Cyber liability is becoming less niche and more standard fare. And that means you need to be ready to act as a trusted advisor for your commercial clients—even if you wouldn’t feel comfortable calling yourself a cyber liability expert.
Heading into the New Year, here are the top 4 cyber liability issues you need to keep an eye on in order to best serve your client base.
Payment card information. It’s probably the most basic exposure, but payment card information is begging for your attention. “Agents and brokers really need to understand how the payment card industry works and what responsibilities it places on merchants that handle that information,” says Nicholas Economidis, underwriter in Beazley’s technology, media and business services group. “That can have a large impact on a relatively small business if they’re responsible for a breach.”
That’s where you come in. Economidis suggests offering clients a full review of the merchant services agreement in order to help them understand their responsibilities. “It is quite common under those agreements for the retailer to be responsible for the cost of a forensic audit should the payment card companies suspect they’re the source of a breach,” he explains. “That can be a significant cost—we’re talking $50,000 and up to get one of those done.”
Since many commercial insureds are in a hurry to get forensics audits over with, they don’t realize the audits themselves can become a source of fines and penalties. At that point, agents “really have to be involved in that process and make sure the forensic report reads as favorably as possible,” Economidis says.
Vendors and outsourcing. You will probably run into a client that outsources a need like payment processing or data hosting. And often, they mistakenly think they’ve eliminated their exposure in the process. “In reality, they didn’t outsource the exposure—they just outsourced the service,” explains Brian Thornton, president of ProWriters.
For example, “a lot of times businesses rely on IT vendors to set up the card processing environment, and the vendors kind of shrug their shoulders and say, ‘You just paid us to install the equipment—you didn’t pay us configure it. That’s a whole different issue,’” Economidis says.
According to Thornton, contracts for outsourcing anything typically do not give the small business the opportunity to leverage or amend the terms of agreement. “When you look into the actual contract, they’re accepting most of the liability,” he explains. “That’s really important when you do have a claim specifically with that vendor—that’s where the coverage becomes important to make sure it’s covering that instance as well.”
“The problem is most people don’t read these things—they just sign them,” Economidis adds. “If the agents can just read them and help point them to the key clauses, they’ll be providing a huge value.”
“But I don’t need it.” For many independent agents, “the question is ‘How do we go about convincing clients to buy it that don’t necessarily see the exposure?’” Thornton says. “That’s the difficulty they’re having—they’re placing all the lines of coverage and trying to add cyber to the mix. Some of the clients still resist it or don’t think they necessarily have an exposure.”
How can agents combat that mindset? “It goes back to my early days in the business when my first day in insurance they gave me this book that explained the role of the broker and the agent,” Economidis says. “In the book, the agent is going out and working slip-and-fall hazards and pointing out potential loose shingles that could become a property loss. When you think about it in that sense, agents really need to be having conversations with their customers about what types of information they’re collecting and handling and what they’re doing to protect it.”
“But I don’t want to deal with it.” Don’t fall into this trap, Thornton warns. “The common theme we hear from agents is that working on the comp and the property goes with big premiums and larger commissions, whereas the cyber may only be a couple-hundred dollar commission,” he says. “It’s a lot of time and effort, especially when you’re talking about getting multiple options and comparing forms that don’t stack up next to each other easily.”
But even in the small business world, cyber liability has become a much easier placement “as far as finding a market that can give pretty broad coverage at a reasonable price,” Thornton says. “The applications used to have 100 questions each. They’ve really scaled back and really drilled down into what they need to know on a risk, so they’re not requiring as much information. It becomes a little bit easier process than it might have been a couple years ago.”
“They definitely need to be talking to the clients about this, because their clients stand a reasonable chance of having a loss or incident,” Economidis adds. “If they’re not talking to their clients about it, chances are someone else is talking to their clients about it.”
Jacquelyn Connelly is IA senior editor.