Applying for any kind of insurance coverage requires answeringthe carrier’s questions or filling out an application form.

Generally, for something like auto or homeowners’ insurance, theform is fairly simple, asking about the number of miles your driveor how close your home is to a fire hydrant.

Filling out an application for cyber insurance is much morecomplicated, said Judy Selby, managing director of BDO Consulting,as she moderated the panel titled “You Finally Bought the Cyberinsurance Policy. Now What?” as part of ALM’s cyberSecureconference on Sept. 27.

Related: Panel looks at the role of insurance in the age ofcyber threats

Panelist Scott N. Godes, partner with Barnes & ThornburgLLP, noted that filling out the application correctly, to the bestof a company’s ability, is critical. In some cases, the carrier’slawyers could advise the carrier to rescind the policy if any ofthe answers turn out to be wrong.

Dan Twersky, assistant vice president at Willis Towers Watson,also on the panel, explained that for cyber insurance, whether arenewal or a new purchase, in-person interviews are part of theunderwriting process. It’s important to be prepared for theinterview, he said, and to understand the information included inthe applications. That may mean having the chief informationofficer or chief information security officer participate infilling out the application and in the interview.

The questions in the applications vary, Selby noted, but mostwant to know the level of network security, whether you have goodfirewall in place, and whether you use intrusion detectionsoftware. The applications also address the issue of training ondata security and procedures, as well as whether a redundantnetwork is available for backup.

Vendor management issues

“You need to have a program, policy and process in place forvendor management across all vendors,” said panelist Lee Tenny,vice president and global head of vendor risk management at FirstData Corp. The program has to include all possible points of risk,including back-door entry points, he added. Tenny’s company has aprocess in place to vet all vendors, which recently included thevendor installing new toilets in their office building.Surprisingly, the toilets turned out to be WiFi-enabled, requiringTenny to initiate his risk management process in regard to thisvendor.

The panel agreed that vendor contracts should spell out who isresponsible for the consequences of a breach involving data thatthe vendor holds. Godes noted that in his experience, large-scalepolicy holders generally work with their insurers to coverthird-party vendors.

Selby pointed out that the New York State Department ofFinancial Services recently proposed regulations on cybersecuritythat include strict rules on vendor management that banks,insurance companies and other financial services firms will have tocomply with.

Business interruption concerns

Drew T. Olson, a director at BDO Consulting, said that he hearsa lot of complaints from clients about the terms and conditions forbusiness interruption coverage in cases of data breaches or cyberattacks. “The business thinks in terms of three- to five-minuteincrements,” he said, “while the policy says that your system hasto be out for 12 hours before coverage begins.” For somebusinesses, that 12 hours can ruin the company.

Olson said he believes the industry has to come up with betterwaiting-period language to reflect the reality of internet-basedbusinesses. He suggested that the focus be similar towaiting-period language in property insurance policies.

The panel agreed that there is room for compromise andnegotiation with cyber policies. More than 65 companies offer thecoverage, and their forms vary. It’s clear that companies that wantcyber coverage will be able to find it, with varying premium costsand coverage limits.

As a member of the audience commented, “It’s incumbent on thebroker to negotiate the terms and conditions that best fits theclient’s needs.”

Related: Navigating the cyberinsurance maze: Inside theobligations and caveats