Whether you’re a major corporation or a mom-and-pop shop, any business that uses email, takes credit card payments, and has an online presence needs to protect itself from cyber risks.
Small and medium-sized businesses (SMBs) in particular are waking up to this reality and implementing what safeguards they can against cyber attacks. Unfortunately, even the best firewalls don’t provide sufficient protection — and a great number of businesses remain unconvinced of the need to purchase cyber liability coverage.
Unique set of exposures
The challenge for agents and brokers is to help clients and prospects to better comprehend that need, and to offer policies that directly address each business’ unique set of exposures. The threat is real, but the value proposition must be effectively communicated.
It isn’t enough to raise the specter of cyber threats in a wider context; they need to be made “real” for the client. And that entails describing a worst-case scenario that lays out just how much money could be lost in the event of a breach.
“More and more companies are worried about cyber risk,” says Tim Francis, enterprise cyber lead at Travelers. According to the 2017 Travelers Risk Index, cyber liability is the second-biggest worrisome risk for businesses of all sizes, right behind medical cost inflation. “The hope would be that any company vulnerable to a cyber attack — which means any company using technology — would strongly consider protecting itself with a risk management plan that includes cyber insurance.”
Opportunity & challenge
Francis notes an uptick in the number of SMBs buying cyber liability insurance, but adds that there are still a fair number that don’t. Therein lies the opportunity — and the challenge — for savvy producers.
“The reality of cyber exposure is that the internet has reached in, grabbed hold, and made the world we once knew totally unrecognizable,” says Shawn Ram, head of insurance at cyber insurer Coalition. According to Ram, businesses need better tools to manage this risk and better coverage to insure them — and he notes that middle-market clients in particular remain underserved.
Ram calls SMBs “the biggest untapped, underserved and underprotected market for cyber insurance.” He points to a 2017 Better Business Bureau report clearly illustrating that only 15% of small businesses have cyber insurance. For the majority of SMB owners, cybersecurity is simply too expensive and complex. “But smaller businesses, which do not have the resources to protect themselves and are also unlikely to survive the consequences of a cyber breach, have perhaps the greatest need for cyber liability coverage,” he stresses.
Eric Cernak, vice president and cyber risk practice leader at Hartford Steam Boiler–Munich Re, agrees that the SMB market is underserved from a cyber liability insurance perspective: “Within this market, many B2B companies, particularly manufacturers and light industrial, represent a considerable growth opportunity.”
Cernak characterizes the level of market penetration for cyber liability coverage as shallow, especially for middle-market clients. He points out that there are two primary causes, both of which result from a lack of education and understanding relative to the risks and coverages available.
First, he explains, cyber insurance is still largely perceived as data-breach coverage, and many organizations that do not collect personal information as part of their operations feel that they are not a target. Second, many SMBs believe that criminals target only large organizations.
“However, this is not the case — and, in fact, many small- to mid-sized organizations may be targeted for the connections they maintain to larger organizations,” Cernak cautions. A good example is the famed cyber attack on Target in 2013, which resulted in the theft of credit card information of more than 70 million customers. The hackers had gained access to Target’s data through the retail giant’s HVAC and refrigeration vendors.
From ‘nice-to-have’ to ‘must-have’
Although there are still businesses that don’t believe they’re at risk, cyber liability insurance has clearly moved into the category of “must-have” coverage for companies across all industries. Savvy agents and brokers should be stressing this fact regularly to clients and prospects and outlining ways they can help.
“Having a tailored cyber liability policy is no longer ‘nice-to-have.’ It is becoming mandatory for all organizations,” says Michael Schultz, senior broker for professional liability at Burns & Wilcox.
“Cyber incidents are becoming less of an ‘if’ and more of a ‘when’ for companies of all sizes, so agencies and brokerages would be smart to stress to businesses the importance of having safeguards in place,” says Francis. Understanding why clients and prospects put off buying coverage can help agents and brokers overcome resistance. “There are many reasons some clients continue to hold off purchasing coverage,” says John Graham, vice president and cyber product manager at Chubb Commercial Insurance.
“Probably the most pervasive is the misguided belief that they’re not a target and that the bad guys will go after someone else.”
