"And depending on what kind of business you have, you certainly want to make sure that it will cover any response to any investigations by law enforcement and regulatory agencies and any fines that might be imposed," he added. "That's something a lot of companies overlook."
In addition to checking what the policies will cover, companies should also check the other fine print -- what they have to do in order not to void the coverage, said Eric Cole, fellow at SANS Institute.
"For example, many policies state that organizations must apply all patches to all systems within a set period," he said. "Many organizations fall short on a few servers which will allow the insurance company to not have to pay on the policy."
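The patch-window condition Cole describes is easy to check with an inventory export. The following script is an added illustration, not part of the original article or anything from SANS Institute; the inventory records and the 30-day window are constructed for the example, and the `check_patch_window` function is a hypothetical name. It flags both patches that are still missing past the deadline and patches that were applied late, since either could give an insurer grounds to dispute a claim.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class PatchRecord:
    """One row of a constructed patch inventory export."""
    host: str
    patch_id: str
    released: date            # vendor release date of the patch
    applied: Optional[date]   # None means the patch is still pending


# Constructed sample inventory (assumption: not real systems or patch ids).
SAMPLE_INVENTORY: List[PatchRecord] = [
    PatchRecord("web-01", "PATCH-0001", date(2024, 1, 2), date(2024, 1, 10)),
    PatchRecord("web-02", "PATCH-0001", date(2024, 1, 2), None),
    PatchRecord("db-01", "PATCH-0002", date(2024, 1, 15), date(2024, 3, 1)),
    PatchRecord("db-02", "PATCH-0002", date(2024, 1, 15), None),
    PatchRecord("app-01", "PATCH-0003", date(2024, 2, 20), None),
]


def patch_age_days(rec: PatchRecord, as_of: date) -> int:
    """Days between release and application, or between release and today
    if the patch has not been applied yet."""
    end = rec.applied if rec.applied is not None else as_of
    return (end - rec.released).days


def check_patch_window(records: List[PatchRecord], window_days: int, as_of: date) -> list:
    """Return one breach entry per patch that exceeded the policy window.

    A patch breaches the window if it was applied more than window_days after
    release, or if it is still missing and more than window_days have passed.
    """
    breaches = []
    for rec in records:
        age = patch_age_days(rec, as_of)
        if age > window_days:
            status = "applied late" if rec.applied is not None else "still missing"
            breaches.append({
                "host": rec.host,
                "patch": rec.patch_id,
                "status": status,
                "days": age,
            })
    return breaches


def hosts_out_of_compliance(breaches: list) -> List[str]:
    """Sorted, de-duplicated list of hosts that would put the policy at risk."""
    return sorted({b["host"] for b in breaches})


if __name__ == "__main__":
    today = date(2024, 3, 1)  # fixed date so the example is reproducible
    found = check_patch_window(SAMPLE_INVENTORY, window_days=30, as_of=today)
    for b in found:
        print(f"{b['host']}: {b['patch']} {b['status']} ({b['days']} days after release)")
    print("Hosts out of compliance:", hosts_out_of_compliance(found))
```

In practice the records would come from a patch-management or vulnerability-scanner export, and the window and "as of" date from the policy wording; the point is that the report lists the handful of servers that fell through the cracks, which is exactly what an insurer would look for.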
Cyberinsurance is a rapidly evolving field, experts say, very different from auto insurance or fire insurance. Instead of a hundred years of data, the number of breaches is tiny by comparison, and records go back only a few years. Plus, with technology changing as rapidly as it is, data points from a couple of years ago will be out of date tomorrow.
"Companies should always be re-evaluating cyberinsurance," said Dan Weedin, president at Toro Consulting. "In order to be protecting what they want to protect, it's important to be reviewing this coverage on a minimum of an annual basis, if not more often."
Every business is different in how it uses technology and how much sensitive data is collected and stored, and the situations change quickly if, say, a company decides to start offering its customers a new payment channel.
"This causes an increased exposure that can be missed," he said. "Insurers are getting much better at identifying areas of concern."
The situation is certainly better than it was 10 years ago, he added, with insurance agents becoming more knowledgeable about these policies.
"They are better now, yet not what I would consider cutting edge," Weedin said.