Cyber insurance

As companies recognize that cyber risk cannot be eliminated, only managed, they are increasingly looking to transfer residual cyber risks through insurance. Still, many small and midsize businesses are going without cyber coverage, perhaps because of confusion about how to get the right policy.

Despite the undeniable challenges presented by today's cyber insurance market, businesses of all sizes can cut through the confusion and obtain the right cyber insurance for their enterprise by following this five-step process:

Step 1: Identify cyber risks

The first step in the process is to assess the entity's exposure to cyber perils. Not every company is the same, and the cybersecurity and privacy risks facing an online retailer, for example, would be different from those facing a consulting company.

Companies should take an enterprise-wide approach to this step to ensure that the risks facing all divisions within the business are incorporated into the assessment. Multiple stakeholders within the organization, and potentially some from outside of the organization (technology vendors, for example), should be consulted.

Step 2: Examine existing coverage

Next, companies should carefully examine their existing insurance policies to determine how their current coverages match up with the cyber risks that were identified in Step 1. Traditional property and liability policies, as well as crime and kidnap and ransom policies, can contain some protection against cyber risks.

That said, many insurers have taken steps to exclude cyber-related risks under traditional policies and are vigorously fighting cyber claims under these non-cyber forms. Although some businesses have successfully recovered for cyber claims under such policies, relying on them for comprehensive cyber coverage is risky.

It's important to note, however, that express cyber coverage may be included by endorsement to a traditional policy. Because redundancies in coverage can create coverage issues in the event of a claim, companies should take steps to identify any such coverages before buying a cyber policy and reconcile their existing coverage with the cyber form.

Step 3: Applying for cyber coverage

Although there is no standard application for cyber insurance, insurers usually ask for similar types of information from the prospective insured. Insurers will inquire as to the company's policies and practices around cybersecurity, data handling, usage, and storage, vendor management and privacy. Companies likely will have to involve a number of stakeholders, including outside service providers, when responding to application questions.

Care should be taken to accurately complete the application, which will become part of the policy if one is issued. It's critically important to seek clarification before responding to any ambiguous or unclear questions.

Applications may require the signature of the company's president, CEO and/or CIO, who must attest to the accuracy of the company's responses. Inaccurate information provided in the application may jeopardize coverage if a claim is later tendered under the policy.

Step 4: Finding the right cover in today's dynamic cyber insurance market

Next, companies should find a policy that covers the risks identified in Step 1. But because there is no standard cyber insurance policy form — and all policies are not created equal — care must be taken to carefully review the terms of any prospective policy to make sure it's a good fit for the company's needs.

Additional factors to consider include the insurer's reputation for handling and paying claims and whether it provides free or discounted cyber risk mitigation services (such as risk assessments, training, and incident response training). Purchasing decisions made strictly on price may ultimately prove to be much more costly.

Although today's dynamic cyber insurance market creates challenges for insurance buyers, it also provides an opportunity to negotiate for better policy terms and coverage tailored to the company's unique cyber needs. Companies should exercise their leverage during the insurance buying process to get the best possible coverage.

Step 5: Post-coverage considerations

Once coverage is in place, the insured should take steps to understand and operationalize the various requirements and policy conditions with which it must comply. For example, the policy may require the insured to get the insurer's prior written consent before paying a ransomware demand or hiring a consultant after a data breach. The processes mandated by the policy in the event of a claim also must be understood.

In addition, it's a good practice to periodically monitor and evaluate coverage in light of evolving business needs, such as merger and acquisition activity. The insured also should keep an eye on the changing cyber threat landscape to ensure that its coverage remains adequate. New coverages offered by insurers also should be monitored.

Judy Selby, JD, is a principal of Judy Selby Consulting LLC and a senior advisor at Hanover Stone Partners LLC. She can be reached at [email protected].


© 2024 ALM Global, LLC, All Rights Reserved.