Today's cyber risks come in all shapes and sizes, from disclosure of protected information due to hacking or employee negligence through network shutdown or impairment, regulatory violations, and everything in between.


Painfully aware that 100% cybersecurity is an impossibility, smart companies no longer focus exclusively on building cyber defenses. Instead, they are taking an enterprise approach to managing cyber risks, which includes development of a cybersecurity program that places attention on a number of issues, including network security, employee training and third-party risk. Even then, however, some cyber risks will remain.


Instead of simply living with those residual risks, more companies are taking a holistic approach to cyber risk management, which includes transferring residual cyber risk through insurance. Although it is no substitute for appropriate policies and practices, cyberinsurance that is appropriately tailored to a company's unique risk profile can be a key component of an effective cyber risk management program.


What is cyberinsurance?

Cyberinsurance can provide much-needed tactical and financial support for companies confronted with a cyber incident. Generally speaking, the cyber policy's first-party coverage applies to costs incurred by the insured when responding to a covered cyber event, while third-party coverage responds to claims and demands against the insured arising from a covered incident.


First-party coverage usually can be triggered by a variety of events, including the malicious destruction of data, accidental damage to data, power surges, IT system failure, cyber extortion, viruses and malware. Generally available first-party coverages include legal and forensic services to determine whether a breach occurred and, if so, to assist with regulatory compliance, costs to notify affected employees and/or third parties, network and business interruption costs, damage to digital data, repair of the insured's reputation, and payment of ransom costs.


Third-party coverage can be implicated in a variety of ways, including by claims for breach of privacy, misuse of personal data, defamation/slander, or the transmission of malicious content. Coverage is available for legal defense costs, settlements or damages the insured must pay after a breach, and electronic media liability, including infringement of copyright, domain name and trade names on an internet site, regulatory fines and penalties.


Cyberinsurance typically provides for the retention of an attorney, a so-called breach coach, to coordinate the insured's response to a cyber incident. An experienced coach can build an effective team of specialists and efficiently guide the company through the forensic, regulatory, public relations and legal issues that arise from a security incident. Given the complexities of the various federal and state laws pertaining to data breach notification, the increasing demands of regulators, and the scrutiny of the media and the class action bar, coverage for the retention of a skilled breach coach is perhaps the greatest benefit of cyberinsurance.


Obtaining cyber coverage

Although there is no standard application for cyberinsurance, insurers usually ask for similar types of information from the prospective insured, including customary financial data about the company, such as assets and revenues, number of employees, and planned merger and acquisition activity. In addition, cyberinsurance applications typically inquire as to the volumes and types of data the company handles, the existence of updated written policies and procedures approved by a qualified attorney, compliance with security standards and regulations, existing network security, prior breaches, security incidents and claims, information management practices, and a variety of related issues.


Care should be taken to accurately complete the application, which will become part of the policy if one is issued. Applications may require the signature of the company's president, CEO, and/or CIO, who must attest to the accuracy of the company's responses. Inaccurate information provided in the application may jeopardize coverage if a claim is later tendered under the policy.


Choosing the right cyberinsurance policy

Unlike more traditional forms of insurance, there currently are no standardized policy forms for cyberinsurance, and policies often contain “manuscripted” provisions agreed to by the insurer and the insured during the negotiation of the policy. Policy terms, including grants of coverage, exclusions and conditions, vary among the 60 or so carriers that currently issue cyber policies, and numerous coverage options are offered by cyberinsurers.


Given this reality, companies need to ensure that the cyber policy they purchase is appropriate for their specific cyber risk profile. For example, if a company entrusts its data to third parties, it will want coverage for third-party risks. If it maintains an active social media presence, it will want media liability coverage. And as more regulations are enacted around cybersecurity and data-handling practices, coverage for regulatory fines is increasing in importance for many entities.


In addition to the coverages provided by cyberinsurance after a cyber event, some cyberinsurers offer free or discounted prophylactic or “loss control” benefits to improve their insured's cyber risk profile. Loss control services can include information governance tools, information management counseling, employee training, risk assessments, and review of vendor contracts.


Because of the variety and complexity of the cyber policies on the market, companies are urged to consult with knowledgeable and experienced professionals to help negotiate the most favorable policy terms and limits to fit the company's needs. Care should be taken to ensure that the policy adequately addresses the company's cyber risks and appropriately dovetails with the other coverages in the insured's comprehensive insurance program. And instead of simply putting a completed cyberinsurance policy on the shelf with hopes that it will never have to be used, insureds should make sure that they fully understand the representations they made in their policy application, as well as any continuing obligations they have under the policy, so that they can fulfill their responsibilities and maintain coverage in the event of a claim.


For most companies, though, it should be a matter of finding the right cyber coverage, not whether to obtain cyber insurance at all. Companies will continue to be under threat, and new cyber dangers are emerging every day. Having a policy in place that is suited to your company's particular risks and exposures is a very smart step toward implementing an effective and holistic cyber risk management program.


Judy Selby is a managing director, technology advisory services for BDO Consulting, focusing on cyberinsurance, cybersecurity, privacy and insurance issues. She can be reached at [email protected].


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.