February 2, 2020 by Jason Contant, Online Editor
James Burns, cyber product leader with CFC Underwriting, shares his insights on what the industry needs to do to sell more cyber insurance policies.
cu | How do successful brokers sell cyber insurance?
They make cyber products relevant to the client by identifying exposures. Some brokers have been less successful in trying to sell the cyber product because the companies to which they were selling didn’t necessarily see the exposure as relevant to them. When brokers have taken the approach of selling cyber as a 21st century crime product, when they talk about the potential for modern-day businesses to fall for wire transfers and scams such as that, they tend to have been more successful. That type of exposure seems to be more relevant to different types of industries. For me, it’s all about relevance. Brokers should not try to sell a generalist product, in the same way they would to all of their types of clients, because different types of clients have different types of cyber risk.
cu | Traditional cyber policies used to focus on privacy risks for industries like healthcare and retail. Is that still the case?
Healthcare would be much more privacy-exposed than, say, construction because the healthcare industry is collecting relatively high-value data. But cyber is about way more than just privacy. If you explain to your clients that cyber risk exists outside the realm of just privacy, there’s much more to talk about; the conversation should become quite a lot more open. The issue we’ve seen is that, as the privacy market within the U.S. has taken off, brokers and insurers in Canada have used the same talking points to try and articulate what cyber risk is to other clients – clients who don’t necessarily have a privacy exposure. While Canada and other territories do have privacy laws, they don’t tend to be enforced in the same ferocious manner as U.S. privacy laws. Many clients, regardless of whether or not privacy laws are in place, just don’t collect private data.
cu | What are the main areas of cyber risk?
We’ve seen three main areas of cyber risk: theft of data (privacy), theft of money (cybercrime), and damage to digital assets (system damage and business interruption).
cu | Can you provide an example of an industry with business interruption or cybercrime exposure?
Manufacturers weren’t really in that first camp of traditional cyber buyers, because manufacturers don’t tend to collect consumer data. For many years, if you were a broker with manufacturing clients, the cyber conversation was shot down because the manufacturer would say, ‘We don’t collect data therefore we don’t have a cyber risk.’
But what we’ve seen develop in recent years are attacks against manufacturers in which the hackers are not trying to steal data, they’re simply trying to freeze the network. If they can freeze a network, it can stop manufacturing operations; that can cause immediate financial loss from a business interruption perspective. Tied in with this, we’ll see manufacturers get hit with ransomware attacks whereby the attackers will lock down the systems and demand a ransom in exchange for the systems to be freed up.
cu | How about crime?
Crime is slightly different because crime tends to be relatively industry-neutral insofar as crime involves theft of funds. So businesses will tend to wire funds electronically, depending on whether they need to buy stock, pay vendors, or accept money from clients. Some industries are more exposed than others. A good example is construction. Lots of contractors tend to be involved in building projects for which they are sourcing lots of different materials from lots of different suppliers. They will be wire-transferring money for timber, bricks, and concrete to make sure their job is completed on time. They need to have their materials delivered. Construction is a really good example of where clients may say, ‘We don’t have a cyber exposure because we don’t collect consumer data,’ just like manufacturers.
Cyberattacks often involve a human element, so brokers should be looking at this as a business continuity product, as well as from a crime standpoint, not just from a business interruption perspective. If a business has a large sum of funds stolen through wire transfer fraud, they often run into cashflow issues. They need that money back and quickly.
cu | Do you see new service offerings coming down the pipeline, or even changes to current offerings?
I think there has been an over-emphasis on the policy wordings themselves. The wordings are important; they determine what coverage is there or isn’t. But we’re starting to see brokers become hung up on the nature of the wordings almost at the expense of inquiring with individual insurers about what their cyber claims solutions look like. I think we’ve seen lots of innovation in the area of wordings and what the actual coverage looks like from a language perspective.
I don’t think we’ve seen insurers invest enough in the infrastructure that needs to sit behind the product in order to fulfill the promise that exists within the policy wording. Take two cyber insurers with very similar products: if a client has a claim, the client experience and outcome could be very different from one insurer compared to the other based on the cyber claim service offered by each insurer.
Here is my advice to brokers who are trying to choose their cyber insurance partners: look at the claim service alongside the policy wording, and make sure you are looking at best-in-class policies as well.
cu | How do you get someone to buy something they think they don’t need, especially in a hard market, when premiums for other policies are going up?
It’s difficult to sell something when people think they don’t need it. That does make the insurance discussion more difficult for the broker. As business lines such as directors and officers (D&O) and professional liability start to harden, the client might feel like they don’t have the insurance spend for a cyber policy. But that becomes irrelevant if the risk is articulated and it’s clear it could end up costing the client so much more if they don’t invest in a cyber insurance policy.
Again, keep it relevant. We’d be wary of talking to a small business customer about reputational risks when it might be a less relevant example for them. For that client, we’d encourage brokers to talk about the real claims we see from small customers, and that tends to be theft of funds, social engineering, and ransomware.
If we can make it relevant by explaining the claims are real — if we can articulate to insureds that there are businesses like them who have cyber claims and that they would have seriously struggled without a cyber policy — then the fact that their other premiums have gone up in a hard market doesn’t put them off wanting to invest in a cyber insurance policy. At the end of the day, it’s going to cost them so much more if they have a cyber claim and they haven’t got it insured.
Title: Cyber product leader, CFC Underwriting
Past experience: Before joining CFC in London, U.K., nearly eight years ago, Burns worked at Zurich Insurance in London for four years as an account executive and market underwriter for professional and financial lines.
Education: BA (Hons), Politics and International Relations from Royal Holloway, University of London