Just a few years ago, convincing a small to midsize commercial client to purchase cyber insurance was a tall order.

But thanks to a rash of high‑profile breaches and increasingly sophisticated cyberattack schemes, that reluctance didn’t last long—and now, simply pushing a policy won’t cut it with savvy clients. They’re hungry for more.

“I’ve seen the best agents out there really hone in on their book of business and figure out the messaging and risks by industry,” says Matt Cullina, CEO of CyberScout, an ID theft resolution and data breach management firm.

For example, professional groups like lawyers, accountants and travel agents house more personally identifiable information than the average small business, whereas retail establishments house a lot of credit card data. “You start asking those questions to understand the customer better and you realize cyber risk is creating reputational risks that are outpacing other traditional risks, so the tail’s wagging the dog,” Cullina says.

And the benefit is twofold. Asking targeted questions pushes the conversation beyond a simple sale and into your main wheelhouse as an independent agent: proactively managing risk in a way that helps clients avoid claims in the first place.

“There’s a lot that goes into cyber beyond just the policy,” says Brian Thornton, president of ProWriters. “Clients are starting to ask a lot more questions about all those protective measures of risk management, and those discussions tend to be where I see the most active increase in what people are doing about their exposures.”

The Human Element

The first line of defense in the cyber equation may not be what you expect: Up to 95% of data breaches result from human error, according to a recent survey from Willis Towers Watson. IBM reached the exact same conclusion in its 2014 Cyber Security Intelligence Index.

“When we looked at our own cyber risk claim data, about two‑thirds of cyber claims directly involved an employee,” says Anthony Dagostino, global head of cyber risk at Willis Towers Watson. “Whether it was a negligent employee or a malicious employee, that could mean something like losing a laptop, faxing information to the wrong recipient, sending an email with a spreadsheet.”

But how did the survey reach the staggering 95%? “When we dug into the other one‑third of claims, even technical issues like lack of patching or failure to implement a certain control—that can be traced back to a talent issue too,” Dagostino explains. “That’s not having the right infor-mation security officer in the role who’s able to prioritize what needs to be done for the organization.”

Consider that a huge portion of breaches start off with some kind of social engineering. Cybercriminals know “all they need to do is trick one person to get access,” Cullina says.

“If you think about it, human error is the lowest‑hanging fruit,” points out Nick Economidis, underwriter at Beazley. “It’s really hard to crack a password; it’s really hard to crack encryption; it’s really hard to get through a firewall that’s properly configured. Getting somebody to make a mistake is easy.”

But chances are, your commercial clients are blind to the human element. In its 2017 Cyber Readiness Report, Hiscox analyzed 3,000 com-panies of various sizes across the U.S., U.K. and Germany and tested them on technology, strategy, resources and process. According to Dan Burke, cyber and technology product head at Hiscox USA, quality of technology was actually fairly consistent between “cyber novices” and “cyber experts.”

“Across small to large organizations, strategy, resources and processes were where experts set themselves apart,” Burke explains. “A lot of companies are throwing money at the technology problem, thinking superior technology will help resolve their risk. Frankly, that’s not the case.”

As phishing and social engineering attacks become increasingly sophisticated and targeted toward specific individuals, “creating that human firewall is a massively important piece that can’t be understated,” Burke says.

Risk Management

To help your commercial clients achieve that goal, encourage them to focus on two important pieces of cyber readiness:

AWARENESS. Simply raising awareness about common cybercrime schemes can go a long way toward protecting an organization.

“Whatever role you have within the company, if privacy isn’t something that’s constantly on your mind, you’re letting your guard down,” Cul-lina says. “We see scams getting smarter and smarter, and hackers are very good at the psychology of it.”

“The cybercrime losses we see right now are sophisticated personal emails sent to specific people in an organization who are likely to have ac-cess to money or accounting or records, and have an ability to do something very quickly,” Burke agrees.

One example: electronic wire transfer fraud, where a criminal impersonates the CFO and sends an angry email on a Friday afternoon asking an employee to wire $500,000 immediately—and discreetly.

“Everybody wants to please the boss, so they’ll just process that without any extra protocol,” Cullina says. “Or it’s just someone letting their guard down and seeing an email that looks interesting and new, so they click on the link or open an attachment.”

At a minimum, your client’s employees need to understand the types of attacks that are happening so they can be on the alert. “You need to be talking about this not only in the C‑Suite, but with all your employees,” Thornton says. “Just clicking one email can be enough to get somebody in, so tell your employees, ‘This is what a bad email looks like. If you’re not sure, don’t click.’”

“It’s very easy to eliminate some of that risk—pick up the phone and call the person who supposedly sent you the email, or walk down the hall and verify that instruction is the real instruction,” agrees Eric Cernak, vice president at Hartford Steam Boiler.

TRAINING. Raising awareness is a smart first step, but it only gets you so far. Your commercial clients also need to invest in cybersecurity training for their employees—on an ongoing basis. “It’s not enough to train your employees once a year and then everything will be fine around cyber,” Cullina says.

“It’s a constant diligence. It’s just like protecting your physical assets, your money in the bank—these digital assets need the same level of diligence and attention.”

And “the good news is training can be fairly inexpensive for the value that is derived from it,” Cernak adds.

Alex Wayne, president & CEO of A.J. Wayne & Associates, Inc. in Chicago, suggests working with companies like KnowBe4, which can send out fake phishing emails to try to trick employees into clicking on something they shouldn’t. “You may have somebody who’s what they call a ‘happy clicker,’ and these kinds of programs are designed to train your employees to tell the difference between a safe email and a bad one,” he explains.

And training is another area where a stellar cyber policy can go the extra mile—especially for small businesses, which often don’t have a separate IT department. “As part of their value proposition, a lot of cyber policies provide loss mitigation portals where companies can direct their employees to learn about this stuff,” Cernak says.

Systems Security

Of course, “it’s impossible to train your employees to become a foolproof system,” Wayne says. “You can do your best, but ultimately I would contend that every company out there is going to have a problem at some point where somebody clicks on something they shouldn’t.”

And that’s where cybersecurity comes in [see sidebar]. According to a recent survey from Nationwide, 85% of business owners agree it’s important to protect against viruses, spyware and the like, but only 65% actively do so—and 76% don’t have a cyber response plan in place.

“Do they secure their Wi‑Fi network or is it open to anyone? What do they require for a password? Are they using numbers and special characters? How often do they require those passwords to be changed? Have they activated the firewall connection to get into their system? If you don’t take these basic steps, you definitely have vulnerability to your system, which makes it pretty easy for a hacker,” says Karen Johnston, technical commercial consultant – staff underwriting at Nationwide Insurance.

Overall, Dagostino calls cyber risk management an “equation” that involves people, technology and capital. “You protect your capital through insurance,” he says. “If a client doesn’t have the best technological protections, it’s up to the agent to sell to the underwriter the company’s culture and people that are focused on security and privacy. It’s an enterprise‑wide approach.”

Jacquelyn Connelly is IA senior editor.