First, let's be clear: cyber insurance IS NOT A DEFENSE! We in the industry continue to hear this at an executive level, so let's discuss.
Cyber insurance is still being sold by traditional means, and it currently makes up only about 1% of all insurance types. That being said, not only are many agents not qualified to address the risks, but the data regarding the safeguards is not there for the industry (by industry I mean that the insurance industry usually has years, decades, or centuries of data to rely on). So the data on cyber insurance is weak. The cyber insurance players are aware of this and continue to gather information that benefits both the insurer and the insured. However, it also means that they are more savvy and better able to address policies that the insured put little time into filling out, or cases where the insured did not follow due care or due diligence in the delivery of their business. So actions are being investigated more thoroughly and challenged. Another interesting fact from a recent cyber insurance presentation: the share of vendors (people delivering products or services) who stand behind their product from a liability perspective is below 2%! Many do not even have errors and omissions coverage.
In very simple terms, there is First Party (which is your stuff) and Third Party (which is either other people's stuff or people coming after you).
So as you think about the types of coverage and safeguards, think about this: whose records were breached, how many individuals, type of records, public disclosure, industry, complexity of infrastructure, and complexity or maturity of security controls.