Many experts claim that cyber risks are correlated, but there is not much supporting empirical evidence. We consider 3,327 data breach events from 2005 to 2016 and identify a significant asymmetric dependence of monthly losses in two cross-sectional settings: cross-industry losses in four categories by breach types (hacking, lost electronic device, unintended disclosure and insider breach) and cross-breach type losses in five categories by industries (banking and insurance, government, medical service, retail/other business and educational institution). To identify the method that best fits the dependence structure of the dataset, we implement copula modeling by separating the dependence into pairwise non-zero losses and zero loss arrivals. We model the former by pair copula construction (PCC) allowing for the flexible choice of copula functions, whereas the latter is modeled by Gaussian copula. We illustrate the usefulness of our results in two applications to risk measurement and pricing. Our findings are important for risk managers and actuaries who are designing cyber-insurance policies.