“I’d be careful who you buy from,” says Betterley, adding that it could be worthwhile to find a provider that’s been “in the [cyber insurance] market for a while,” or perhaps one that’s a “household name.” But others say that, due to the widely varying nature of policies, organizations should avoid limiting their options. It could be good to review a provider’s “financials,” however, says Paray.
Companies might consider working with a trusted broker who can help explain policies and, in some cases, identify fine print that could eventually limit possible payouts.
Experts also advise choosing a comprehensive policy, particularly packages covering third-party liabilities, because regulators are holding first-party companies more accountable for third-party losses. More organizations want their business partners to hold cyber insurance, says Paray. But it might help to insure against those partners’ missteps as well.
In some cases, policies termed “privacy insurance” will have more extensive coverage than their cyber counterparts, according to the Forrester report. While there isn’t always a clear distinction between the two types of policies, many privacy products will likely cover losses of sensitive information as opposed to focusing on a set of events that may have caused the loss.
It can also be important to find policies that cover incidents involving both electronic and nonelectronic data, such as information stored on paper documents, says Betterley. A growing number of policies also cover data loss and privacy incidents related to social media, he says. Such coverage could be worthwhile for companies active in social media.
Companies might also seek policies covering lawsuits stemming from excessive data collection, according to Larry Racioppo, head of the executive liability practice at the professional services firm Towers Watson. A growing number of lawsuits have stemmed from those types of incidents.
The cyber insurance market remains relatively small: just 2 percent of organizations that hold business insurance also hold cyber insurance, Forrester estimates.
But for some organizations—especially those handling large amounts of sensitive information—a policy could be worthwhile. If an incident does occur, says Betterley, it helps if you “can go to the board and say ‘we have a policy to cover this.’”