Cyber risks for organizations of every size and in every industry are on the rise.
Today, the FBI ranks cybercrime as one of its top law enforcement activities, and large organizations including Target, Primera Blue Cross, Anthem, JPMorgan Chase, Home Depot, and many other smaller and mid-size businesses have been compromised by cyber breaches.
Despite the significant risk to organizations of every size in every industry, insurance providers often encounter resistance when introducing the topic of Cyber risk coverage for the first time. Potential buyers, unaware of the true cost of a breach, reject the coverage with responses such as, “Legal or IT says we don't need it,” or “It's our point-of-sale vendor's liability” or “It's unaffordable.”
But it's in the client's best interest for you to break through that resistance and ensure they understand and recognize the risks they face. Developing a strategy that goes beyond presenting a Cyber quote along with other coverages will help you succeed. Here are best practices to follow when selling Cyber coverage that will eliminate sales friction and ensure your clients recognize the risks they face.
1. Make cyber the main event
Cyber liability is complex, with many moving parts entailing third-party and media liability; regulatory and contractual risk; and first-party expenses, such as notification, credit monitoring, data restoration, business income, reputational loss and extortion mitigation. Uncoupling cyber risk from other exposures can help simplify the discussion and ensure the client understands the real risk. Most often, Cyber proposals are discussed at the end of a presentation, when the client’s attention begins to wane. Approach the client solely with a cyber agenda to ensure it gets the focus it deserves.
2. Do your homework
Before meeting with the client, gather background information. The client's Cyber risk profile can change considerably based on industry, the types of data collected and managed, and a range of other factors. Be able to identify unique Cyber exposures, match coverage to the risk, and be able to explain the multiple Cyber coverage parts in a cogent way.
The primary exposure for retail risks is credit card information theft. Large card breaches trigger significant notification costs involving customers and also potential contractual damages arising out of Payment Card Industry fines, penalties or cost assessments. For healthcare, clients may need assistance assessing various Cyber exposures, including the risk to patient health information in the possession of Business Associates, compliance with the HIPAA Privacy and Security rules, and potential regulatory fines or penalties for breaches as a result of non-compliance.
For some organizations, the primary loss concern is not first-party expenses but the fallout of an unauthorized disclosure of corporate confidential information. If a law firm disclosed a client’s case file, it could cause irreparable harm, resulting in a suit by the client or a third party. For a contractor, entrusted with confidential bid proposals, financials, engineering plans, environmental reports and other sensitive construction documents, an unauthorized disclosure could cause a significant setback to a project leading to financial loss. For other entities, the primary exposure may arise from a disruption caused by a hacker or extortionist. An e-commerce company whose network has been hacked may incur a significant loss of business income while technicians work to restore the network. All of these examples highlight the need to take time to discuss the risks unique to the client and its industry.
3. Simplify the pricing
It's best to have a general discussion about pricing after the risk exposures and coverages are discussed.
Generating a simple ballpark indication, from carriers’ Cyber raters, can help put it in perspective for the client. Formal terms can be generated later using single-page questionnaires.
It’s important not to overwhelm the client with too many options at this initial stage. The client should focus on the need for coverage without getting bogged down in analyzing limits or coverage forms. Remember, cyber is a new coverage. Make sure to explain that once a decision has been made to buy, careful attention will then be given to the issue of limits, coverages and differences in policy forms prior to binding coverage.
4. Provide real-world examples
Researching and presenting actual breach examples within the client's industry helps illustrate the need for coverage in a real and tangible way.
Various websites list breaches by industry: for example, the Department of Health and Human Services documents all healthcare breaches involving 500 records or more at hhs.gov. Insurance carriers, IT security companies, privacy organizations and wholesale brokers may also be a source. You also can detail an example of the Cyber claims process and show what a good response plan looks like, which can include examples of how many carriers provide a network of breach response vendors to handle an incident.
5. Correct misconceptions
Know who will be involved in the decision process so that you can anticipate objections and correct their misconceptions.
If IT professionals are involved in the purchasing decision, remember they may be concerned that the need for coverage may reflect poorly on the quality of their work, or they may feel that money spent on insurance would be better spent on stronger security. This stems from a common misconception that breaches are solely an IT problem and can be prevented by better network security.
In its 2014 Cost of Breach Study, the Ponemon Institute reported that 31% of data breaches arose from human errors, such as errant e-mails, lost laptops and un-shredded documents. Recently, phishing attacks have become a sizeable cause of breaches, as employees are deceived into opening bogus emails and attachments. Disgruntled employees can also be a source of breaches by either stealing data for profit or maliciously disclosing records. Lastly, many breaches are caused by third-party vendors, which are often outside the client’s control. By communicating all the facts and scenarios that are relevant to the client, it’s possible to overcome the majority of buying objections.
6. ‘No’ doesn't mean ‘never’
Paint a picture for the client by asking, “What would you do today if you had a data breach?” This may unsettle a client, but it can also provide a potent reason for buying coverage.
If a client isn't ready to buy, make an effort to discover the source of the resistance, and address the topic again later. The education process takes time, and it may take a few attempts to clarify the issues and ensure your client understands their risk profile. Ultimately, effectively educating a client should speed the buying process, help them understand the coverage and exposures, and demonstrate that purchasing coverage is a logical decision. Cyber risk insurance, like Employment Practices Liability in its infancy, requires an investment of time to sell, but will ultimately enter the mainstream of insurance products purchased by most organizations.
Mark Smith is a broker and leader of Swett & Crawford’s cyber liability practice.