“Cyber” (network security and privacy) insurance applications are particularly challenging for agents and brokers to complete because the coverage touches on so many aspects of an enterprise and requires multiple individuals to complete various sections. These include:

• Risk managers and financial officers: general information, limits and retention options
• Information technology officers: Technical safeguards to the network such as firewalls, intrusion detection, back-up procedures, patch management and data encryption
• Privacy officers: Data encryption on mobile devices, procedures regarding paper files containing confidential information, policies and procedures regarding privacy training
• Marketing officers: Because most cyber policies offer a website media option, questions about content acquisition and clearance
• General counsel: Networks typically use third-party providers for some data backup, hosting or security; general counsel needs to review the contracts with these providers
• Human resources: May be responsible for disaster recovery or incident response.

Given this complexity, it's no wonder that many cyber applications come back incomplete or with contradictory information.

One of the problems with cyber applications is endemic to the rating methodology itself. The largest share of the loss dollars paid by carriers has been to satisfy the state notification laws. These require companies to notify people whose personal identifiable information (PII) may have been compromised. Therefore, the insurers should be rating off the real exposure–the amount of PII an insured maintains. Instead, insurance carriers typically use revenues as a rating basis. This may or may not relate to the actual loss exposure, which differs dramatically between a hospital and a manufacturer with the same revenue.

Insurance underwriters are now trying to ferret out the true amount of PII maintained by the prospects and rate the account based on the real exposure. Some applications are now specifically asking this question. This is a difficult number to obtain for most organizations but one that will go a long way to reducing the cost of cyber insurance, even if it is only an estimate.