4 pitfalls to avoid in a cyber insurance policy

There are some provisions common to many cyber policies that may present risk to all policyholders due to imprecise or restrictive coverage language.

By Stephen T. Raptis | April 17, 2017 at 02:15 AM

As more and more companies enter the burgeoning cyber insurance marketplace, they often ask policyholder counsel like me how they can choose the best cyber policy when confronted with so many choices.

When the marketplace was still in its infancy just a few years ago, this was a considerably harder question because the policy forms, including the scope of first-party and liability coverages being offered by different insurers, varied so drastically. But as the cyber insurance marketplace enters its adolescent stages, there is beginning to be more standardization in available coverages and exclusions, at least at a high level.


But what has not changed is that many key terms of these policies remain negotiable (considerably more so than for other types of insurance policies), and the courts have been presented with few opportunities to provide guidance on how key provisions in these policies are likely to be interpreted.

The net result is that prospective policyholders can and should continue to negotiate aggressively in the underwriting process, especially when purchasing cyber coverage for the first time. But what provisions should a prospective policyholder be most concerned about? The answer depends largely on the most prevalent risks faced by individual companies, which are unique to them.

However, there are some provisions common to many cyber policies that, in my view, present risk to all policyholders due to imprecise or inappropriately restrictive coverage language. Because these provisions are almost certain to be the basis of numerous denials of coverage, they are likely to be tested in litigation in the next few years and deserve particular focus by prospective policyholders. Some of these looming battleground provisions include:

Retrospective dates

Most cyber policies are subject to a specified retrospective date, which means that liability claims, such as data breaches, arising from events occurring prior to that date are not covered. Often, the insurer will set the retrospective date at the inception date of the first policy the insurer issues to a particular insured. This can be a significant problem, especially for first-time insureds, due to the close temporal proximity between the retroactive date and any potential claims.


To make matters worse, many cyber policies contain language purporting to relate all causative events back in time to the date of the initial causative event. In many cases, this problem will begin to alleviate itself over time if the policyholder renews its cyber policy with the same insurer (i.e., the retroactive date will remain fixed at the initial inception date as successive policies are issued). That said, I still see more cyber claims denied on this ground than any other.

Some cyber insurers will agree to backdate applicable retroactive dates for prospective policyholders and some will not. Particularly with respect to the latter, significant factual disputes regarding the specific events precipitating an otherwise covered claim are entirely foreseeable. The complex technical aspects of data networks and the inherent uncertainties regarding the genesis of many breaches are likely to exacerbate these disputes even further.

Unauthorized access to computer systems

Many cyber policies provide coverage only where access to the insured's computer system is “unauthorized.” Some insurers will argue that this precludes coverage where an employee negligently provides access (such as losing his or her password) or is tricked into providing access (such as in a spear phishing attack).

Some insurers have sought to clarify the scope of “unauthorized access” by defining that term in their policies, but others have not. Like many cyber policy provisions, the scope of this definition may be negotiable, and any ambiguities should be resolved in favor of the policyholder under general principles of insurance policy interpretation. But given the ever-increasing frequency of cyber fraud and the ever-increasing ingenuity of cyber fraudsters, the extent to which there is coverage under cyber policies for unintentional but arguably authorized access to computer systems is likely to be disputed vigorously.


© 2024 ALM Global, LLC, All Rights Reserved.
