How insurers can reduce cyber claims without slashing coverages

Cyber insurers are finding that acting as incident response services for their small- to mid-sized business clients is helping to reduce overall claims, experts shared during an industry conference. 

Insurers should be the first ones to open the lines of communication so clients know they can come to them for advice, speakers said during a panel discussion at the Insurance Brokers Association of B.C. (IBABC) AGM and Leader’s Conference in Whistler, B.C. 

“We try to become an extension of their IT group. What that has actually resulted in is we’re seeing a drop in claims,” said Neal Jardine, global cyber risk intelligence and claims director at BOXX Insurance.  

“The moment we start to see an uptick in one area, we reach out to all our clients and say, ‘hey, this is what’s happening; this is what’s changing. If you do this or implement this, it’ll cause a drop [in claims].” 

In fact, the bulk of the work cyber insurers end up doing may not be the quoting-and-binding of cyber policies, but around the expertise they provide to clients post-bind.  

“We were [commenting] the other day about how sometimes we don’t feel like we’re selling insurance anymore. We’re selling that 1-800 number, especially for the smaller [clients] that don’t understand [cybersecurity] necessarily,” added Michael Trendler, managing director, specialty insurance at Travelers Canada. 

“They come in one morning and their system is shut down from a ransomware attack. To be able to call the people that know what they’re doing that day and [say], ‘we need your help’—that’s huge, because otherwise you’re in a lot of trouble if your system shuts down.” 

More often than not, it’s the smaller-to-mid-sized businesses that require additional cyber support.

iStock.com/KanawatTH

“We focus on the small- to mid-sized businesses; we don’t touch the really large [businesses],” Jardine added, “and what we’re finding is small- to mid-sized businesses are asking for cyber [policies] because it’s kind of like having your own incident response service.” 

While large business clients are more likely to have IT on hand to address issues, or perhaps more capital to outsource their IT, many smaller clients do not.  

“It’s almost like you’re outsourcing your entire incident response plan and all the services to your insurer who’s ready to action it and go right away,” said Jardine.  

Plus, including advice and incident response services gives clients more bang for their buck, especially those smaller clients who may be watching their pocketbooks more carefully.   

“We encourage our clients to phone us whether they think it’s a breach or not—just phone us and bounce the idea off of us,” Jardine said.  

“You don’t have to make a claim to phone us,” he said. “Clients will phone us and say, ‘what about this software versus this software? Does this estimate look correct?’ We’ll just walk you through and say, ‘Yeah, sure, it looks fine,’ because most of our clients are SMEs. They don’t have an in-house IT group.” 

But even the clients who have in-house IT must be diligent to reach out when they suspect any suspicious activity.  

One of the largest breaches Jardine responded to occurred because a company’s IT manager did not believe their business had been cyber-breached, he shared.  

“The IT guy didn’t think it was a breach. Six months later, we find out all the data is gone and there’s a massive ransom…because [the hacker group] felt like they were ignored for six months,” he said. “The client needs to understand that they’re not just buying a policy, they’re buying a bunch of services to come with it and that in turn should reduce their overhead costs for it in other ways.”  

Feature image by iStock.com/erhui1979