Although I knew it was just a demo, it wasstill unsettling to watch.

At a panel presentation titled “Hacked: The Implications of aCyber Breach,” hosted by Travelers in New York City, KurtOestreicher, digital forensics specialist/cyber fraud, and ChrisHauser, 2nd vice president/cyber risk, both with the carrier'sInvestigative Services division and experts on cyber security,demonstrated for a captive audience how an unwelcome visitor cantake control of—or “own,” in hacker-speak—a fictitious retailer'swebsite.

Their digital infiltration took all of 10 minutes—and that waswith Hauser and Oestreicher explaining to attendees exactly whatthey were doing, each keystroke of the way. Without having toprovide that exposition, the same task could be accomplished inless than four minutes.

Through the use of open-source tools created specifically toperpetrate cybercrime, it was made plain just how easy it is tosneak in and explore the “back end” of a website (where customers'credit applications and the site's controls are kept), shut itdown, and hold it for ransom.

Small to mid-sized businesses, explained fellow panelist MarkGreisiger, president of cyber risk assessment and data breachservices firm NetDiligence, are those at the greatest risk for suchthreats. Their level of preparation is low for such an attack, inwhich customer data can be stolen and the business can face statefines; sizable costs of notification for its customers; and thefees for forensic experts to come in and remove the threat, to saynothing of the reputational damage that can result. These costs canspell the end of these businesses, particularly those with noinsurance when the attack comes.

It's no longer a question of if, but when an attack onyour website will be attempted, said Tim Francis, Travelers'enterprise cyber lead. Of those parties that do suffer a breach, headded, one-third of them, at best, will have insurance.

“There are far too many companies that need this protection thatdon't have it,” added John Mullen, managing partner of thePhiladelphia office for Lewis, Brisbois, Bisgaard & Smith LLPand chair of the U.S. Data Privacy & Network Security Group.Mullen's firm consults with at least one new breach victim eachday.

What does this mean for producers, aside from having to takestock of their own cyber exposures? It means that there's anenormous opportunity to sell Cyber policies to small andmedium-sized businesses, if agents and brokers can do two things:Become well-versed in the complexities of what a cyber attackentails and what it can do to a client or prospect's business, andconvey that very real level of threat to the customer in making thesale.

Small to medium-sized businesses are the highest at risk, theysuffer the most breaches (62% of all those reported) and could beput out of business by one good-sized breach. These prospects needa Cyber policy more than anyone.

So what are the selling points for a Cyber policy? Ideally, thepolicy will provide a professional assessment of the client's risksby forensics experts, including vulnerability testing; consultationwith a breach coach prior to any attacks, to shore updefenses; access to PR and call center professionals who will bedeployed if necessary; as well as other protections.

One stark, bite-sized statistic that's worth conveying: A smallto mid-sized business that gets hacked that doesn't have a Cyberpolicy in place will pay up to three times as much for thethree things it will need if customer information is compromised(the forensics experts, the PR squad and the call centerpersonnel), and it will be forced to use vendors who haven't beenvetted by a major insurer.

As a producer, the case for Cyber is yours to make—and if youcan, the opportunity gained could be well worth the investment oftime and education, both for yourself and the client.