management deals with keeping software updated, endpoint protection helps secure devices such as laptops and servers, and vendor controls address risks created by outsourced service providers. In this case, the clue is the required second factor for user identity confirmation.
- Patch management is about applying software and security updates, not confirming a user with a second factor.
- Endpoint protection focuses on device-level security tools such as anti-malware or detection software.
- Vendor control review assesses third-party service provider risk, not direct user login authentication.
Requiring a second proof of identity beyond a password is multifactor authentication, a common cyber underwriting control for remote and privileged access.
Question 7
Topic: Cyber Insurance
A retailer applying for cyber coverage has no multifactor authentication for remote access, stores backups on the same network, and cannot show recent patching records. The underwriter responds with a higher ransomware retention, a lower cyber extortion sublimit, and a premium increase unless controls are improved. Which CAIB 3 concept is illustrated?
- A. Business interruption ordinary payroll limitation
- B. Facultative reinsurance capacity sharing
- C. Control weaknesses affecting cyber underwriting terms
- D. Crime coverage discovery trigger
Best answer: C
What this tests: Cyber Insurance
Explanation: Cyber underwriters use client controls to judge the likelihood and severity of events such as ransomware, unauthorized access, and data loss. Missing multifactor authentication, weak backup practices, and poor patch documentation suggest a higher probability of loss and more difficult recovery. A broker should recognize that these deficiencies can affect whether coverage is offered, how broad the terms are, what exclusions or sublimits apply, the retention level, and the premium. The practical service response is to explain the underwriting impact, document the insurer’s requirements, and help the client prioritize control improvements without promising that coverage or pricing will change automatically.
- Crime discovery relates to when a crime loss is found, not how cyber controls influence underwriting terms.
- Ordinary payroll is a business interruption valuation issue, not a cyber control concern.
- Facultative reinsurance may help an insurer manage capacity on a specific risk, but the facts focus on client control deficiencies and resulting cyber terms.
Weak cyber controls can make the account less acceptable and lead to restricted terms, exclusions or sublimits, higher retentions, and higher pricing.
Question 8
Topic: Cyber Insurance
A broker is preparing a cyber insurance submission for a Canadian online retailer. The client stores customer names, addresses, and payment-card tokens in a cloud order platform, processes about 8,000 transactions per month, allows staff to connect remotely to the platform, relies on the cloud vendor for order fulfilment data, and has backups that have not been tested. The insurer asks for more detail before quoting. What is the broker’s best next action?
- A. Recommend removing cyber business interruption coverage, because the order platform is operated by an outsourced vendor.
- B. Obtain details on the data handled, transaction volume, remote-access controls, backup testing, cloud-vendor dependence, and key security controls before asking the insurer to quote.
- C. Tell the client that payment-card tokens eliminate the need to disclose payment-related data handling.
- D. Ask the insurer to quote using sales revenue only, because cyber premiums are mainly driven by gross receipts.
Best answer: B
What this tests: Cyber Insurance
Explanation: Cyber underwriting depends on both the nature of the data and how the business uses technology. Customer personal information, payment-related processing, transaction volume, outsourced platforms, remote access, backup reliability, and security controls all help an insurer assess frequency and severity. In this scenario, the cloud order platform is central to revenue generation, so vendor dependence and business interruption exposure are important. Untested backups and remote access also raise underwriting concerns because they affect ransomware resilience and unauthorized-access risk. A broker should gather complete, accurate details and present them to the insurer rather than minimizing exposures or assuming a vendor removes the client’s risk.
- Sales revenue is relevant, but it does not replace underwriting facts about data, systems, vendors, access, backups, and controls.
- Outsourcing a platform may increase vendor-dependence concerns; it does not automatically remove cyber business interruption needs.
- Tokenization may reduce some payment-card risk, but it does not eliminate privacy, transaction, remote-access, or vendor-related underwriting information.
These facts directly affect cyber underwriting because they indicate privacy exposure, business interruption dependence, control maturity, and potential loss severity.
Question 9
Topic: Cyber Insurance
A retailer asks why its cyber proposal lists expenses for forensic investigation, breach notification, credit monitoring, and data restoration, but also refers to defence costs and damages if customers allege their personal information was mishandled. Which CAIB 3 cyber insurance concept best matches this description?
- A. Cyber coverage may combine first-party incident response costs with third-party liability coverage, depending on the policy wording.
- B. Cyber coverage is a form of crime insurance because all cyber losses are treated as theft of money or securities.
- C. Cyber coverage is triggered only by physical damage to computer hardware that interrupts business operations.
- D. Cyber coverage only applies to liability claims by customers and regulators, not to the insured’s own incident response expenses.
Best answer: A
What this tests: Cyber Insurance
Explanation: Cyber insurance commonly blends two coverage ideas. First-party elements respond to the insured organization’s own costs after a cyber incident, such as forensic investigation, breach notification, credit monitoring, data restoration, cyber extortion, or network interruption expenses. Third-party liability elements respond when customers, clients, regulators, or other parties allege that the insured’s acts, errors, or security failures caused them harm, leading to defence costs, settlements, or judgments. The exact result depends on the policy wording, insuring agreements, definitions, exclusions, retentions, and conditions. A broker should not describe cyber as only a liability product or only a response-cost product without checking the actual form.
- Treating cyber as only third-party liability misses common first-party breach response and recovery expenses.
- Treating all cyber losses as crime losses confuses technology and privacy incidents with financial-crime coverages such as employee dishonesty or funds transfer fraud.
- Requiring physical hardware damage confuses cyber coverage with property-triggered interruption concepts.
Cyber policies often address the insured’s own breach response or recovery costs and liability claims made by affected customers or other third parties.
Question 10
Topic: Cyber Insurance
A Canadian dental software provider reports that an employee clicked a phishing link. The attacker used the credentials to encrypt the company’s scheduling and billing servers, demanded cryptocurrency for a decryption key, and claimed to have copied patient email addresses. The client’s hosted service was unavailable to clinics for three days.
Which coverage concept is the best fit for the exposures the broker should identify?
- A. Commercial general liability coverage for bodily injury and property damage caused by business operations
- B. Cyber coverage for ransomware, digital extortion, breach response, privacy liability, and network interruption
- C. Commercial crime coverage for employee dishonesty and theft of money or securities
- D. Marine cargo coverage for loss of goods while in transit
Best answer: B
What this tests: Cyber Insurance
Explanation: A cyber policy is designed to address technology-dependent losses such as ransomware, cyber extortion, breach response costs, privacy liability, and network interruption. Here, the key facts are the phishing compromise, encrypted servers, ransom demand, possible copying of personal information, and interruption of the hosted service. The broker should identify these as cyber exposures and gather details for underwriting and claims handling, such as affected systems, data involved, outage period, backups, incident-response steps, and any notification obligations. Crime coverage may be relevant for some social engineering or funds transfer losses, but the dominant loss described is a cyber incident affecting systems, data, and service availability.
- Employee dishonesty is not the main issue because the loss was caused by an external attacker using compromised credentials.
- Commercial general liability is not the primary fit because the facts centre on digital systems, privacy data, extortion, and network downtime.
- Marine cargo is unrelated because no goods in transit or marine shipment exposure is described.
The facts involve a ransomware attack, extortion demand, possible privacy breach, and service outage caused by a network compromise.
Continue in the web app
Use Finance Prep for interactive CAIB 3 practice with mixed sets, timed mocks, topic drills, explanations, and progress tracking.