Cyber risks for organizations of every size and in everyindustry are on the rise.

Today, the FBI ranks cybercrime as one of its top lawenforcement activities, and large organizations including Target,Primera Blue Cross, Anthem, JPMorgan Chase, Home Depot, and manyother smaller and mid-size businesses have been compromised bycyber breaches.

Despite the significant risk to organizations of every size inevery industry, insurance providers often encounter resistance whenintroducing the topic of Cyber risk coverage for the first time.Potential buyers, unaware of the true cost of a breach, reject thecoverage with responses such as, "Legal or IT says we don't needit," or "It's our point-of sale-vendor's liability" or "It'sunaffordable."

But it's in the client's best interest for you to break throughthat resistance and ensure they understand and recognize the risksthey face. Developing a strategy that goes beyond presenting aCyber quote along with other coverages will help you succeed. Hereare best practices to follow when selling Cyber coverage that willeliminate sales friction and ensure their clients recognize therisks they face.

1. Make cyber the main event

Cyber liability is complex with many moving parts entailingthird party and media liability; regulatory and contractual risk;and first-party expenses, such as notification, credit monitoring,data restoration, business income, reputational loss and extortionmitigation. Uncoupling cyber risk from other exposures can help tosimplify, ensuring the client understands the real risk. Most oftenCyber proposals are discussed at the end of a presentation, whenthe client's attention begins to wane. Approach the client solelywith a cyber agenda ensuring it gets the focus it deserves.

Related: Front lines of cyber risk: What's a company's bestdefense?

(Photo: Shutterstock)

2. Do your homework

Before meeting with the client, gather background information.The client's Cyber risk profile can change considerably based onindustry, the types of data collected and managed, and a range ofother factors. Be able to identify unique Cyber exposures, matchcoverage to the risk, and be able to explain the multiple Cybercoverage parts in a cogent way.

The primary exposure for retail risks is credit card informationtheft. Large card breaches trigger significant notification costsinvolving customers and also potential contractual damages arisingout of Payment Card Industry fines, penalties or cost assessments.For healthcare, clients may need assistance assessing various Cyberexposures including risk of patient health information when in thepossession of Business Associates, HIPAA Privacy and Security rulescompliance and potential regulatory fines or penalties for breachesas a result of non-compliance. 

For some organizations, the primary loss concern is notfirst-party expenses but the fallout of an unauthorized disclosureof corporate confidential information. If a law firm disclosed aclient's case file, it could cause irreparable harm, resulting in asuit by the client or a third party. For a contractor, entrustedwith confidential bid proposals, financials, engineering plans,environmental reports and other sensitive construction documents,an unauthorized disclosure could cause a significant setback to aproject leading to financial loss. For other entities, the primaryexposure may arise from a disruption caused by a hacker orextortionist. An e-commerce company whose network has been hackedmay incur a significant loss of business income while technicianswork to restore the network. All of these examples highlight theneed to take time to discuss the risks unique to the client and itsindustry.

Related: Small, mid-sized businesses hit by 62% of all cyberattacks

(Photo: Shutterstock)

3. Simplify the pricing

It's best to have a general discussion about pricing after therisk exposures and coverages are discussed.

Generating a simple ballpark indication, from carriers' Cyberraters, can help put it in perspective for the client. Formal termscan be generated later using single-pagequestionnaires. 

It's important not to overwhelm the client with too many optionsat this initial stage. The client should focus on the need forcoverage; without getting bogged down in analyzing limits orcoverage forms. Remember, cyber is a new coverage. Make sure toexplain that once a decision has been made to buy, carefulattention will then be given to the issue of limits, coverages anddifferences in policy forms prior to binding coverage.

Related: 6 things agents need to know about basic securityfor Cyber coverage

(Photo: Thinkstock)

4. Provide real-world examples

Researching and presenting actual breach examples within theclient's industry helps illustrate the need for coverage in a realand tangible way.

Various websites list breaches by industry: for example, theDepartment of Health and Human Services documents all healthcarebreaches involving 500 records or more at hhs.gov. Insurancecarriers, IT security companies, privacy organizations andwholesale brokers may also be a source. You also can detail anexample of the Cyber claims process and show what a good responseplan looks like, which can include examples of how manycarriers provide a network of breach response vendors to handle anincident.

Related: 50% of small businesses have been the target of acyber attack

(Photo: Shutterstock)

5. Correct misconceptions

Know who will be involved in the decision process so that youcan anticipate objectives and correct their misconceptions.

If IT professionals are involved in the purchasing decision,remember they may be concerned that the need for coverage mayreflect poorly on the quality of their work, or they mayfeel that money spent on insurance would be better spent onstronger security. This stems from a common misconception thatbreaches are solely an IT problem and can be prevented by betternetwork security.

In its 2014 Cost of Breach Study, the Ponemon Institute reportedthat 31% of data breaches arose from human errors, such as errante-mails, lost laptops and un-shredded documents. Recently, phishingattacks have become a sizeable cause of breaches, as employees aredeceived into opening bogus emails and attachments. Disgruntledemployees can also be a source of breaches by either stealing datafor profit or maliciously disclosing records. Lastly, many breachesare caused by third-party vendors, which is often out of theclients' control. By communicating all the facts and scenarios thatare relevant to the client, it's possible to overcome the majorityof buying objections.

Related: Cyber security award winner shares risk managementstrategies

(Photo: Thinkstock)

6. 'No' doesn't mean 'never'

Paint a picture for the client by asking, "What would you dotoday if you had a data breach?" This may unsettle a client, butalso provide a potent reason for buying coverage.

If a client isn't ready to buy, make an effort to discover thesource of the resistance, and address the topic again later. Theeducation process takes time, and it may take a few attempts toclarify the issues and ensure your client understands their riskprofile. Ultimately, effectively educating a client shouldspeed the buying process, help them understand the coverage andexposures, and demonstrate that purchasing coverage is a logicaldecision. Cyber risk insurance, like Employment Practices Liabilityin its infancy, requires an investment of time to sell, but willultimately enter the mainstream of insurance products purchased bymost organizations.

Mark Smith is a broker and leader of Swett & Crawford'scyber liability practice.

Related: Cyber insurance 2015: Inside a robust and rapidlychanging market

We're on Facebook, are you?