Picture this: You’re trying to sell a cyber policy, but the prospect shakes their head. “My IT’s handled by an outside firm—I have a specialist,” they shrug. “I don’t need that type of insurance.”
Historically, it’s been a common objection among business owners who simply don’t understand the extent of their cyber-related risk—or that the entity which obtains the data is responsible for keeping that data safe.
“That fallacy causes a lot of companies to not buy cyber,” says Shawn Ram, head of insurance at Coalition. “There’s a huge opportunity to increase our sophistication about the manner in which we discuss cyber-related risks with business owners.”
Consider a real-life claim for a business that outsourced its IT services. “They had a ransomware attack and found out none of their data had been backed up for three years,” says Ted Richmond, director, Royal Group Services Limited, LLC cyber insurance program managers. “They were relying on the IT firm to do it, but there was a miscommunication or a misunderstanding of services. Somebody just dropped the ball somewhere.”
The point, Richmond says, is that “just because you have outsourced IT or something similar doesn’t mean you don’t need a cyber policy. There’s still human error.”
Fortunately, after years on the market, cyber is finally starting to gain more traction among business owners. “A large segment of the market that used to be non-buyers are definitely buyers now,” says Brian Thornton, president of ProWriters, who cites classes like manufacturing, distribution, third-party resellers, construction and more as emerging prospects to target.
In part, it’s attributable to the uptick in social engineering and ransomware events over the last two to five years. “Those have dramatically changed who’s considering buying a cyber policy, because these places may not hold a lot of data, but if they get hit with a ransomware attack, nobody can do any work,” Thornton explains.
The fear factor is an important one contributing to greater awareness around the importance of cyber policies. “Business owners get scared if you ask them, ‘Hey, if you have a ransomware event, who are you going to call? What are you going to do? Are you able to get $100,000 of bitcoin in 72 hours?’ They don’t know where they would even begin, let alone whether they would be able to do that,” Thornton points out. “That makes it a lot more appealing when you show them an insurance policy that includes not only X amount of coverage, but also all these services—you’d have a law firm hold your hand through the process, a carrier who’s experienced these events and knows how to deal with this, and you’ve got it all taken care of.”
In general, more carriers are providing value-add services with cyber policies, from access to legal counsel to IT services for risk mitigation, cybersecurity education, free risk reports and even cybersecurity monitoring throughout the policy term “to help insureds understand how their cyber risk is changing over time,” Thornton says. “You’re seeing an increase in the tangible, active services that potentially come with a cyber policy or at the time of binding.”
And at the same time, it may be easier for business owners to secure cyber coverage than ever before: Over the past five years, “the underwriting has really come down as far as questions carriers are asking,” Richmond says. “Carriers are finding ways to write more business. They’re not walking away from something just because they had a previous loss.”
Today, cyber carriers are much more willing to “go the route of asking fewer questions and taking almost a macro underwriting approach across small to midsize businesses,” Thornton agrees. “The bigger you get, the more likely you’re going to get another set of questions that dig further into detail. But there’s a range of automation being provided by different carriers or intermediaries that streamline the underwriting process as well.”
For example, “some companies are scanning clients so you don’t even have to answer any questions—as long as you have a website, they can just scan your public-facing infrastructure as well as scrape the internet or third-party databases to get information like your address, revenues and industry codes,” Thornton explains. “They automate that, then come back and say, ‘Here’s the risk report and here’s the pricing,’ without the prospect filling out a five- to 10-page application that details every little firewall and server and the way they update and do patch management.”
And for good reason, Thornton says: “The pricing is so low on the small to midsize cyber business that it’s very difficult for retailers, wholesalers or even underwriters to spend massive amounts of time on small business. There can be a lot of back and forth on these smaller accounts, so there’s definitely a focus on getting more efficient in providing coverage and terms.”
In a market where carriers are vying for business by streamlining underwriting, dropping rates, expanding coverage and providing more value-added services than ever before, business owners are simply foolish to say no to a standalone cyber policy in the current market.
“If you’re trying to sell a cyber policy, focus on the $5-10-20,000 claims that affected one of your small business customers, or potentially put one of them out of business,” Richmond advises. “Not everyone’s going to have a $100,000 data breach or a $1-million claim, but that doesn’t mean you can’t have a ransomware claim for $5,000.”
Jacquelyn Connelly is former IA senior editor.