In an era of daily data breaches, every business with a computer is at risk—which means every business needs cyber insurance coverage.
But cyber insurance has historically been a tough sell for independent agents and brokers.
Most agents do a fine job explaining the nuanced cyber risks that confront their mid-size and smaller business clients. And more than 70 insurers now provide some form of cyber protection. But many Main Street businesses still believe their system or network firewalls, anti-virus software, encrypted data and marginal online presence protect them from cyber criminals.
In the Bull’s-Eye
“Small and mid-size companies are far more likely to be a victim of a cyber attack than they think they are,” says Tim Francis, enterprise cyber lead at Travelers Insurance. Consider Symantec’s 2014 Internet Security Threat report, which indicates that small and medium-sized businesses (SMBs), defined as having fewer than 2,500 employees, accounted for more than half of all targeted attacks (61%) in 2013—up 11% from the previous year.
Unfortunately, this eye-opening threat fails to make much of a difference with many commercial lines clients. The Hartford Financial Services Group’s annual Small Business Success Study of Small and Medium-Sized Enterprises (SMEs), defined in the study as companies with fewer than 100 full-time employees and annual revenue of $100,000 or more, reports that 27% do not believe a data breach represents a business risk. Nearly one-third (31%) believe there would be no impact to their companies if they were to experience a data breach.
“Obviously, education is critical,” says Thomas Kang, cyber product manager at The Hartford. “In this regard, we all need to do a better job.”
For independent agents and brokers, educating commercial accounts about cyber risk is an ongoing tension fraught with peril to their own enterprises: Not only must they fully impress upon generally unconvinced clients just how exposed they are to evolving cyber threats, but if the company passes on the insurance and later experiences a data breach, systems shutdown or cyber extortion loss, the agent also confronts the possibility of a negligence lawsuit for failure to provide adequate professional advice.
Regulations and Costs Mount
Data breaches remain the primary threat to SMEs. According to a June 2014 report from the Insurance Information Institute, nearly every state (47) requires notifying individuals whose private information has been stolen. The cost of this notification is substantial—$145 per record, according to Ponemon Institute’s 2014 Cost of Data Breach Study. Multiply that by the number of records breached and the overall expense can literally bankrupt a small business—it’s not uncommon for a company to maintain a database containing the personal information of thousands of customers and employees.
Now toss in the related expenses to undertake a forensic investigation of how the breach occurred and handle the crisis from a public relations standpoint, and top it all off with the dire possibility of a class action lawsuit from the victims.
“We tell our clients that the victim notification costs, while substantial, may not jeopardize the survival of their business,” says Reggie Dejean, specialty lines manager at Lawley Insurance in Buffalo, New York. “But when you look at all the other potential costs, which can easily add up into six figures and more, they may not be able to open up the doors. We then say, ‘Why wouldn’t you want an insurance policy that will take care of all these expenses?’”
Even a commercial client located in one of the three states that do not yet require victim notification is not immune from these financial outcomes, since many companies conduct business in multiple states. “If the client is in a state without the law but has customers in Connecticut and Florida or conducts business over the Internet, its agent is responsible to know the laws in all the relevant states,” explains Shawn Dougherty, commercial lines product development director for cyber, insurance programs and analytics services at Verisk, a data analytics company.
And that’s not a task for the faint of heart. Although 47 states require victim notification, procedures and timeframes differ across state lines, and different industries are subject to different rules. For instance, health care institutions must comply with state laws as well as the federal Health Insurance Portability and Accountability Act, the Affordable Care Act and recent statutory amendments to the Health Information Technology for Economic and Clinical Health Act.
Another regulatory wrinkle confronts the client that operates beyond U.S. borders. Globalization means some business clients sell products and services overseas or even have facilities on the ground.
“Some countries have mandatory data breach notification laws, but most don’t,” says Ken Goldstein, vice president and worldwide cyber security manager at Chubb Group of Insurance Companies. “Several countries are progressing in this direction, however. For instance, many countries are struggling to finalize their notification requirements, including how much to fine companies that fail to notify on a timely basis. This puts the onus on brokers and agents to stay on top of these regulatory trends.”
