December 6, 2019 by Jason Contant
Brokers need to focus their cyber insurance selling efforts on more than just traditional privacy risks and tailor them to specific industries, a specialist insurer said Wednesday.
“Cyber is about way more than just privacy and if you explain to your clients that cyber risk exists outside the realm of just privacy, there’s much more to talk about and the conversation should become quite a lot more open,” said James Burns, cyber product leader with CFC Underwriting.
The first mainstream cyber products in the United States developed as a response to changing privacy legislation, where cyber insurance helped clients deal with the costs associated with data breaches, Burns explained.
“The issue that we’ve seen is that as that market within the U.S. has really taken off, brokers and insurers actually have used the same talking points to try and articulate what cyber risk is to other clients, clients who don’t necessarily have a privacy exposure,” Burns said. “We know whilst Canada, U.K., Australia and other territories do have privacy laws, they don’t tend to be enforced in the same ferocious manner that U.S. privacy laws do. Obviously, there’s lots of clients that regardless of whether or not privacy laws are in place, they just don’t collect private data.”
So how do brokers expand the conversation beyond privacy? By focusing on different industries and their exposures.
CFC has launched a new free tool called a “cyber risk heat map” based on 2,500 claims (and trends) they’ve seen over the past two years. It ranks the exposure severity of nine industries’ – construction, education, healthcare, manufacturers, professional service firms, public entities, retail, technology, and transport/logistics – using a colour-coded sliding scale (mild exposure to very severe) for three main areas of cyber risk:
“If you are a company that exists in a sector that says we don’t collect data, therefore we don’t have a risk, you can use the heat map to identify other types of cyber risk that might be existing,” Burns said. “Nearly every single organization will have some risk and some exposure to all types of cyber threat, but they’ll just be far more exposed to some than others based on the way the threat actors approach them.”
For example, construction is a “really good example of where traditionally they might say we don’t have a cyber exposure.” For this sector, crime would be the highest area of exposure, BI would be an intermediate exposure and privacy would be low-risk.
Why? Because a lot of contractors tend to be involved in building projects where they are sourcing various materials. “So, they’ll be wire transferring money for timber, bricks and concrete [from] a lot of different suppliers to make sure their job is completed on time and they need to have their materials delivered. Most of the cyber claims we see in the construction sphere are theft of funds claims whereby a hacker has duped someone into paying them instead of paying a supplier,” Burns added.
Privacy has some risk, but less so than other areas because construction companies (and other industries like manufacturing) don’t tend to collect any consumer data.
“For many years, if you were a broker with many manufacturing clients, the cyber conversation was shot down because the manufacturer would say we don’t collect data, therefore we don’t have a cyber risk,” Burns said. However, manufacturers do have a high business interruption exposure because attacks such as ransomware can freeze a network and stop manufacturing operations, causing immediate financial loss.
Burns said the primary driver behind the heat map was to simplify for brokers and clients what still appears to be a quite complex area. “Cyber still has the ability to seem very confusing to many brokers and clients.”