When determining a prospect's level of risk, it may be helpful to think of the exposure in terms of “realms”:

Network: the information digitally contained within the system

Remote access: how employees not working within the network access the system's functionality and how it is protected. Since access is typically through laptops, the protection of laptops is critical. Encryption may be the best “bang for your buck” risk management investment available.

Wireless: This is now normally well controlled. The lessons of DSW loss have tightened these controlled in nearly all instances.

Vendors: Some of the network's functionality lies with third-party vendors who are responsible data storage, hosting, managed security, backup tape storage, etc. Contracts with these providers should be included with the application if possible and should contain hold harmless and indemnity clauses.

Although there is no universal application, most carriers are willing to work with another carrier's application and offer a bindable quote. Although all different in format, they all have similar sections:

1. General information: This section is the same as for any insurance application: name, address, years in business, etc. (One quick note on international companies: networks do not have national boundaries and trying to insure only a U.S. entity might pose a problem.) Questions may be included in this section requesting a description of services or products provided. This is one area where scrimping on information may be costly since, as mentioned above, insurers determine premium on revenues then discounted based on operations. It is critical that the underwriter has a complete understanding of the business. The more detailed the description, the better the ultimate outcome. A breakdown of sales by method (online, retail, and wholesale) is invaluable, for instance. Underwriters will penalize for uncertainty or ambiguity, so details on clients is critical since much of the pricing is determined by the amount of PII the organization collects and maintains.
2. System controls:This section is typically completed by the IT department. Underwriters look for how the organization's controls stack up against its peers so it isn't an easy target for scammers. Questions will include technical controls (firewalls, intrusion detection and antivirus), network structure (is there a hosting company, how many data centers, how may servers, etc.).
3. General security: This section may include questions regarding corporate orientation regarding digital and privacy risks. Questions such as, “Do you have a formal security and privacy program in place? Is training given to employees with regard to security and privacy?” are examples. The answers will affect the amount of credit given by underwriters because one of the elements that has the most impact on an underwriter's comfort (reflected in the price) is management attitude and willingness to expend resources on security and privacy.
4. Backup tape procedures: Many claims arise from lost or misplaced backup tapes. Networks need regular (usually daily) backup in case something devastating should happen the next day. The enterprise has the assurance that they can quickly restore the network to its previous state with little loss of data. However, by necessity, all the data on the network is now exposed to compromise. Most organizations hire an outside firm to transport and store tapes. These are picked up in a locked box which was left the night before. Another method is to ship tapes via air carrier. However, there was one claim where an airfreight carrier was used and the package with the tapes never arrived. A large loss was paid because the PII may have been compromised. Ideally, backup tapes should be encrypted. State laws, as a rule, consider encrypted data to be similar to shredded documents which do require notification.
5. Website media and extortion: As cyber insurance evolved, insurers added coverages addressing specific loss instances. Cyber extortion and website media are two examples. Cyber extortion primarily occurred in the mid 1990s when thieves would steal data and extort the organization for money. This quickly fell out of vogue since there had to be a physical exchange and law enforcement was able to exploit this and capture perpetrators. Website media is a standard cyber coverage because some general liability policies may not appropriately cover this new form of advertising, particularly if the company can be construed as being in the business of advertising. Therefore, the application asks questions regarding content: Who creates it? If not original, how is the company protecting itself against copyright suits?
6. Claims: When asked if anyone ever tried to break into his system, one CIO checked his watch and said, “There are about a dozen right now; school is out.” If the answer to any of the claim questions is “Yes,” a narrative is mandatory. It may be that privacy losses are a regular occurrence. For instance, hospitals can use an incorrect email and send personal medical information to the wrong person. A short narrative will put the underwriter at ease and also help fix an appropriate deductible amount.