Data breaches and security incidents have become commonplace, with thousands occurring each year and some costing hundreds of millions of dollars. Consequently, the market for insuring against these losses (aka cyber insurance) has grown rapidly in the past decade. However, very little is known about these policies and the mechanisms behind the risk assessments. While there exists much theoretical literature about cyber insurance, very little practical information is publicly available. For example, what losses are actually covered by cyber insurance policies, and what are the exclusions? What factors are used to compute the premiums, and how do existing underwriting approaches reflect the technical rate of risk? In this research, we collect and analyze over 100 cyber insurance policies filed with state insurance commissioners. By analyzing these policies, we provide the first-ever analysis of the underwriting process for cyber insurance and uncover how insurance companies understand and price cyber risks.