
Step 1: Understand Your Own Risk Profile
Before comparing policies, you need a clear picture of what you’re actually protecting. The right coverage depends entirely on your specific business. Work through these questions:
- Do any of my clients require me to carry cyber insurance as a contract condition?
- What types of data does my business collect and store?
- How many customer or employee records do I hold?
- What technology do I depend on — and what happens to revenue if it goes down for a week?
- Do I use third-party vendors or cloud platforms that could introduce vulnerabilities?
- What industry am I in, and what data regulations apply to me?
Your answers will shape which coverage types matter most and what coverage limits you actually need.
Step 2: Verify the Key Coverage Areas — and the Watch-Outs
Not all cyber policies include the same protections. Here is a checklist of the core areas to confirm — and what to look out for in each:
| Coverage Area | What to Confirm | Watch Out For |
|---|---|---|
| Ransomware / Extortion | Ransom payment + negotiation | Exclusions requiring law enforcement approval first |
| Data Breach Response | Notification, forensics, monitoring | Sub-limits that cap coverage far below policy max |
| Business Interruption | Lost revenue while systems are down | Waiting periods (often 8–12 hrs) before coverage starts |
| Legal Defense | Attorney fees and court costs | Policies that exclude regulatory investigations |
| Regulatory Fines | HIPAA, GLBA, Texas penalties | Fines excluded in some states — verify explicitly |
| Social Engineering / Fraud | Phishing and wire transfer losses | Often optional — confirm it is included, not assumed |
| Third-Party Liability | Claims from affected customers | Per-claim limits much lower than aggregate policy limit |

Step 3: Set Coverage Limits That Reflect Your Real Exposure
Many businesses choose the lowest limits to save on premiums — only to find, after an incident, that coverage maxes out well short of their actual losses. As a starting point:
- Most small businesses: minimum $1 million in coverage
- Regulated industries or high data volume: consider $2–5 million
- Any business with contractual vendor requirements: confirm the required minimum with clients
Also review sub-limits carefully. A policy with a $1 million overall limit may only allow $100,000 for a specific incident type. If your ransomware response costs $400,000 and the ransomware sub-limit is $100,000, you pay the difference.
Step 4: Read the Exclusions
Exclusions are where many businesses get caught off-guard. Common ones to look for:
- Prior acts exclusions — breaches that began before your policy start date
- Failure to maintain security — if basic precautions were not in place, coverage may be voided
- War and nation-state exclusions — attacks attributed to foreign governments may not be covered
- Employee criminal acts — intentional fraud may require a separate fidelity bond
If an exclusion concerns you, ask whether it can be modified or removed with a policy rider.
Step 5: Evaluate the Insurer’s Response Capabilities
The best policies don’t just pay claims — they help you manage the incident in real time. Ask potential insurers:
- Do you have a 24/7 breach response hotline?
- What IT forensics, legal, and PR firms are in your response network?
- How quickly can your team mobilize after we report an incident?
- Do you offer proactive resources like security assessments or training tools?
A responsive insurer can reduce a two-month recovery to two weeks. That difference has real dollar value.
Step 6: Work with an Independent Insurance Advisor
The cyber insurance market has dozens of carriers with dramatically different policy terms, exclusions, and pricing. An independent advisor — one who is not tied to a single carrier — shops the market on your behalf, compares policies side by side, and explains the fine print in plain language.
At Worthen Insurance Group, that is exactly how we work. We are independent, which means our job is to find the best fit for your business — not push a product from one company.
Coming Up Next in This Series
The next 11 posts cover industry-specific cyber risks and coverage — starting with E-Commerce, Energy, SCADA Systems, Property Management, Real Estate, Professional Services, Financial Institutions, Healthcare, Education, Nonprofits, and Technology E&O. Each post is tailored to the specific threats and regulatory landscape of that industry.
Ready to Compare Policies? Let’s Talk.
Worthen Insurance Group has served Texas businesses for over 20 years. We are an independent agency, which means we work for you — not for any single insurance carrier. We will find the right cyber policy, explain exactly what you’re getting, and make sure you’re covered before something goes wrong.
Up next in this series: Cyber Insurance for E-Commerce Businesses
