Cyber Insurance As A Service: What It Is, Why You Should Be Selling It, and What You Should Tell Your Customers
As of 2018 a high percentage of cyber losses are, and are projected to be, going uncovered. According to the recently released Geneva Association report, the global cyber protection gap is 90 percent and, “from a macro perspective, insurance-based transfer of cyber risk lacks any real relevance.” While this is largely a function of supply for exposures that are (at least arguably) uninsurable, there is certainly a demand-side deficiency. Businesses, and small businesses in particular, are not seeing the value in the cyber insurance solutions available today. While the blame for that shortcoming may not rest squarely on us as licensed insurance agents and brokers, the charge for addressing the issue does.
And this shouldn’t be a charge for just the cyber specialist brokers. Cyber is not specialty insurance, despite being frequently labelled as such. The exposure inherent in running a business dependent on connected systems is not confined to healthcare providers or retail stores or any other particular class of business. At this point, every business in America has a material cyber exposure. If you are selling any commercial insurance policy, you should be able to credibly present your client with a cyber insurance option.
One of the things that I respect about insurance brokers is their insistence on providing service beyond the transaction. Brokers are counselors, not just salespeople. In the case of small businesses, they serve as risk managers for operations not large enough to designate an employee to that role. Not wanting to sell an insurance policy without providing the risk counseling service to surround it is admirable. Luckily, the path to becoming a legitimate resource in this area is not as complicated as it may seem.
We need to ask ourselves three questions:
What should be included in an adequate cyber insurance program?
This question seems to have gotten more complicated over the years as profitable results have forced carriers to adopt increasingly adventurous terms in order to win market share. What is telecommunications fraud coverage? Might I be negligent in my duty to my client if I sell them a policy without this coverage? It’s not that these ancillary coverage elements are irrelevant; it’s just that we’re missing the point.
Let me put it this way: if a friend came to you expressing a desire to learn to speak Spanish, you would be correct in telling her that the Spanish language is complex and nuanced. It has developed over thousands of years and continues to evolve differently in different parts of the world. You might tell her that, if she wants to learn to truly communicate with someone from Bogota, then only total immersion will do the trick. She should move to Colombia for a year. What you’ve said is undoubtedly true, but it will also almost certainly lead your friend to push her language learning project off until another year. Ten to twenty minutes per day of Duolingo would have been extremely valuable to her. Not as valuable as a year in Colombia, but definitely more valuable than setting the whole goal aside.
All of your clients share this exposure: a breach of their systems could cause privacy issues and system downtime, resulting in significant lost income, lost money, first party restoration costs, defense expenses, fines, and damages. As such, a cyber insurance program should address each of the following:
- Both network security and privacy security triggers.
- Forensic expenses and other system restoration costs.
- A response for extortion/ransomware.
- Notifications, credit monitoring and other services required after a privacy incident.
- Loss of money or financial instruments due to fraudulent instructions enabled by a system breach.
- Defense costs, damages, and fines/penalties for both claims and regulatory proceedings. This should include Payment Card Industry Assessments.
Could a cyber insurance policy provide broader terms than this? Definitely, and at this point, many of them do. But the point is this: the coverage elements above will significantly decrease a small business’s chance of being seriously damaged by their systems being breached and/or used for an unauthorized purpose. All agents and brokers, no matter their experience in cyber, should be earnestly presenting these terms to all of their clients. How much limit is adequate? Absent a contractual obligation, that question is difficult to answer, but I’m absolutely sure the correct response is not $0.
Which brings us to our next question:
Is cyber insurance a good value?
Ask your clients this question: if you had a system breach or a privacy incident, who would you call? Most of them won’t know how to answer that question. With any limit of cyber insurance purchased from a qualified carrier, your client will be given at least the following:
1. A reliable phone number, email address, or even a one-button method for asking for help.
2. Access to a breach coach/counselor to guide them through the process.
3. Access to counsel with relevant expertise and experience.
4. Access to forensic firms and other technology service providers.
5. Access to credit bureau services to provide necessary privacy notifications and related services.
6. Items 2 through 5 above at rates that no small business could hope to negotiate on its own.
With policies available for pricing less than $1,000, that is a good value even if insurance weren’t included. But it is, of course. Even so, a risk management program should be of service even in the absence of a negative event.
And so our final question:
Can I really do more than just sell a cyber policy?
A quality insurance broker provides comprehensive risk consulting, of which an insurance policy is just one component. Again, this is a respectable reservation, but one that can be easily overcome with some assistance. The threats relevant to cyber risk seem disparate and broad because they are, but know this: the runaway leaders in the cause-of-breach category for small businesses are all related to employee behavior. Find a way to help them implement the following controls:
- Designate an individual or provider to administer the company’s network and privacy security policies and related employee training.
- Provide and enforce regular employee training on phishing recognition and acceptable computer use.
- Implement a process to prevent access to inappropriate content, known phishing websites, and sites running malicious scripts.
- Provide employees with a password manager to encourage strong credentials.
- Employ VPN, SSL Tunnel Proxy, or equivalent enterprise measures to mitigate the risks associated with employees working remotely through unsecured WiFi.
If that still sounds complicated, that’s ok. That’s why Paladin is here. Uninsured and unmanaged cyber exposures are an enormous problem. Having met hundreds of insurance agents and brokers in my fifteen years in the insurance industry, I have no doubt that they are capable of and in the best position to solve this problem. That is why we are so eager to join this community of service providers and start chipping away at this thing.
If you’re up for it, or if you just want to learn more about how we can help, I’d love to hear from you. Feel free to email me at email@example.com.
- Kai Uwe Schanz, Senior Advisor, The Geneva Association, “Understanding and Addressing Global Insurance Protection Gaps,” April 2018.
- Verizon, 2018 Data Breach Investigations Report, 11th Edition, p. 11.