By Kevin McPoyle, CIC, president and co-founder, KMRD Partners Inc.

It started out as a typically busy day. Susan, the HR manager of a medium-sized firm, packed her briefcase at 10 a.m. to travel to a branch office to make sure it was in compliance with all the new rules coming out of Washington. She hailed a cab and planned to grab a ride back with a colleague who was already at the branch office.

Then came the call every parent dreads, from the coordinator of the day care center her 2-year-old daughter Hayden attended. As the cab driver pulled up to the office, everything else suddenly seemed unimportant. It turned out the issue was only a cold and earache that had been going around, not uncommon during this winter that will not end.

But after the cab driver collected his fare and pulled away, Susan realized the thumb drive she needed to conduct her compliance check was missing. And what was on the thumb drive? Everything she needed to manage the company's HR process: employee files and payroll details including SSNs, bank account numbers, and home addresses. The day care center's call had distracted her long enough to divert her attention from the ticking time bomb now set to go off in the back seat of the cab.

Susan's company, which had no cyber liability coverage, lost most of its momentum and annual profit in paying for and correcting issues resulting from the lost thumb drive. Susan, a single mother of two, was dismissed for the security breach.

This is a compilation of stories of cyber liability we have personally experienced. Is this nightmare too far-fetched, too unrealistic? Is it any more unlikely than a Fortune 500 retailer being hacked through passwords and usernames used by an HVAC contractor who remotely monitored energy consumption and temperatures at various stores? It's never going to happen, right? Does anyone think Target, having been told it would suffer a data breach through an HVAC contractor, would respond with incredulity? The result was a massive and expensive hit to the retailer's reputation, earnings (down 46% in Q4) and a host of D&O claims. There is a high likelihood that Target will burn through a $100 million cyber limit along with whatever multimillion-dollar retention risk management selected.

As brokers and risk management professionals, we are assigned the task of protecting each client's cyber blind side. By sharing "real" events like Target with our clients, we can help move them beyond complacency and apathy. These stories torn from the news are catalysts to help our clients, who trust our advice, to make better business decisions. In failing to convey the immediacy and potential magnitude of the cyber liability issue we fail them by not creating an environment where the purchasing decision is clear and unequivocal—a "no brainer" like E&O, workers' comp and liability. How can we do a better job of protecting our clients from a calamitous cyber event that can threaten the very survival of their businesses? 

In our agency we have adopted these "5 Ways of Cyber Knowing":

  1. Don't sell fear. Leave fear mongering to news anchors and investigative reporters. Your clients, particularly privately held businesses, are full of risk takers who have squared off against significant risks in their careers and won. Although you may be able to scare someone into a decision, typically it will not stick. Let the media fulfill the role of bogeyman.
  2. Use facts to convey issues. Every day, more information comes to the forefront on this issue and its impact on businesses. Do your homework. Subscribe to a newsletter to get familiar with the details. Provide your customers with information rooted in facts, not hyperbole.
  3. Understand the policy offering. Get acquainted with the coverage terms and conditions in the cyber policy from more than one carrier. Ask your underwriters questions. Read through an application so you can accurately convey the value your clients receive by going through the underwriting process.
  4. Position the policy correctly. As a value-based provider, focus on the response team assembled by the carrier to respond to a data breach. This is similar to a D&O policy and the value gained when an experienced SEC attorney is in support rather than a Main Street litigator who doesn't understand the nuances of the issues. Let the carrier's response team make you look good.
  5. Do risk management work. Wouldn't you rather your clients not have a claim? Help them build an infrastructure and process to preclude the more common causes of cyber loss. Internal procedures which eliminate the use of thumb drives, locks on server room doors limiting access, IT audits and testing data systems and firewalls will provide your clients a better sense of what they need to do and what they can control before a loss. It may assist them in getting a reduced premium.

We can't prevent the underemployed 13-year-old living in the Ukraine from working as a hacking subcontractor for organized crime. But by helping our clients control many other areas of cyber exposure, we can make a significant impact on their cost of risk. Unless we return to an all-cash economy and revert to using the U.S. mail as a primary means of communication and transaction, cyber theft and the liability associated with it are not going away. Use your time with your clients and the current events of this past year to do the good, hard work your clients expect from you.
