Although I knew it was just a demo, it was still an unsettling thing to watch.

At a panel presentation/discussion titled "Hacked: The Implications of a Cyber Breach," hosted by Travelers in New York City, Kurt Oestreicher, digital forensics specialist/cyber fraud, and Chris Hauser, 2nd vice president/cyber risk, both with the carrier's Investigative Services division and experts on cyber security, demonstrated for a captive audience how an unwelcome visitor can take control of—or "own," in hacker-speak—a fictitious retailer's web site.

Their digital infiltration took all of 10 minutes—and that was with Hauser and Oestreicher explaining to attendees exactly what they were doing, each keystroke of the way. Without having to provide that exposition, the same task could be accomplished in all of four minutes.

Through the use of open-source tools and tools created specifically to perpetrate cybercrime (and all too easily available on the Internet), it was made plain just how easy it is for those with ill intent to sneak in and explore the "back end" of a web site (where valuable information including customers' credit applications and the site's controls are kept), shut it down, and hold it for ransom.

Small to mid-sized businesses, explained fellow panelist Mark Greisiger, president of cyber risk assessment and data breach services firm NetDiligence, are those at the greatest risk for such threats. Their level of preparation is low for such an attack, in which customer data can be stolen and the business can face state fines, sizable costs of notification for its customers and the requisite fees for forensic experts to come in and remove the threat—to say nothing of the reputational damage that can result, especially for a local business. These costs can spell the end of these businesses, especially those with no insurance protections in place when the attack comes.

We tend to think of cyber threats as being a bit nebulous. It can't happen to us, is the all-too-common sentiment. In the digital age, that's a dangerous way of thinking. It's no longer a question of if, but rather, when an attack on your web site will be attempted, said Tim Francis, Travelers' enterprise cyber lead. It's simply a question of odds. Of those parties that do suffer a breach, he added, one-third of them, at best, will have insurance.

Granted, Cyber policies are not an easy sell at the moment, but that will change in time as the threats and coverages continue to evolve. As Francis noted, it's still an emerging insurance product, relative to insurance products that have been around for ages.

"There are far too many companies that need this protection that do not have it," added John Mullen, managing partner of the Philadelphia office for Lewis, Brisbois, Bisgaard & Smith LLP and chair of the U.S. Data Privacy & Network Security Group. Mullen's firm consults at least one new breach victim each day.

My colleague Rosalie Donlon also raised the point that a good number of insurance agencies and brokerages in the U.S. fall into the category of small to mid-sized businesses that retain information in their systems that would be of value on the Internet's black market, or "Dark Web," as it is known among experts. Let that sink in for a minute.

So what does this mean for producers, aside from having to take stock of their own cyber exposures? It means that there's an enormous amount of opportunity for agents and brokers to sell Cyber policies to small and medium-sized businesses, if they are able to accomplish two things: become well-versed in the complexities of what a cyber attack entails and what it can do to a client or prospect's business, and convey that very real level of threat to the customer in making the sale.

These businesses are at the highest risk; they suffer the most breaches (62% of all those reported, in fact), and in terms of scale, those breaches can be the most crippling. In short, these prospects need a Cyber policy more than anyone. As in every other P&C insurance sale, it's a matter of schooling up on the risks, explaining the exposure and making a convincing case.

So what are the selling points for a Cyber policy? Depending on the carrier, your mileage may vary—but ideally, the policy will provide the client a professional assessment of the client's risks by forensics experts, including vulnerability testing; consultation with a breach coach prior to any attacks on your business, to shore up defenses; risk-management consulting, for higher-end clients; access to PR and call-center professionals who will be deployed if necessary; and other protections.

One stark statistic that's worth conveying to the customer: A small to mid-sized business that gets hacked and does not have a Cyber policy in place will pay up to three times as much for the three core things it will need if customer information is compromised (the forensics experts, the PR squad and the call center personnel), and even then, it will be doing so by using professionals who haven't been vetted by a major insurer—in whose best interest it is to do serious due diligence in selecting those vendors.

As a producer, the case for Cyber is yours to make—and if you can, the opportunities gained could be well worth the investment of time and education, both for yourself and the client.