However, he notes, not all cyber attacks begin with a specific target in mind. “Often, bad actors cast a wide net, randomly looking for any vulnerabilities that can be exploited through an attack,” he says. Agents and brokers can win over clients and prospects by pointing this out and providing anonymous real claims examples that will bring the reality of the risks to light. Even sophisticated companies with large cyber security budgets can be taken down.
“No company or organization should feel immune to a cyber attack,” adds Graham. “If it hasn’t happened yet, then it’s just a matter of time before it does.”
A ripe client set
Manufacturers represent a particularly ripe market for cyber liability coverage. “When it comes to purchasing cyber coverage, manufacturing as an industry segment has historically lagged behind others, such as healthcare and retail,” says Graham. The reason, he notes, is because initially, the primary need of the cyber insurance policies was based upon exposure to data breaches and the loss of personal information. However, as cyber attacks have evolved — and cyber insurance along with them — many compelling reasons have emerged for manufacturers to consider cyber liability insurance for risk-transfer needs.
Shiraz Saeed, national practice leader for cyber risk at Starr Companies, also identifies manufacturing as a large untapped market for cyber liability coverage in 2018 and the foreseeable future. “Many types of manufacturing — as well as logistics, trucking, shipyards and distribution — are recognizing the need for cyber coverage stemming from two ransomware attacks from the summer of 2017: WannaCry and NotPetya. These led to business interruption losses that opened their eyes, and now we’re seeing a surge of demand in that space,” he notes.
Selling the value
Cyber liability policies offer a sweeping range of coverages that can be tailored to the needs of an organization based upon industry sector, risk factors, size and regulatory environment. “The agencies and brokerages that are successful are those who are able to understand the clients’ business operations and show them how and where that creates a cyber exposure,” says Graham. “Showing companies how others within their industry segment have experienced cyber attacks makes the exposure more real.”
Graham notes that data breaches or other types of cyber attacks can be very stressful to an organization and may lead to a loss of customer confidence, loss of revenues and the loss of personnel who are terminated in the aftermath. Having a capable and competent insurance carrier behind them can provide clients with peace of mind.
Schultz at Burns & Wilcox notes that good policies cover the costs resulting from data breaches, including coverage for third-party claims and first-party responsibilities, forensics, notification, credit protection, public relations and crisis management, business interruption, cyber extortion, media liability, and regulatory penalty costs. In addition, he points out that the European Union’s General Data Protection Regulations (GDPR) are scheduled to take effect in May 2018. Violating GDPR can cost an organization up to 4% of its overall revenue in fines.
Explaining to clients, especially those operating in the international space, the value of having a Cyber Liability policy is critical, he says, and detailing each of the individual coverage components helps to eliminate any confusions found within coverage and between policy forms.
Just the ‘right’ pricing
When it comes to pricing, the cyber liability market poses unique complexities, Schultz notes. Pricing can be complex because it is based on a number of variables, such as system vulnerabilities and strengths. “Most mid-sized organizations, however, can receive quote options with a gross revenues figure and Personal Identifiable Information (PII) count,” he says.
The key to cyber liability pricing is to identify exactly what each customer does and doesn’t need, and to use that information to build a customized policy.
“An SMB shouldn’t be paying for coverage it doesn’t need,” says Ram. “For example, if an SMB does not accept credit cards, then it is not subject to payment card information risks.”
When setting pricing, underwriters should evaluate cyber exposures and controls as an enterprise-wide issue, Graham says: “Technical controls are always an important aspect, but equally important is how the client involves all areas of the organization in their training and preparation for cyber incidents, as well as their policies and procedures for data governance.”
The market for cyber liability will continue to expand rapidly in 2018 within all industry segments, Schultz predicts. “The digital presence of organizations is in a period of continued rapid growth, and the accumulation of data via the Internet of Things (IoT) is only just beginning to take off,” he says. “Organizations will begin to see the necessity of protecting themselves from their digital risks financially.”
An ounce of prevention, in this case, is worth a pound of cure. And with cyber liability merely scratching the surface of where it should be, providing organizations with a clearer picture of their exposure — in pure dollars and cents — can go a long way.