Cyber attack risks require raising security bar

NEW YORK—While there is no way for companies to completely eliminate the risk of data breaches and cyber attacks, there are several steps they can take to reduce their potential financial and reputational losses.

“The fact is that you're going to be attacked. That's the reality,” said Alan Brill, senior managing director of secure information services for New York-based Kroll Inc. A well-crafted cyber risk management program need not be wildly expensive or complex, Mr. Brill said, but should at least strive for “commercially reasonable levels” based on company size and industry.

He was speaking as part of a panel of experts at the third annual Business Insurance Risk Management Summit® held Feb. 29-March 1 in New York.

“There are things you can do that aren't terribly expensive or terribly difficult that can raise the bar in terms of your security,” Mr. Brill said. “It's not going to amount to a 100% perfect security, but you won't be the weakest firm on the block—and that's a good start.”

Above all, cyber liability cannot be addressed in a vacuum. When contemplating any significant actions or policy implementations, a company would be well-advised to involve leaders from all of its major administrative divisions to assess any potential impacts to its data holdings.

Discussions should include the department heads in information technology, risk management, legal, finance, human resources, marketing or public relations, procurement, operational units and, when possible, third-party business partners and vendors, experts said.

“When you have companies that involve leadership from various departments within the company in decisions regarding cyber liability issues, the results are so much better,” said Lori Nugent, a Chicago-based partner with Wilson Elser Moskowitz Edelman & Dicker L.L.P.

“All of those different stakeholders will have valuable input that can help you minimize your risk,” said Richard Santalesa, New York-based senior counsel at the Information Law Group.

The level of care with which a company has organized and regularly updated a comprehensive data breach response plan—including a clearly delineated set of individual and team responsibilities—will not only play a deciding role in the overall effectiveness of any mitigation efforts in the event of a breach, it will likely factor significantly in an insurer's appraisal of a policyholder, experts said.

“A critical part of our evaluation of a potential insured is that preparedness of your teams to respond quickly,” said Daniel Riordan, New York-based president of specialty products for Zurich North America Commercial.

“A data breach can't be an ad-hoc event. It has to be something you're prepared for ahead of time,” he said.

In terms of pre-emptive risk management, Mr. Brill said companies can go a long way toward reducing their exposure to significant losses resulting from a security breach by putting themselves on a “data diet.”

“Ask yourself if you actually need to collect the information you're collecting,” Mr. Brill said. “There is an enormous amount of information that we never use but we never get rid of. It's 100% risk and 0% value. As a risk manager, that's the scariest equation you're ever going to hear.”

One key element of successfully navigating a cyber attack or data breach, and one that experts say many companies overlook, is the establishment of a clear breach management plan and a breach response team designated to execute that plan.

“The thing that we see most often are companies that are unclear as to what the firm's management and the board of directors expect of them, who's responsible for what specific tasks and who has the authority to do what,” Ms. Nugent said.

When crafting a response plan, panelists said companies should place particular emphasis on public relations, as reputational harm often can prove more costly over time than any direct financial losses.

“There are few things that can impact your brand more than a data breach,” Ms. Nugent said, adding that a well-prepared company could enhance its brand depending on its response to a security breach.

“Folks expect attacks to happen, and they know that security is not perfect,” Ms. Nugent said. “What they learn when you respond to a breach tells them a lot about what kind of company you are and whether they want to do business with you.”