Not a day goes by without a story about a data breach, hacking incident or theft of personally identifiable information. The latest organization to have its data compromised is the U.S. Office of Personnel Management (OPM), the human resources department for several federal agencies. An estimated four million records of former and current federal employees may have been affected. A more disturbing statement from OPM is that it receives approximately 2.5 billion attacks in an average month.

As the Travelers Business Risk Index—Cyber discovered, small businesses are often the targets of hackers, however, 20% of small businesses (those with fewer than 250 employees) were targeted with attacks in 2013, but as a group, they worry the least about cyber-related risks versus 70% of business risk managers at large companies and 60% for midsized companies. Even though small businesses are the most vulnerable, they are also the least prepared and least likely to be able to recover from a data breach. For some small businesses, one cyber attack can put them out of business.

At a panel presentation titled "Hacked: The Implications of a Cyber Breach," hosted by Travelers in New York City, Timothy Francis, Enterprise Lead for Cyber Insurance, pointed out that having the right insurance helps an organization stay in business. A company can do all the right things to protect itself, but no system is fool-proof.

Doctors-looking-at-files-paper-computer-SS_256322455-wavebreakmedia

(Photo: Shutterstock/wavebreakmedia)

"Cyber insurance is still an emerging product," Francis said, noting that there are differences in carriers and in coverage as well as support services. Cyber insurance is more than words on a page, he said. You should look for a partnership with the carrier and risk management services before, during and after an incident.

John F. Mullen, a partner with the law firm of Lewis Brisbois Bisgaard & Smith LLP and the chair of its U.S. Data Privacy and Network Security Group, based in Philadelphia, said that he sees one claim per day and so few small to mid-sized businesses manage a cyber attack effectively. This presents many sales opportunities for agents and brokers, he said, as many more companies are buying cyber insurance.

Mark C. Greisiger, president of NetDiligence, which provides cyber risk assessment and data breach crisis services for cyber liability insurance carriers, explained that healthcare and financial services are the two most vulnerable businesses, and most fall into the small to mid-sized range. These businesses—think of your primary care physician's office or your independent financial advisor—are often spending their time on seeing patients or growing the business, not the security behind their websites.

Many insurance agents and brokers, who also fit the small business model, don't have cyber insurance, Mullen said. He also noted that other professional services firms, such as law firms and accounting firms, often don't consider cyber insurance.

Cyber insurance presents a growth opportunity for agents and brokers, starting with current clients then branching out to new prospects. Here are 6 tips to help you sell cyber insurance to clients and consider a policy for yourself if you don't already have one.

cyber-security-screen-password-protected-ss-solars-crop-600x338

(Photo: Shutterstock/solars)

1. Review the company's vulnerability.

Conduct a risk assessment of your client's business to determine how and where it's vulnerable to a cyber attack. Francis recommends reviewing the data the client collects and why it's collected, as one step in the assessment.

  • Do you need to continue to collect this data?
  • If so, how and where should it be stored?

Many of your small business clients may believe they don't have data that can be compromised. It's up to you to point out to the dry cleaner, for example, that he keeps credit card data on file for his delivery customers, along with addresses and phone numbers. A determined hacker could infiltrate the dry cleaner's computer system and obtain information on hundreds of customers, leaving the business at risk.

Agents and brokers need to think about the personally identifiable information that they maintain on their clients and on their own employees. Anything can be compromised and you don't really want to be responsible for identity theft, among other things.

Commercial insurance policy

(Photo: Shutterstock)

2. Review existing policies.

When you review your client's existing insurance policies, point out any exclusions that could deny or limit coverage for cyber attacks. For example, most commercial general liability policies include an exclusion for access to or disclosure of confidential or personal information and the resulting liability.

Remember to discuss the disruption to the client's business as well as harm to reputation. If the client already has business interruption insurance, estimate how much coverage is available and how much would be needed.

Data-in-cloud-shape-SS_186958328-Ismagilov

(Photo: Shutterstock/Ismagilov)

3. Explain that storing data in the cloud isn't insurance.

Many people who store data with a cloud vendor assume that the vendor takes responsibility for data security. But most cloud storage agreements usually put the burden on the data owner to protect against a cyber incident. Depending on the kind of cyber attack, your client may find itself in the position of having to defend the cloud storage company.

Greisiger pointed out that when you use cloud storage, you don't really know where the data resides. Your vendor may outsource some of its storage needs to another vendor, which is not as secure as the one your client contracted with. He noted that you can contractually restrict where the data goes, but you're still ultimately responsible for its security.

Court/gavel-with-$100-bills-SS

 

(Photo: Shutterstock)

4. Show them the money.

The average per-breach cost is about $733,000, according to NetDiligence's research, Greisiger said. When you discuss cyber insurance with your client, start by estimating the cost to the business of the components of a breach without insurance. These costs include legal counsel, notification costs, public relations consultants, forensics experts, a call center and credit monitoring services among others.

The Cyber policy should provide all these services from vendors that have been vetted by the carrier, and they're generally at a lower cost than the client would incur in obtaining the services on its own. Without a Cyber policy in place, a small to mid-sized business could pay up to three times as much for the services it needs to combat an incident. For some companies, the expenses of a breach, plus legal fees, plus any damages or fines could amount to enough to put the company out of business.

White-businessman-and-black-businessman-in-meeting-using-tablet-SS_179549198_Pressmaster

(Photo: Shutterstock/Pressmaster)

5. Compare policies, coverages, limits, exclusions and costs.

Be sure the client understands what is available from each Cyber insurance carrier that it's considering. Carefully weigh the level of services provided by each one, especially access to experts. Remember that, to date, there is no one standard definition of "cyber insurance," and coverage as well as exclusions may vary.

In some cases, your clients may need to increase their levels of other coverage, such as business interruption. You may need to examine your errors and omissions insurance as well. In some cases, clients have charged their agents and brokers with failure to recommend appropriate policies or adequate coverage.

Business-meeting-diverse-audience-SS_224514082-VGstockstudio

(Photo: Shutterstock/VGstockstudio)

6. Educate yourself and the public.

The term "cyber" covers many things and isn't well defined. It can apply to a data breach, a denial of service or misuse of personally identifiable information. It's up to agents and brokers to educate themselves, said Francis, so they can be aware of the issues and provide the best available information to their clients.

Attend continuing education courses on cyber issues, including data security and privacy issues. For example, The Institutes conducts a program on Cyber Risk Management. Other insurance industry associations also hold webinars and provide training materials on cyber security.

Consider holding small information sessions for your clients and other small to mid-sized businesses in your community. You can explain the need for Cyber policies to groups of business owners, rather than one on one.

Given the rapid pace of change and innovation with Cyber policies, agents and brokers are sure to have many opportunities to grow their business by providing cyber insurance to their current clients, and new ones as well.

How can you transform your risk management preparedness and response strategy into a competitive advantage?
 
Introducing ALM's cyberSecure — A two-day event designed to provide the insights and connections necessary to implement a preparedness and response strategy that changes the conversation from financial risk to competitive advantage.  Learn more about how this inaugural event can help you reduce risk and add business value.
NOT FOR REPRINT

© Arc, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to TMSalesOperations@arc-network.com. For more information visit Asset & Logo Licensing.