6 steps to growing your Cyber insurance base

How to build the case for your client's protection

Insurance providers often encounter resistance when introducing the topic of Cyber risk coverage. (Photo: Shutterstock)

Cyber risks for organizations of every size and in every industry are on the rise.

Today, the FBI ranks cybercrime as one of its top law enforcement activities, and large organizations including Target, Primera Blue Cross, Anthem, JPMorgan Chase, Home Depot, and many other smaller and mid-size businesses have been compromised by cyber breaches.

Despite the significant risk to organizations of every size in every industry, insurance providers often encounter resistance when introducing the topic of Cyber risk coverage for the first time. Potential buyers, unaware of the true cost of a breach, reject the coverage with responses such as, “Legal or IT says we don't need it,” or “It's our point-of-sale vendor's liability” or “It's unaffordable.”

But it's in the client's best interest for you to break through that resistance and ensure they understand and recognize the risks they face. Developing a strategy that goes beyond presenting a Cyber quote along with other coverages will help you succeed. Here are best practices to follow when selling Cyber coverage that will eliminate sales friction and ensure your clients recognize the risks they face.

1. Make cyber the main event

Cyber liability is complex, with many moving parts entailing third-party and media liability; regulatory and contractual risk; and first-party expenses, such as notification, credit monitoring, data restoration, business income, reputational loss and extortion mitigation. Uncoupling cyber risk from other exposures can help to simplify the discussion, ensuring the client understands the real risk. Most often, Cyber proposals are discussed at the end of a presentation, when the client’s attention begins to wane. Approach the client solely with a cyber agenda, ensuring it gets the focus it deserves.

2. Do your homework

Before meeting with the client, gather background information. The client's Cyber risk profile can change considerably based on industry, the types of data collected and managed, and a range of other factors. Be able to identify unique Cyber exposures, match coverage to the risk, and be able to explain the multiple Cyber coverage parts in a cogent way.

The primary exposure for retail risks is credit card information theft. Large card breaches trigger significant notification costs involving customers and also potential contractual damages arising out of Payment Card Industry fines, penalties or cost assessments. For healthcare, clients may need assistance assessing various Cyber exposures, including the risk to patient health information when in the possession of Business Associates, compliance with the HIPAA Privacy and Security rules, and potential regulatory fines or penalties for breaches as a result of non-compliance.

For some organizations, the primary loss concern is not first-party expenses but the fallout of an unauthorized disclosure of corporate confidential information. If a law firm disclosed a client’s case file, it could cause irreparable harm, resulting in a suit by the client or a third party. For a contractor, entrusted with confidential bid proposals, financials, engineering plans, environmental reports and other sensitive construction documents, an unauthorized disclosure could cause a significant setback to a project leading to financial loss. For other entities, the primary exposure may arise from a disruption caused by a hacker or extortionist. An e-commerce company whose network has been hacked may incur a significant loss of business income while technicians work to restore the network. All of these examples highlight the need to take time to discuss the risks unique to the client and its industry.

3. Simplify the pricing

It's best to have a general discussion about pricing after the risk exposures and coverages are discussed.

Generating a simple ballpark indication, from carriers’ Cyber raters, can help put it in perspective for the client. Formal terms can be generated later using single-page questionnaires. 

It’s important not to overwhelm the client with too many options at this initial stage. The client should focus on the need for coverage without getting bogged down in analyzing limits or coverage forms. Remember, cyber is a new coverage. Make sure to explain that once a decision has been made to buy, careful attention will then be given to the issue of limits, coverages and differences in policy forms prior to binding coverage.

4. Provide real-world examples

Researching and presenting actual breach examples within the client's industry helps illustrate the need for coverage in a real and tangible way.

Various websites list breaches by industry: for example, the Department of Health and Human Services documents all healthcare breaches involving 500 records or more at hhs.gov. Insurance carriers, IT security companies, privacy organizations and wholesale brokers may also be a source. You also can detail an example of the Cyber claims process and show what a good response plan looks like, which can include examples of how many carriers provide a network of breach response vendors to handle an incident.

5. Correct misconceptions

Know who will be involved in the decision process so that you can anticipate objections and correct their misconceptions.

If IT professionals are involved in the purchasing decision, remember they may be concerned that the need for coverage may reflect poorly on the quality of their work, or they may feel that money spent on insurance would be better spent on stronger security. This stems from a common misconception that breaches are solely an IT problem and can be prevented by better network security.

In its 2014 Cost of Breach Study, the Ponemon Institute reported that 31% of data breaches arose from human errors, such as errant e-mails, lost laptops and unshredded documents. Recently, phishing attacks have become a sizeable cause of breaches, as employees are deceived into opening bogus emails and attachments. Disgruntled employees can also be a source of breaches by either stealing data for profit or maliciously disclosing records. Lastly, many breaches are caused by third-party vendors, which are often outside the client’s control. By communicating all the facts and scenarios that are relevant to the client, it’s possible to overcome the majority of buying objections.

6. ‘No’ doesn't mean ‘never’

Paint a picture for the client by asking, “What would you do today if you had a data breach?” This may unsettle a client, but it may also provide a potent reason for buying coverage.

If a client isn't ready to buy, make an effort to discover the source of the resistance, and address the topic again later. The education process takes time, and it may take a few attempts to clarify the issues and ensure your client understands their risk profile. Ultimately, effectively educating a client should speed the buying process, help them understand the coverage and exposures, and demonstrate that purchasing coverage is a logical decision. Cyber risk insurance, like Employment Practices Liability in its infancy, requires an investment of time to sell, but will ultimately enter the mainstream of insurance products purchased by most organizations.

Mark Smith is a broker and leader of Swett & Crawford’s cyber liability practice.
