TL;DR
Buying cyber insurance without understanding your needs can leave you with inadequate coverage or unnecessary costs. This checklist helps you evaluate your risks, understand coverage options, and ask the right questions before purchasing a policy.
Before You Start Shopping
Know Your Risk Profile
Data Inventory
- What sensitive data do you collect? (PII, PHI, payment cards)
- How many customer records do you store?
- Where is data stored? (Cloud, on-premises, third-party)
- How long do you retain data?
Technology Assessment
- What systems process sensitive data?
- Do you use cloud services? Which ones?
- Do employees access systems remotely?
- What security controls are in place?
Third-Party Exposure
- Which vendors have access to your data?
- Do you have business associate agreements or other contracts that govern how vendors handle your data?
- What happens if a vendor is breached?
Document Current Security
Insurers will ask about:
- Multi-factor authentication
- Data encryption (at rest and in transit)
- Backup procedures and testing
- Security awareness training
- Incident response plan
- Vulnerability management
- Email security controls
Coverage Types to Evaluate
First-Party Coverage
Breach Response Costs
- Forensic investigation costs
- Legal counsel fees
- Notification costs (mail, email, call center)
- Credit monitoring services
- Public relations expenses
Business Interruption
- Waiting period before coverage applies
- How lost income is calculated
- Coverage duration limits
- Extra expense coverage
Cyber Extortion
- Ransom payment coverage
- Negotiation services
- Forensic investigation of attack
- System restoration costs
Digital Asset Restoration
- Data recovery costs
- System restoration
- Security improvements made during recovery (betterment), which many policies exclude unless specifically included
Third-Party Coverage
Liability Claims
- Customer lawsuits
- Class action defense
- Settlement coverage
- Attorney fees
Regulatory Actions
- Investigation defense costs
- Regulatory fines and penalties (where insurable by law)
- Compliance monitoring costs
Contractual Liability
- Vendor contractual obligations
- Customer contractual requirements
- PCI DSS assessments and card-brand fines passed through by your acquiring bank
Questions to Ask Your Broker
Coverage Scope
- What specific incidents are covered?
- What is explicitly excluded?
- Are there sub-limits for specific coverage types?
- Does the policy cover social engineering fraud?
- Is ransomware covered separately, and what’s the limit?
Policy Terms
- What’s the policy period and renewal process?
- What’s the deductible/retention?
- Are there coinsurance requirements?
- What security requirements must we maintain?
- What happens if we don’t meet security requirements?
Claims Process
- What is the claim notification deadline, and does late notice jeopardize coverage?
- Do we need pre-approval for vendors (forensics, legal counsel, PR), or can we use our own?
- What documentation is required for a claim?
- How long does claim resolution typically take?
- What is the carrier’s claims history under this policy form?
Limits and Pricing
- Is the limit per-incident or aggregate?
- What would increase our premium at renewal?
- Are there any retroactive dates?
- Is there coverage for prior acts?
- How does pricing compare to similar policies?
Red Flags to Watch For
Coverage Gaps
Broad Exclusions
Avoid policies with:
- Vague “failure to maintain security” exclusions that let the carrier deny a claim over any control lapse
- Broad war/nation-state exclusions with no clear attribution standard
- Exclusions for unpatched systems without a reasonable remediation window
- Exclusions for acts of employees (insider threats should be covered)
Sub-Limits
Watch for:
- Low ransomware sub-limits (under $250K)
- Social engineering caps under $100K
- Regulatory investigation limits too low to cover defense costs
- Business interruption limits that don’t match your potential loss
Policy Structure Issues
Claims-Made vs. Occurrence
- Claims-made: covers a claim only if it is first made (and reported) during the policy period, regardless of when the incident happened, subject to the retroactive date
- Occurrence: covers incidents that happened during the policy period, even if the claim is made after the policy expires
- Most cyber policies are claims-made; know which you’re buying and what it means when you change carriers
Retroactive Dates
- Incidents that occurred before this date aren’t covered, even if the claim is made during the policy period
- When switching carriers, match the new retroactive date to the old one (or buy prior-acts coverage) so incidents discovered later don’t fall into a gap
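The two triggers and the carrier-switch gap are easier to see as a small model. The following is an added example written for this checklist, not policy language or code from any insurer; the Policy and Incident types, the carrier names and the dates are constructed for illustration, and limits, exclusions and extended reporting periods are deliberately left out so only the timing logic remains.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Tuple

# Hypothetical model of the two coverage triggers discussed above. Carrier
# names and dates below are constructed for illustration.


@dataclass
class Policy:
    carrier: str
    form: str                                # "claims_made" or "occurrence"
    period_start: date
    period_end: date
    retroactive_date: Optional[date] = None  # claims-made only; None = full prior acts


@dataclass
class Incident:
    occurred: date     # date of the breach or wrongful act
    claim_made: date   # date the claim is first made and reported to the insurer


def _in_period(policy: Policy, d: date) -> bool:
    return policy.period_start <= d <= policy.period_end


def coverage_trigger(policy: Policy, incident: Incident) -> Tuple[bool, str]:
    """Does this policy respond to the incident at all? Returns (covered, reason).
    Limits, exclusions and retentions are not modelled here."""
    if policy.form == "occurrence":
        # Trigger is the incident date; a claim made after expiry is still fine.
        if _in_period(policy, incident.occurred):
            return True, "occurrence in period"
        return False, "occurrence outside period"
    if policy.form == "claims_made":
        # Trigger is the claim date; the retroactive date bounds how far back it reaches.
        if not _in_period(policy, incident.claim_made):
            return False, "claim outside period"
        if policy.retroactive_date is not None and incident.occurred < policy.retroactive_date:
            return False, "incident before retroactive date"
        return True, "claim in period, incident on or after retroactive date"
    raise ValueError(f"unknown policy form: {policy.form!r}")


def prior_acts_gap(old: Policy, new: Policy) -> Optional[Tuple[date, date]]:
    """Incident dates that neither claims-made policy responds to once the old
    policy has expired (no extended reporting period assumed). Returns
    (start, end) with start inclusive and end exclusive, or None if no gap."""
    if old.form != "claims_made" or new.form != "claims_made":
        return None
    if new.retroactive_date is None:          # full prior acts: nothing falls through
        return None
    old_retro = old.retroactive_date or date.min
    if new.retroactive_date > old_retro:
        return old_retro, new.retroactive_date
    return None


def carrier_switch_demo() -> Dict[str, object]:
    """Constructed scenario: a breach in June 2023 is discovered and claimed in
    March 2024, after the insured moved from Carrier A to Carrier B."""
    old = Policy("Carrier A", "claims_made", date(2023, 1, 1), date(2023, 12, 31),
                 retroactive_date=date(2020, 1, 1))
    new_short = Policy("Carrier B", "claims_made", date(2024, 1, 1), date(2024, 12, 31),
                       retroactive_date=date(2024, 1, 1))     # retro reset to inception
    new_full = Policy("Carrier B", "claims_made", date(2024, 1, 1), date(2024, 12, 31),
                      retroactive_date=date(2020, 1, 1))      # retro matched to old policy
    occurrence = Policy("Carrier C", "occurrence", date(2023, 1, 1), date(2023, 12, 31))
    incident = Incident(occurred=date(2023, 6, 1), claim_made=date(2024, 3, 1))
    gap = prior_acts_gap(old, new_short)
    return {
        "old_policy": coverage_trigger(old, incident),
        "new_policy_retro_reset": coverage_trigger(new_short, incident),
        "new_policy_retro_matched": coverage_trigger(new_full, incident),
        "occurrence_policy": coverage_trigger(occurrence, incident),
        "gap_window": tuple(d.isoformat() for d in gap) if gap else None,
        "gap_after_matching": prior_acts_gap(old, new_full),
    }


if __name__ == "__main__":
    for key, value in carrier_switch_demo().items():
        print(f"{key}: {value}")
```

In the constructed scenario the expired Carrier A policy does not respond because the claim arrives after its period, and a Carrier B policy whose retroactive date was reset to inception does not respond because the incident predates it; every breach between the two retroactive dates is uninsured until the new retroactive date is matched to the old one.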
Coverage Amount Guidelines
By Business Size
| Annual Revenue | Records Stored | Recommended Limit |
|---|---|---|
| Under $1M | <10,000 | $500K - $1M |
| $1M - $5M | 10,000-50,000 | $1M - $2M |
| $5M - $25M | 50,000-500,000 | $2M - $5M |
| $25M - $100M | 500,000+ | $5M - $10M |
By Industry Risk
Increase limits for:
- Healthcare (2x base recommendation)
- Financial services (2x base)
- Legal services (1.5x)
- Technology companies (1.5x)
Pre-Purchase Checklist
Information to Gather
- Annual revenue and employee count
- Number of sensitive records
- List of systems and data locations
- Current security controls documentation
- Third-party vendor list
- Previous claims or incidents
- Industry compliance requirements
Documents to Request
- Full policy language (not just summary)
- Policy exclusions list
- Definitions section
- Claims reporting procedures
- Security requirement addendum
- Premium calculation breakdown
Comparing Quotes
Apples-to-Apples Comparison
Create a comparison matrix:
- Total premium
- Deductible/retention
- Limits (per-incident and aggregate)
- Sub-limits by coverage type
- Key exclusions
- Security requirements
- Claims process differences
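A comparison matrix only pays off if you run a realistic loss through each quote rather than comparing premiums. The block below is an added example for this checklist, not a tool from any carrier or broker: the Quote model, the coverage-head names, the two quotes and the ransomware loss figures are all constructed. It applies retention, coinsurance, sub-limits and the aggregate limit in turn, which is where the sub-limit and exclusion red flags from the previous section show up as dollars you pay yourself.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Hypothetical quote model. All amounts are whole dollars; coinsurance is the
# integer percentage of a loss the insured keeps. Carrier names, premiums and
# loss figures below are constructed, not drawn from any real quote or claim.


@dataclass
class Quote:
    carrier: str
    premium: int
    retention: int                      # one retention per incident, paid by the insured first
    aggregate_limit: int                # most the policy pays in total
    sub_limits: Dict[str, int] = field(default_factory=dict)        # cap per coverage head
    coinsurance_pct: Dict[str, int] = field(default_factory=dict)   # insured's share per head
    excluded: FrozenSet[str] = frozenset()                           # heads the policy never pays


def estimate_payout(quote: Quote, losses: Dict[str, int]) -> Dict[str, object]:
    """Walk one incident's costs, by coverage head, through retention,
    coinsurance, sub-limits and the aggregate limit."""
    remaining_retention = quote.retention
    remaining_aggregate = quote.aggregate_limit
    paid_by_head: Dict[str, int] = {}
    for head, amount in losses.items():
        if head in quote.excluded:
            paid_by_head[head] = 0
            continue
        eaten = min(remaining_retention, amount)     # retention absorbs the first dollars
        remaining_retention -= eaten
        eligible = amount - eaten
        eligible = eligible * (100 - quote.coinsurance_pct.get(head, 0)) // 100
        eligible = min(eligible, quote.sub_limits.get(head, quote.aggregate_limit))
        paid = min(eligible, remaining_aggregate)    # aggregate is shared across heads
        remaining_aggregate -= paid
        paid_by_head[head] = paid
    paid = sum(paid_by_head.values())
    total_loss = sum(losses.values())
    return {
        "carrier": quote.carrier,
        "paid": paid,
        "out_of_pocket": total_loss - paid,
        "by_head": paid_by_head,
        # premium plus what you would still pay yourself in this scenario
        "scenario_cost": quote.premium + (total_loss - paid),
    }


def rank_quotes(quotes: List[Quote], losses: Dict[str, int]) -> List[Dict[str, object]]:
    """Cheapest total cost for the scenario first, not cheapest premium."""
    return sorted((estimate_payout(q, losses) for q in quotes), key=lambda r: r["scenario_cost"])


# Constructed ransomware scenario, by coverage head (not a real claim).
RANSOMWARE_SCENARIO: Dict[str, int] = {
    "cyber_extortion": 400_000,
    "forensics_restoration": 150_000,
    "business_interruption": 600_000,
    "regulatory_defense": 100_000,
}

# Two constructed quotes: the cheaper premium carries a ransomware sub-limit,
# 20% coinsurance on business interruption and a regulatory exclusion.
ILLUSTRATIVE_QUOTES: List[Quote] = [
    Quote("Carrier A (illustrative)", premium=18_000, retention=25_000, aggregate_limit=2_000_000,
          sub_limits={"cyber_extortion": 250_000},
          coinsurance_pct={"business_interruption": 20},
          excluded=frozenset({"regulatory_defense"})),
    Quote("Carrier B (illustrative)", premium=22_000, retention=50_000, aggregate_limit=2_000_000),
]


def compare_illustrative_quotes() -> List[Dict[str, object]]:
    return rank_quotes(ILLUSTRATIVE_QUOTES, RANSOMWARE_SCENARIO)


if __name__ == "__main__":
    for r in compare_illustrative_quotes():
        print(f"{r['carrier']}: pays {r['paid']:,}, you pay {r['out_of_pocket']:,}, "
              f"scenario cost {r['scenario_cost']:,}")
```

Run it and the $4,000 cheaper premium leaves roughly $370,000 uncovered on a $1.25M incident, against $50,000 for the dearer quote, so ranking by premium and ranking by scenario cost give opposite answers. Swap in your own loss scenario and the sub-limits, coinsurance and exclusions from each quote's full policy language; the retention is applied once per incident, so the order of coverage heads only changes the per-head split, not the totals.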
Beyond Price
Consider:
- Carrier financial strength (AM Best rating)
- Claims handling reputation
- Policyholder service quality
- Risk management resources included
- Broker expertise and support
Working with Your Broker
What to Tell Them
- Complete and accurate security information
- Honest assessment of security gaps
- Business growth plans
- Compliance requirements
- Budget constraints
What to Ask Them to Do
- Get quotes from multiple carriers
- Explain coverage differences clearly
- Identify gaps between quotes
- Recommend coverage improvements
- Help with application accuracy
Next Steps
Use our cyber insurance calculator to estimate appropriate coverage levels for your business. Then use this checklist to evaluate your options and ensure you’re getting the right coverage.