"As a broker who focuses exclusively on cyber insurance, it's mind boggling to me that both Cottage and their insurance broker bypassed that policy exclusion," she said.
"I can't say it enough -- not all policies are the same, and there are many that cover these incidents. Companies clearly must do their due diligence."
That is also the message from Selena Linde, a partner at Perkins Coie LLP. "The exclusion in the Columbia policy for failure to follow minimum required practices is not standard for the industry," she said.
Part of the problem, according to Jared Kaplan, executive vice president and CFO of insureon, is that cyber insurance is relatively new in the industry, unlike auto or home.
Modern vehicles, he notes, have multiple safety systems built in and, "because cars have been around for a while, insurance underwriters have very reliable data for estimating any individual driver's potential to have an accident and at what cost.
"Data breaches, on the other hand, are new territory," he said. "If you watch the news, you know they're happening every day. Nobody's quite sure how to quantify the costs."
Linde agreed, noting that, "although cyber insurance has been around for more than a decade, it is still in its infancy and there are no standard ISO forms.
"Cyber policies are still the Wild West," she said, "so understanding the policy language you are purchasing and how it will respond under potential scenarios for your company is crucial."
Beyond that, Kaplan said a large percentage of organizations aren't practicing basic security. He said one study found that 92 percent of breaches could have been prevented with basic measures like encryption, secure data backup, and data access control.
"This would be like 92 percent of drivers not honoring traffic signals," he said.
Bennett said cyber insurers are "struggling mightily to find out how to underwrite these policies, to set prices appropriately and specify the limits that they can stand behind."
Another minefield can be exclusions for failure to be in compliance with regulatory frameworks.
As many experts have noted, the ever-evolving cyber ecosystem and changes or updates to frameworks can mean an organization is in compliance one day but not the next, to the point that "compliance fatigue" has become a common term in the security industry.
"Security standards can change at any time," Linde said. "Policyholders cannot be expected to predict the future and should not purchase policies with language that, in essence, requires this."
She said many Fortune 500 companies, upon learning of the new Payment Card Industry (PCI) standards that became mandatory at the beginning of 2015, "implemented procedures to satisfy compliance that will take 12 to 18 months to complete.