Most agents and brokers have had someopportunity to sell or speak to clients and prospects about networksecurity and privacy coverage (cyber insurance). Over a decade ofselling this coverage shows a surprising similarity of obstacles tosale.

Here are the main "stops"—actually, myths—that keep clients frombuying cyber insurance:

• A breach won't happen to us.
• Isn't this already covered?
• We are 100% secure.
• I can't talk to the tech people.
• Applications are too difficult to complete.

Cyber coverage should now be a part of any property and casualtyinsurance discussion. Although the coverage is not new, it is nowbeing purchased more frequently. Marsh reports the number of itsU.S. clients buying cyber insurance increased 33% from 2011 to2012.

Armed with the knowledge and understanding of the five mostcommon obstacles to the sale of a cyber policy, an agent or brokerhas a better chance of explaining and convincing the insurancebuyer to consider the necessity of purchasing cyber riskprotection.

Click on the following pages to find out how you can countereach of these arguments and increase cyber insurance sales for youragency.

Myth: A breach won't happen to us.

Fact: No one is immune.

Security breaches happen every day. The most notable is themassive Target and Niemen Marcus security breach losses whichoccurred last December, with more than 110 million recordscompromised.

More recently, a February breach of St. Joseph Health System in Georgia andTexas potentially compromised more than 405,000 records.Information was accessed through a single server by hackers fromChina and other locations. This server stored information fornumerous facilities.

And data breaches are not just happening at big companies. Morethan 600 million personal records are known to have beencompromised since 2005, according to PrivacyRights Clearinghouse.This is nearly twice the population of the entire U.S. Although thelarge companies receive media coverage, breaches are occurring withregularity in small and medium sized companies also.

To counter the "it can't happen to me" myth, point yourcustomers to these sites, which contain detailed information aboutbreaches:

• Privacy RightsClearinghouse has every reported breach since 2005 and issortable by industry and by type of breach
• Data Loss Open SecurityFoundation is a research project aimed at documenting known andreported data loss incidents world-wide.
• Verizon's2013 Data Breach Report combines the expertise of 19organizations from around the globe.

Most information security specialists say that it isn't aquestion of "if" a breach will occur, but "when." You can use thesewebsites to show the client or prospect similar businesses thathave had compromised information and highlight the potentialfinancial impact.

Myth: Isn't this already covered?

Fact: Read the words in the policies

The existing property, casualty and professional liabilitypolicy wording has evolved to make the policies' intent clear thatsecurity breaches are not covered. Below are sample wordings fromeach of these policies.

PROPERTY: ISO BUILDING AND PERSONALPROPERTY   POLICY CP-00-10 04 02 – Page 2 of 14,Section A. Coverage, 2. Property Page 2   of 14,Section A. Coverage, 2. Property Not Covered:

Covered property does not include:

n. Electronic data, except as provided underAdditional Coverages – (See Page 5 of 14 – limit $2,500 –due to the low limit this acts more as an exclusion thanenhanced coverage)…

GENERAL   LIABILITY:ISO   COMMERCIAL LIABILITY POLICY CG 00 01 10 01– Page 15 of 16, Section V.   DEFINITIONS, 17."Property damage" means:

a. Physical injury to tangible property…(underline added foremphasis)

Further in the definition:

For   the purposes of this insurance,electronic data is not tangibleproperty.  

Note: "Property damage" limits coverage to tangibleproperty. Specific wording that electronic data is nottangible property.

PROFESSIONAL LIABILITY:SAMPLE   HOSPITAL PROFESSIONAL LIBILITY WORDING(Used as an example):

Any administrative, disciplinary, D. ExclusionsApplicable To All Insuring Agreements…any misuseor improper release of confidential, private orproprietary information,…licensing orregulatory claim asserted by or on behalf of a governmententity

(Most cyber policies will cover fines and penalties.Also, many Professional Liability policies willspecifically exclude Network Security andPrivacy losses).

It is clear that standard insurance forms are specificallyexcluding coverage. Note that some forms are adding back smallslices of Cyber coverage with low limits. These additional smalllimits are typically highly inadequate but are added by carriers tomore clearly restrict coverage by reducing ambiguity about whatcoverage offered.

Myth: We are 100% secure.

Fact: There is always an incremental risk.

This objection typically comes from the chief informationofficer or information security specialist (IT). One of the mainjob functions of IT is information security. Many IT professionalsconsider the purchase of cyber insurance an admission that theyhave not done their job fully. They want to think of theircompanies as immune from risk because of their efforts. Becausethey're integral to completion of the application, this attitude isa major obstacle to the sale. 

There are ways to help make the purchase of cyber insurance lessthreatening to IT professionals. Cyber policies now cover not onlythreats to the IT system, but also privacy exposures such as paperfiles and other vulnerabilities outside IT's scope of duties.

To illustrate the need for cyber insurance, compare networksecurity to fire prevention: "The conference room we are sitting inhas sprinkler heads. The architect who designed the building tookspecial care to make sure there were enough sprinkler heads andwater available in case of fire. They also carefully chosenon-combustible materials for the building. Everything was done toeliminate the possibility of a devastating fire. However, even withall the precautions, you still purchase insurance to cover thebuilding because on occasion, despite everyone's best efforts,fires occur."

Myth: I can't talk to the techpeople.

Fact: There are ways to find common ground.

Many insurance buyers (CFOs, COOs, finance professionals andothers) are reluctant to engage the IT department in cyber riskdiscussions because they don't understand IT jargon. Insurancebuyers typically do not communicate with IT unless there is acomputer problem.

Here is a layman's illustration of oneemployee's connections to the network. (Click to enlarge.) Her interactions couldinclude all of the following outlined in the illustration below.Each of these communication lines and each photo represent apotential vulnerability. This illustration is the potentialcommunication connections of just one individual. Imagine what theillustration would look like with many, even thousands, ofindividuals communicating. The complexity of this "simple"illustration makes it obvious why insurance buyers are reluctant todelve into the intricacies of network risks.

Showing your client this image illustrates the magnitude ofvulnerabilities presented by cyber exposures.

To use the automatic fire suppression sprinkler system analogyagain, while the insurance buyer may not fully understand theintricacies of a "combined dry pipe-preaction system," they canstill discuss knowledgably what would happen if that sprinklersystem failed. The same is true of the exposures presented by thiscomplex network. The exposures just need to be organized into astructure for discussion.

Below is a representation of the realms of risk presented.(Click to enlarge.) If each of these realms isaddressed, it keeps the conversation at a level appropriate to areasonable discussion between the IT department and the insurancebuyer. See below for a breakdown of the realms which can each betaken separately.

Myth: Applications are too difficult tocomplete.

Fact: You can reverse the sales cycle.

Since the network affects every individual and function in anorganization, many different departments are involved in networksecurity and privacy. Therefore, the completion an application forcyber coverage can involve multiple disciplines and can becumbersome to complete. Also, in the past applications were verylong and involved.

Fortunately with experience and familiarity with the risks,insurance carrier applications are now much more streamlined. Butwhat has assisted in the sale is the reversal of the typicalinsurance sale.

In a typical insurance sale, an application is completed, quotesare received, options analyzed and a buying decision is made.However, in light of the reluctance of insureds to complete cyberapplications, a seasoned, experienced underwriter can often offer avery good estimate of the terms and costs with little moreinformation than just the revenues and a review of the insured'swebsite. With the potential costs and terms in mind, an educatedbusiness decision can then be made by the prospect prior tocompletion of a detailed application. Ultimately, an applicationwill need to be completed to obtain coverage. However, withestimated cost and terms, discussions about purchasing cybercoverage can continue.