6 questions you need to ask about cybersecurity systems: Start thinking about required coverage, risk tolerance, exclusions and other factors
Given the ongoing breaches at organizations with best-in-class cybersecurity systems, financial executives and their C-suite counterparts, including audit committees, have accepted that a breach is a question of when, rather than if.
Here are some questions to consider as you review your insurance coverage for cybersecurity breaches.
1. How has our cyberfootprint changed since we obtained the insurance coverage?
With new applications and other cloud solutions enhancing business opportunities on nearly a daily basis, financial executives may need to reconcile the technology profile that was originally underwritten by the insurance company with the actual profile today. New threats may need to be inventoried to ensure that they are covered by the policy. Changes in risk tolerances or appetite should be considered, as well. Technology supporting planned business expansion or consolidation should be assessed against existing coverage and policy requirements.
2. Are we complying with the representations made during the issuance of the policy?
Some insurance policies require companies to comply with established information security standards (ISO, COBIT, PCI, and others). Unfortunately, some finance functions assume, without verifying, that their technology practices comply with these standards. An honest discussion with the technology team should occur, and a realistic comparison made between current practices and the representations made to the insurer. Identified gaps should be prioritized and remediated. As appropriate, discussions with counsel and insurance advisers should be considered.
3. Do I have the appropriate amount of insurance?
Too often, companies choose coverage based on the premium. Although this is an important factor, there should also be a financial analysis, to the extent possible, that quantifies loss assumptions and risk. For example, various surveys, such as those conducted by the Ponemon Institute, identify the average cost of a breached record. This figure can be used to produce a rough estimate of a minimal level of required coverage, although a more detailed analysis would be required to get “right size” coverage.
4. Do we understand what risks we are covered for and what we are assuming about them?
Insurance coverage may be needed from both external and internal perspectives. Externally, there may be costs due to lawsuits, regulatory compliance remediation, fines and penalties. Internally, costs may include new technology and security-related investments, personnel recruitment and contracting with consultants to help the company navigate through the incident recovery minefield. Public relations, notification and credit monitoring are other expenses that should be planned for. The need for cyberextortion coverage, a more recent cyber risk, should also be considered.
5. What are my policy’s specific exclusions?
A number of specific exclusions can be buried in a contract’s legal terms. It is important that these be communicated to the risk management team for appropriate consideration and development of alternative risk mitigation strategies. For example, cyberevents that occur at vendors and third-party service providers can pose a significant liability and create uncertainty as to who will compensate harmed customers.
6. Is incident response guidance incorporated into our plans?
A number of insurance carriers provide a guide to help their customers minimize the damage from an incident. These guides outline best practices for preventing and managing the incident and the business response, including security practices and containment strategies. Leveraging these guides can also help facilitate the claims process by helping to ensure that needed evidence and files are appropriately preserved. Some insurance plans require that you use designated attorneys and computer forensic investigators.