Today's cyber risks come in all shapes and sizes, fromdisclosure of protected information due to hacking or employeenegligence through network shutdown or impairment, regulatoryviolations, and everything in between.

Painfully aware that 100 percent cybersecurity is an impossibility,smart companies no longer focus exclusively on building cyberdefenses. Instead, they are taking an enterprise approach tomanaging cyber risks, which includes development of a cybersecurityprogram that places attention on a number of issues, includingnetwork security, employee training and third-party risk. Eventhen, however, some cyber risks will remain. 

Related: 4 pitfalls to avoid in a cyberinsurancepolicy

Instead of simply living with those residual risks, morecompanies are taking a holistic approach to cyber risk management,which includes transferring residual cyber risk through insurance.Although it is no substitute for appropriate policies andpractices, cyberinsurance that is appropriately tailored to acompany's unique risk profile can be a key component of aneffective cyber risk management program.  

What is cyberinsurance?

Cyberinsurance can provide much-neededtactical and financial support for companies confronted with acyber incident. Generally speaking, the cyber policy's first-partycoverage applies to costs incurred by the insured when respondingto a covered cyber event, while third-party coverage responds toclaims and demands against the insured arising from a coveredincident.

First-party coverage usually can be triggered by a variety ofevents, including the malicious destruction of data, accidentaldamage to data, power surges, IT system failure, cyber extortion,viruses and malware. Generally available first-party coveragesinclude legal and forensic services to determine whether a breachoccurred and, if so, to assist with regulatory compliance, costs tonotify affected employees and/or third parties, network andbusiness interruption costs, damage to digital data, repair of theinsured's reputation, and payment of ransom costs.

Third-party coverage can be implicated in a variety of ways,including by claims for breach of privacy, misuse of personal data,defamation/slander, or the transmission of malicious content.Coverage is available for legal defense costs, settlements ordamages the insured must pay after a breach, and electronic medialiability, including infringement of copyright, domain name andtrade names on an internet site, regulatory fines andpenalties.

Related: Getting cyber insurance is a complex process,experts warn

Cyberinsurance typically provides for the retention of anattorney, a so-called breach coach, to coordinate the insured'sresponse to a cyber incident. An experienced coach can build aneffective team of specialists and efficiently guide the companythrough the forensic, regulatory, public relations and legal issuesthat arise from a security incident. Given the complexities of thevarious federal and state laws pertaining to data breach notification, the increasingdemands of regulators, and the scrutiny of the media and the classaction bar, coverage for the retention of a skilled breach coach isperhaps the greatest benefit of cyberinsurance.

Obtaining cyber coverage

Although there is no standard application for cyberinsurance,insurers usually ask for similar types of information from theprospective insured, including customary financial data about thecompany, such as assets and revenues, number of employees, andplanned merger and acquisition activity. In addition,cyberinsurance applications typically inquire as to the volumes andtypes of data the company handles, the existence of updated writtenpolicies and procedures approved by a qualified attorney,compliance with security standards and regulations, existingnetwork security, prior breaches, security incidents and claims,information management practices, and a variety of relatedissues.

Related: How risk modeling propels the cyber insurancemarket forward

Care should be taken to accurately complete the application,which will become part of the policy if one is issued. Applicationsmay require the signature of the company's president, CEO, and/orCIO, who must attest to the accuracy of the company's responses.Inaccurate information provided in the application may jeopardizecoverage if a claim is later tendered under the policy.

Choosing the right cyberinsurance policy

Unlike more traditional forms of insurance, there currently areno standardized policy forms for cyberinsurance, and policies oftencontain "manuscripted" provisions agreed to by the insurer and theinsured during the negotiation of the policy. Policy terms,including grants of coverage, exclusions and conditions, vary amongthe 60 or so carriers that currently issue cyber policies, andnumerous coverage options are offered by cyberinsurers.

Given this reality, companies need to ensure that the cyberpolicy they purchase is appropriate for their specific cyber riskprofile. For example, if a company entrusts its data to thirdparties, it will want coverage for third-party risks. If itmaintains an active social media presence, it will want medialiability coverage. And as more regulations are enacted aroundcybersecurity and data-handling practices, coverage for regulatoryfines is increasing in importance for many entities.

Related: Navigating the cyberinsurance maze: Inside theobligations and caveats

In addition to the coverages provided by cyberinsurance after acyber event, some cyberinsurers offer free or discountedprophylactic or "loss control" benefits to improve their insured'scyber risk profile. Loss control services can include informationgovernance tools, information management counseling, employeetraining, risk assessments, and review of vendorcontracts. 

Because of the variety and complexity of the cyber policies onthe market, companies are urged to consult with knowledgeable andexperienced professionals to help negotiate the most favorablepolicy terms and limits to fit the company's needs. Care should betaken to ensure that the policy adequately addresses the company'scyber risks and appropriately dovetails with the other coverages inthe insured's comprehensive insurance program. And instead ofsimply putting a completed cyberinsurance policy on the shelf withhopes that it will never have to be used, insureds should make surethat they fully understand the representations they made in theirpolicy application, as well as any continuing obligations they haveunder the policy, so that they can fulfill their responsibilitiesand maintain coverage in the event of a claim.

For most companies, though, it should be a matter of finding theright cyber coverage, not whether to obtain cyber insurance at all.Companies will continue to be under threat, and new cyber dangersare emerging every day. Having a policy in place that is suited toyour company's particular risks and exposures is a very smart steptoward implementing an effective and holistic cyber risk managementprogram.

Related: Cyber-breach communications plans: What insuranceprofessionals (and clients) need to know

Judy Selby is a managing director, technology advisoryservices for BDOConsulting, focusing on cyberinsurance, cybersecurity, privacyand insurance issues. She can be reachedat [email protected].