Other than a conviction that they don’t need the insurance, what else is dissuading the client base? Cost and confusion over the different forms of cyber insurance. “A good-sized firm with $40 million in annual revenues and 100-plus employees could easily be quoted an annual premium of $15,000 for cyber liability insurance,” says Thomas J. Crowley, partner at Cook Maran & Associates in Melville, New York. “They hear that number and many say they’re just not in a financial place where they’re ready for the expense.”
But pricing has come down considerably in the past decade and coverages have broadened. Stripped-down policies can cost as little as $1,500 a year, depending on the carrier. Some coverage at even lower prices is available as an endorsement to the BOP policy. It’s better than nothing—but obvious coverage gaps remain.
“The problem with the lower-priced policies is that the coverage may not be broad enough for a client’s particular cyber risk profile,” says Dave Nelson, agency principal at Tegner-Miller Insurance Brokers in Santa Monica, California. “In such cases, we have to recommend they buy a separate policy, which gets confusing.”
Cyber policies run the gamut from first- to third-party coverages. The former may include protections absorbing the costs related to cyber extortion, crisis management, business interruption, computer fraud, restoration of electronic data and other expenses, like the possible need to set up a call center. Third-party coverages, meanwhile, may include network and information security liability, regulatory defense expenses, communications and media liability and E&O/wrongful acts.
But not every policy provides each of these coverages. Even the names of the policies vary, comprising cyber risk insurance, cyber security insurance, cyber liability insurance and more. “There are a lot of different coverages in the marketplace, but not a whole lot of standardization,” Dougherty explains.
And a client may think his or her organization has coverage when in fact it doesn’t. Consider business interruption insurance due to a cyber attack: Most standard commercial policies like BOPs do not address the cash flow losses resulting from a hacker crashing a company’s systems or networks. To address the costs of the business interruption, the organization would need cyber insurance, but not all cyber policies provide this specific coverage.
“There are subtle differences between forms and between carriers,” Crowley points out. “It all goes back again to why agents have to constantly stay on top of these risks and the different policies addressing them.”
It’s a major concern from an E&O standpoint. “Cyber carriers, coverages and the laws of compliance are constantly changing,” says John Immordino, vice president, professional liability at wholesaler and managing general agency Arlington/Roe. “That makes it difficult for an agent to stay on top of these developments.”
“Even big-name carriers and their cyber coverages can vary tremendously,” agrees Sabrena Sally, senior vice president and business head of U.S. agents at Swiss Re Corporate Solutions. “At the same time, the exposure is still developing. It is extremely challenging for agents to help their business customers understand what their exposures are, in addition to the coverages designed to absorb them.”
The solution may be assigning someone at the agency to ride herd on the subject. “Designate someone internally as your cyber ambassador,” Immordino suggests. “Require this person to stay abreast of all policy and regulatory developments, as well as new forms of cyber crime. If the agency is too small to do this, consider reaching out to a wholesaler who specializes in cyber insurance to do it for you.”
Ben Sowle, producer and technology practice leader at Springfield, Illinois-based agency R.W. Troxell and Company, is his firm’s cyber czar. “I’ve learned that cyber risks can be devastating to a company,” Sowle says. “I tell our commercial accounts that we must set up a face-to-face meeting to address these threats. This is something that can’t be handled on the phone or through email. Most times when I get their personal attention, they’re more apt to carefully consider just how susceptible they are.”
And SMEs are indeed that. “Hackers are increasingly turning their attention to SMEs,” Dougherty says. “They know that many small businesses don’t have the financial resources to maintain state-of-the-art technology, upgrades and patches. They may not have as much data as a large enterprise. But they have enough—and they’re an easier target.”
Russ Banham is an IA contributor.
Is The Answer Still No?
Armed with knowledge, an agent can present cyber insurance recommendations to commercial insureds. But it doesn’t guarantee they’ll listen.
“We go through the process and point out just how exposed they are,” says Thomas J. Crowley, partner at Cook Maran & Associates in Melville, New York. “We explain that you may not have experienced a data breach yet, but your IT guy will tell you 10 to 15 people per month are looking around in your system. Nothing has happened because you don’t have what they want yet. Soon you will.”
Despite their best efforts, four out of five commercial accounts don’t buy the insurance, Crowley says. “That’s a lot more than five years ago when one out of 20 bought it,” he admits. “But I firmly believe the mentality of business owners should be that they simply must have this coverage. It should be as routine as commercial auto insurance.” —R.B.