Jenny Soubra, US head of cyber for Allianz Global Corporate & Specialty, spoke with TechRepublic’s Dan Patterson about what companies should look for when shopping for a cyber insurance policy. Here’s their conversation:

Patterson: When I shop for an insurance policy, some types of policies are almost like a retail experience, where if I have a car, I could go to a car website and say, “Well, this is the make, this is the model, this is how much it’s going to cost?” Do a little price comparison, and end up with a policy at the end of my click-through.

Health insurance is obviously vastly different and more complicated. What is the process in terms of purchasing cyber insurance and how do I know that the things in my business that need to be covered are?

Soubra: Generally speaking, when an organization is looking to purchase cyber insurance in the US, they need to have an insurance broker. That broker acts as the intermediary between the client and the insurance company, and the broker’s duty is to the client to make sure that they are getting the best terms and conditions, not just in terms of pricing, but in terms of coverage. The broker can also help negotiate what might be best, coverage-wise, for different industry verticals, for different size companies. There is a chain to get to the insurance company itself, from the client to the carrier. Generally speaking, the client and the carrier are not dealing directly with each other. It’s always through a broker.

Patterson: What about the cybersecurity insurance as a service industry? We see almost every industry being serviced as a SaaS model. What does this landscape look like? Are there a lot of different vendors out there? What I’m getting to is, how do I choose the right insurance company for my business?

Soubra: That’s a difficult question. One of the issues in the cyber market itself is just that there’s not consistency across the board from policy to policy, especially in terms of policy language. So different carriers will call the same thing by different names. Somebody might call the bucket of money to deal with a privacy event a data-breach fund. Somebody else might call it event management. Somebody else might call it something else. And so when the consumer is comparing the different policies, it is hard to figure out what’s the same and what is different, which is, of course, where the broker comes in.

In terms of the service piece of it, that’s where the vendor panel comes in, using “vendor” in a slightly different sense than what we already talked about, providing pre-loss mitigation services. It’s a suite of services that the client can choose from, anywhere from phishing training for their employees within the organization, to sandboxing services where they’re identifying some sort of ransomware or malware that’s come in. They take it. They put it in a virtual sandbox to figure out what it is. We’ve got the pre-loss assessments, both from an external perspective, and then also the assessments that actually go into the network to identify the vulnerabilities.

When we’re looking at services around cybersecurity, there are the two sides. There’s the pre-loss and then there’s the post-breach response, which includes some of the categories that we mentioned earlier around forensics and notification, public relations, and that sort of thing.