The increasingly digital nature of credit union operations and the nearly constant news of hacking incidents are fueling demand for cyberliability insurance – coverage that protects against data breaches and network attacks – but credit unions are quickly discovering, sometimes the hard way if they're not careful, that those policies require special attention.

With the average cost of a data breach hitting $6.5 million last year – up more than 10% from 2013 – according to the Ponemon Institute, it's no surprise credit unions want to mitigate that risk. But credit unions often don't understand what they're buying when they purchase cyberliability insurance, experts say, and sometimes they don't realize their policies may have sublimits that could mean substantially lower than expected payouts under certain circumstances. Credit unions also often fail to shop around, falsely assuming cyberliability policies are generally the same. The result can be higher than necessary premiums and unpaid or underpaid claims.

To be sure, more companies want cyberliability insurance. The market for it is booming, posting a 36.6% compounded annual growth rate, according to recent data from ABI Research. By 2020, the firm said, it should be a $10 billion business. Charles Bellingrath, who heads the Privacy, Network Security and Technology E&O practice for the Boston-based wholesale insurance broker ARC Excess & Surplus, said he thinks the market will double this year.

“We've never been busier than we are right now. I say that probably every month,” he chuckled.

Cyberliability coverage has been around since the late 1990s, Bellingrath said, but sales really took off when states began passing breach notification laws (California was the first in 2002). Federal laws such as HIPAA and the Gramm-Leach-Bliley Act have also put pressure on organizations, leading to more regulatory investigations and class action suits when breaches occur, he noted.

But even though the market has mushroomed, coverage is still somewhat rare: Less than 20% of large enterprises have cyberliability policies, and fewer than 6% of small- and medium-sized enterprises do, according to ABI Research. As more organizations face legal fights over exposed data, that's likely to increase, however, and Bellingrath told CU Times he's seeing larger companies requiring vendors to buy coverage, fueling demand further.

Pricing on cyberliability insurance is largely a factor of how much information an organization holds, he said, and average premiums typically run $7,500 to $25,000.

“We have some financial institutions in the $3,500 to $5,000 range, but then again we also have financial institutions that are in the hundreds of thousands of dollars that they pay depending on size, scope and limit,” Bellingrath said. “For credit unions, you'd probably see premiums start, for the very small ones, probably in that roughly $5,000 range.”

Because cyberliability insurance is a relatively new product, though, there isn't much uniformity among policies – even the language they use varies.

“Breach notification expense will be one carrier's term, while event management will be another carrier's term and breach remediation may be another carrier's term,” he explained.

More important, however, are the vast differences in coverage. A carrier might – or might not – cover third-party liability for class action suits, for example. Regulatory fines, the costs of regulatory investigations, media liability, legal work, forensic services, public relations help, crisis management services, the cost of offering credit monitoring to members, extra call center services or breach notification expenses also may or may not be included. Business interruption, data restoration and even cyberextortion costs might be in or out too, Bellingrath said.

Policies might even dictate where credit unions can obtain those services after a breach.

“Frequently, there is a list of law firms and vendors in the insurance policy,” Scott Godes, a partner at the Washington-based law firm Barnes & Thornburg, who specializes in insurance and technology issues, noted. “Policyholders should understand that if for one reason or another they were to choose somebody not on the list, the insurance company will push back. Be cognizant of that when making selections.”

One of the trickiest areas of cyberliability insurance is the supplements, Godes told CU Times.

“Companies frequently think that they're buying an insurance policy with X dollars in limits, and then it turns out, for various amounts that they are going to pay, various obligations they have, the supplements apply and offer significantly less,” he said.

A $10 million policy may not actually pay $10 million, for example; there might be a $250,000 or $1,000,000 limit on various aspects of a cyberattack or data privacy incident.

“That catches a lot of companies by surprise,” he warned.

And that's why it's important to have a lawyer review the policy, Godes said.

“Sometimes there are totally latent ambiguities, which means that the ambiguity doesn't come out until you have a very specific kind of claim,” he explained. “Then, as you're dealing with the claim, all of a sudden, the ambiguity becomes apparent to everybody that's involved. If there are trapdoors that are obvious in the face of the policy, and they are problematic in light of the type of risk that's specific to a credit union, then it's a discussion to be had with the lawyer.”

He added, “Probably the biggest thing to keep in mind is that an insurance carrier almost always is using a lawyer to evaluate coverage. When dealing with a claim, keep in mind that they've already lawyered up before you've even thought about it.”

Waiting to file a claim is also a good way to create headaches with cyberliability carriers, Godes said.

“Insurance companies love to assert that they got notice late and that because they got notice late, there's no coverage,” he warned.

Bob DeLisa, president of the Windsor, Conn.-based Cooperative Systems, which specializes in IT for credit unions, said the biggest misconception credit unions have about cyberliability insurance is that it's too expensive and not worth it. But that's a mistake, he cautioned. Incidents such as browser-based attacks are a real threat to credit unions and often go undetected for a long time, he said, but credit unions often don't have the money or the incentive to invest in cutting-edge technology to ward them off.

“The boards of directors of these credit unions are saying, 'Well geez, we're just throwing good money out here; why don't we just take our chances, save the money? Because we're a small credit union, we're not likely to get attacked,'” he said.

And although a credit union's other insurance policies might seem to cover at least some of the losses from a data breach, for example, carriers are frequently reluctant to agree, Godes added.

Sometimes clients learn the hard way, Bellingrath added.

“We've even quoted stuff in the past and some people have said, 'Ah, you know what? I don't see the need for it.' Then they have a breach six months later and it's much more difficult to get it.”

Credit unions that already have cyberliability coverage have to be careful, too.

“Cyberliability policies seven, eight years ago, they were easy to get,” DeLisa said. “What shocked me was that if you were early on on a policy, you would just renew that policy and renew that rider and feel like you were safe. Now, you really need to relook at those policies and see really what they're all about.”
