Cyber liability insurance is growing by leaps andbounds—as fast as EPLI by some comparisons but in a fraction of thetime. According to online information securityprovider Symantec, businesses of all size were a potentialtarget for attackers in 2012.

The largest growth area for targeted attacks—comprising 31percent of all attacks last year—was with businesses having fewerthan 250 employees. This represensts a huge opportunity for agentsand brokers to sell cyber protection to small and midsizedbusinesses.

Yet cyber insurance is still a relatively new concept thatsuffers from a lack of standardization in language, coverage andendorsements, along with the confusing nature of the productitself. So as you approach customers in these markets regardingcyber coverage, keep in mind the following four points.

1. Make It Simple and Relevant

If you ran across a potential customer on MainStreet and stumbled into a conversation about insurance, he'dprobably look at you sideways when asked if he was concerned abouta data breach. The very mention of anything cyber these days oftenleads people down an uncomfortable and unfamiliar slippery path.Relying on industry jargon makes cyber coverage feel even moreremoved and seem like it's only for high-tech companies or verylarge firms, which couldn't be further from the truth.

Use simple terms and scenarios to describe data breach/privacyinsurance. For example, if you start by asking clients whether theyhave any personally identifiable information (PII) on theircustomers or employees and if they have concerns about what wouldhappen if it got out—not because of some hacker from China butrather a disgruntled employee, a frequent occurrence thesedays—you'll likely get their attention. If you talk about theproblems caused if sensitive company data was made public—fromfinancials to salaries—they'll probably lean in even closer.

Most businesses with any employees have PII in some form oranother, making it an excellent starting point for discussing cyberprotection. All firms with payroll or 401(k) plans have SocialSecurity numbers. If they offer health insurance and medicalbenefits, even more sensitive information is on hand that needs tobe protected.

2. Remind That Coverage Extends to MediaLiability

Data breach/privacy policies typically include media liabilitycoverage, a huge plus for many businesses. Virtually anything acompany or its employee does gathering and distributing informationto the public via a website or other communication (email, socialmedia, desktop publishing, etc.) is covered against claims,including defamation, libel, invasion of privacy, copyright andtrademark infringement, unfair competition, piracy, andplagiarism.

Virtually every business in America now uses these methods ofcommunication and thus has media exposure. In recent years, withmore companies actively dialoguing with consumers online, this typeof coverage is proving even more valuable. For example, when acustomer posts something to a firm's social media page that causesinjury to a third party, the company can be liable.

3. Understand the Gray Areas

Customers are frequently confused when it comes to understandingcyber protection compared with other insurances. Cyber coveragescan combine third-party liability coverages with first-partycoverages. Take the case of a breach: The policy will cover theliability incurred as a result of damages to the breached parties,as well as the business interruption from the downtime the firmsuffers as a result of the breach. Some cyber products incorporateE&O; others do not. As the agent or broker, it's important toclearly understand the differences, determine the appropriateexposures and needed coverages, and educate yourcustomers. 

For example, a software developer needs a technology E&Opolicy to cover liabilities that arise from providing softwareproducts and services. On the other hand, local retailers, or eveninsurance agencies, do not have a technology E&O exposure, butexposures related to acquiring, storing, and transmitting customerdata, typically credit card information and other PII. So the localretailer or insurance agency needs a data breach/privacy policy.The differences are clear.

But the line between the two blurs when a technology companythat creates tech products or services also stores and transmitscustomer data. In this case, the business needs both technologyE&O and data breach/privacy coverage, which it can purchase viatwo separate policies or with a technology E&O policy withbuilt-in data breach/privacy coverage.

Businesses that use a third party or cloud vendor that storesthe data are still responsible in the case of a data breach. Somebusinesses mistakenly believe that their property policy's businessinterruption coverage will kick in as a result of a data breach,but those policies typically exclude outages caused by computerhackers. If you're comfortable talking to your customers aboutbusiness interruption in the context of property loss, databreach/privacy insurance is essentially business interruption inthe context of an IT issue.

4. Make the Case For Benefits Beyond InsuranceCoverage

People think of insurance as repayment after the fact: If yourhome burns down, you'll get the funds to cover the damages andrebuild. Data breach/privacy insurance obviously has the componentof paying a company's liability following a breach, but the rightpolicy will also cover other essentials for the small to middlemarket customer who might not have the time or resources tounderstand proper risk control. Although every step taken isimportant, simple efforts such as firewalls will provide littleprotection in the face of an employee error, rogue employee, orlost laptops, tablets, and smartphones.

Imagine the recovery of a firm that makes one call to the firstresponder to coordinate risk mitigation and crisis managementversus a firm that after a breach has to begin the process ofidentifying and retaining the legal, technology and publicrelations experts needed to manage the crisis. Weeks of valuabletime would be lost in the second scenario.

So cyber coverage is not as simple as, “Here's $600,000 becauseyour house burned down.” It addresses what happened, where thehacker went, how to avoid being sued, and how to mitigate the tideof damage to your overall reputation. And if you are sued, inaddition to paying for that liability, the coverage will minimizethe impact of the lawsuit and damages to third parties.

Explain to potential customers that having the right databreach/privacy policy could effectively provide them with a team ofworld-class consultants on retainer.