More companies are starting to purchase cyber liability insurance in the wake of a string of high-profile data breaches. But it's a relatively new type of insurance, and policies can vary from carrier to carrier, so it behooves companies to ask plenty of questions and make sure they understand what they're buying.
Certainly the breaches that occurred over the last 18 months were big enough to capture executives' attention. In late 2013, a breach at Target exposed the credit and debit card data of 40 million customers, as well as information such as addresses and emails for another 70 million. In 2014, companies hit by data breaches included Home Depot, which had 56 million card records compromised, and JPMorgan, where the names, addresses, and phone numbers of 76 million households and 8 million small businesses were exposed.
“There's no doubt that on the back of what happened in 2014, particularly in the retail sector, the sale of cyber insurance has really accelerated,” said Ben Beeson, vice president for cyber security and privacy at brokerage Lockton Cos. The amount of premium spent on cyber coverage is estimated to total about $2 billion now, he said, almost double the level 18 months ago.
“We've seen not only new buyers, but buyers of increased limits,” said Catherine Mulligan, senior vice president and national underwriting manager for specialty E&O at insurer Zurich. “Companies that were buying, say, a $20 [million] or $30 million tower are [now] buying limits higher than that. We're also seeing that the sales cycle has shortened—companies are making the decision quicker than they were four or five years ago.”
Joe DePaul, senior vice president of the FINEX North America cyber and E&O team at brokerage Willis, said most inquiries these days involve privacy liability, which deals with the costs stemming from a data breach, such as the cost of notifying consumers or providing credit monitoring, forensic services, legal, and public relations expenses. Policies also can cover a company's loss of income because its system is down or expenses related to lawsuits from third parties that were affected by the company's breach.
DePaul said that although cyber policies tend to look similar, “when you get into looking at specific carriers that are offering coverage, forms do vary greatly.”
Companies shopping for cyber insurance should find a broker with expertise in this area, and they also need to have a good handle on their own IT processes and any gaps in their IT security, Mulligan said.
Heidi Lawson, a partner in the law firm Mintz Levin Cohn Ferris Glovsky and Popeo who's also a former insurance broker, said companies should be sure they know what their cyber policy covers, and how it fits together with other insurance policies, since there are gaps.
“A cyber policy is not a silver bullet,” Lawson said. “It's part of an overall solution that has many different pieces. It covers an aspect of a cyber breach, but not all of it.”
For example, cyber policies won't cover officers and directors if they're sued in the wake of a data breach, she said, and D&O policies often won't cover that either because they have a privacy exclusion. If a data breach subsequently leads to theft, the cyber policy won't cover that either, Lawson said.
“You have to look over your exposures, look at where the coverages need to come,” she said. “If you need more, you need to work with an insurer who has the ability to amend the form to actually fit your business.”
Meanwhile, in a couple of recent incidents, hackers have gone after more than just data. The Sony breach late last year not only exposed personally identifiable information, it destroyed the company's network and damaged its reputation. Also late last year, the German government reported that a German steel manufacturer had suffered physical damage to its plant after hackers attacked the plant's operating system.
While perpetrators of data breaches generally go after information they can sell on the black market, “what we're seeing now is more hacktivism,” said DePaul. “What we're seeing is organizations and individuals really wanting to get into an organization to cause harm, to cause trouble—not because they're looking for a financial gain but because they have a message and they want to be heard.”
Cyber policies would cover the restoration of Sony's network and data, but not physical damage like that suffered by the steel manufacturer. That may change, though. DePaul said some carriers were considering offering coverage for physical damage to facilities caused by a hacker or malware.
Beeson said the cyber insurance market needs to expand so that individual companies are able to obtain bigger amounts of insurance.
Individual insurers are wary of offering more than $10 million in cyber coverage, Beeson said, so arranging $100 million of coverage requires 10 to 15 insurance companies.
“Some of these financial institutions, they're big, they're not going to get out of bed if all that's available is $100 million,” he said. “The market has to get to $1 billion, and we've got a long ways to go to get there.”
The growing popularity of cyber liability coverage hasn't had much effect on prices so far. DePaul said that while retailers are seeing increased pricing and a hardening in terms and conditions in the wake of the data breaches in that industry, overall pricing for cyber coverage is mostly flat. He attributed that to the “tremendous amount of capacity,” with an estimated 60 to 75 carriers offering the coverage.