July 18, 2018 by Sarah-Cunningham-Scharf
WannaCry, the Equifax debacle, the Yahoo hack, the Uber cover-up—the list goes on. We’ve all heard about these massive cyberattacks and data breaches in the past year (and perhaps reconsidered our choice of password as a result).
While headlines featuring major cyber scandals help to raise consumers’ awareness around privacy concerns, they can also leave small and medium-sized businesses (SMBs) believing they aren’t of interest to cyber criminals.
Because of the focus on “all this big stuff, [SMBs] don’t think [cyber risk] applies to them,” says Lori Bader, Gore Mutual’s senior director of national sales and business development. “They feel they don’t have the ability to be financially hurt or damaged.”
Lindsey Nelson, the international cyber team leader at CFC Underwriting Ltd. in London, England, explains that this assumption partially stems from brokers referencing big name cyberattacks when attempting to persuade smaller clients to buy cyber coverage.
“When brokers are selling to Canadian SMB clients, they’re hearing about U.S. Fortune 500 companies,” she says. “The message isn’t matching up because a lot of those clients will go back and say, ‘Well, I’m not Equifax, I’m not Yahoo. That’s not an exposure that’s relevant to me.’”
SMBs might also assume these massive cyberattacks are irrelevant because they centre on third-party liability and privacy. Miki Ho, Beazley Canada’s cyber-risk underwriter, says, “The first buyers [of cyber coverage] were retailers, health care, financial institutions because they saw privacy exposure. They were worried about getting sued by their clients for mishandling their information.”
The truth is far scarier for SMBs. All businesses are vulnerable to these types of cyber risks, says Bader, and the number of incidents is increasing. “We’re increasingly dependent on technology. The rise of internet-connected devices gives attackers more opportunity, and they’re not particular about whether they’re going after large organizations.”
In fact, Nelson says 90% of her firm’s cyber claims in 2017 were filed by SMBs. “One of our largest claims last year in Canada was a small architect firm of five employees making less than $1 million. They were subject to a ransomware attempt where they reported about $400,000 in data recreation costs to restore their files.”
It’s also important to note that cyber risk doesn’t solely exist online. “For small businesses, it could be a stolen laptop,” says Bader. “It could be a mobile device left somewhere in a coffee shop. It could be malicious employees within the organization. It could just be employees mistakenly clicking on phishing links. Or it can be an attack.”
So how do Canadian brokers overcome objections from SMBs who believe cyber policies are only beneficial to large enterprises?
Focus on cyber policies relevant to an SMB client, says Nelson. She notes that an “objection that we’ll get from clients is we don’t hold any sensitive data. Therefore, we don’t have any exposure and don’t need to purchase the cyber policy.”
Nelson recommends “moving away from the concept of privacy liability. Cyber policies cover much more in terms of first-party exposure that have nothing to do with data. Focus on the key coverage components that are more relevant, regardless of industry, size, or location of the risk.”
Ho agrees it’s in the client’s best interest to focus on more common risks. “Most of the claims we’re seeing have been a lot of ransomware, a lot of malware that’s affected systems. We’re seeing a lot more business interruption claims. The products have evolved to match these exposures, but clients aren’t necessarily aware of the benefit.”
To illustrate the vulnerabilities all SMBs share, you can use real claims examples around these common risks. “If I can tell you something that has happened to a small business, then you can put yourself in that business’s shoes,” says Bader. “We have an obligation to give actual claim examples to help customers understand they’re vulnerable.”
Determining an SMB’s knowledge of cyber security and its existing defenses is another way to broach a coverage conversation, says Ho.
First, Ho suggests asking if they know cyber coverage is available. “If they say yes, then the next step would be understanding if they’ve considered buying it. If they’re not aware the coverage is available, then highlight some of the key points that would be beneficial to that client and their industry.”
That’s because the cyber coverage needs differ for every type of business depending on how they use IT—are they frequently travelling with devices that could be stolen? Do they use servers, or cloud storage?
“The biggest thing is understanding why a client might be interested in buying the coverage—tailoring the cyber pitch to the client’s needs,” adds Ho. “Understanding how companies use IT, what their reliance is on those systems.”
It’s also key to understand you may get a hostile reaction from the IT team, who could interpret your pitch as an insinuation that they haven’t done a good enough job protecting their employees. “The number one objection a lot of our brokers experience when they sell cyber insurance is the IT director assuring them that their systems are 100% secure, so they don’t need the insurance.”
Nelson says one way to work around this is to explain that “from a frequency perspective, it’s the human error-related scenario that triggered much of our claims activity,” such as forgetting a laptop in a coffee shop or clicking on a phishing link.
“All of those scenarios are issues that the IT department isn’t able to account for,” she says. “It’s very easy for brokers to go back and say, ‘Well, you can account for all the systems and that’s great that you have them. But it’s important to have that two-pronged approach in cyber insurance as well to account for the employee side of cyber incidents.’”
Adding a cyber policy means clients have to increase their insurance budget—which can be a touchy conversation. Ho says, “Everybody’s focused on spending money wisely. When it comes to cyber, I think the answer is [asking], ‘What happens if you were to suffer an incident? Who would you rely on?’ And that question often gets the conversation started and it gets clients interested in understanding what cyber insurance could provide.”
There are many value-add services that come with a cyber policy that can help justify the cost—such as a breach response plan, which Bader says is key in recovering from an attack. “The best thing to do is to have a breach response plan in place before the breach happens, and you need insurance coverage to help you keep your business operating while you deal with this.”
Mitigating business interruption costs is becoming a more popular trend in cyber insurance, says Ho. “We think of energy providers, manufacturing companies, industrial type risks. They’re realizing that if their systems are down they can’t produce their product, which can be a huge interruption in their revenue stream and potentially impact the longevity of their business.”
It’s also a good idea to educate clients about the damage their brand would experience in the event of a cyberattack. “It’s a reputational risk. The customer is trusting you with that information,” Bader says. “There’s a duty to do everything possible to protect the customer. Reputational damage can put a small company out of business.”
Following the Digital Privacy Act of 2015, Canadian companies must inform customers and the Privacy Commissioner when there’s a breach of private information, starting Nov. 1, 2018, says Bader. “There are clear rules for how companies must inform Canadians when their data is compromised. It’s very specific—and there’s an expense to deliver the notification. In the situation that it’s more severe, the Privacy Commissioner will have to be advised as well.”
Bader believes this new law could be a motivator when discussing cyber coverage with your clients. “I think this is going to be the turning point in companies not having insurance protection. This will be a great reason to make sure that you’re protected.”
Another common objection Nelson says brokers need to overcome regarding fine print is that many SMBs “say cyber policies are riddled with warranties and exclusion; therefore, there’s no point in purchasing because it won’t respond adequately. There are a lot of different cyber policies available to insureds these days, and there’s a lot of varying levels of coverage out there.”
So, to respond to that objection, she says “It’s important for the broker community to be aware of different products that are available to clients and familiarize themselves with the different terms and conditions that are listed within each one—not just the price or the limit being purchased. Take a step further and really become familiar with what specific exclusions are in this marketplace.”
If all else fails, Nelson says, show them the value-add services they’re purchasing in addition to the coverage. “The cyber policy can act as a way for them to have the appropriate channel network on speed dial in the event of an incident. A lot of insurers are offering risk management portals and proactive services—it’s a benefit to insureds to know they have both proactive and reactive services available to them around a cyber incident occurring.”
Copyright © 2018 Transcontinental Media G.P. This article first appeared in the June/July edition of Canadian Insurance Top Broker magazine
This story was originally published by Canadian Insurance Top Broker.