Serge Solski, principal at AdviseAware Risk Consulting, advises brokers and other clients about technology risks — including cyber risks and coverage. He spoke to Canadian Underwriter Monday about some questions that brokers should be asking their clients to help understand their risk profile and advise on appropriate coverage.
Are wire transfers a part of your business?
Obviously, if it’s not part of the business, the client does not have that exposure. But it is a risk, and the client will likely need a separate crime policy, since a lot of cyber policies don’t cover wire transfer fraud.
Solski said that some policies have specific coverage for social engineering, where a person is tricked into revealing information. “If a policy does not have that in place… my understanding is some forms will only cover if a hacker backdoors [i.e. hacks] into your computer system, as opposed to tricking one of your employees to open the door for them.”
Solski said “it’s not a stretch” to say that 80% of cybercrime is caused by social engineering, whether it’s wire transfer fraud or ransomware.
Brokers should also ask if the client’s employees are trained on what to look for when it comes to phishing emails, another form of social engineering. “You better get social engineering in there, because if you’re not telling them what to look out for, they’re going to be easy marks for social engineering because they have no paranoia or suspicion,” Solski said.
Is there a plan in place for business interruption?
Clients should understand what processes are automated by computer systems — and what happens if those computers become unavailable due to ransomware or another cyber threat.
“How am I going to get back online?” Solski said clients should be asking themselves. “Is this [process] something that I am going to have to subcontract to another business to make sure my company is able to deliver [and] meet contracts?”
Clients may also want to have a third party assess the risk. If a third party is assessing the client’s risk exposure, “that goes beyond what a broker can do,” Solski says.
Failing to assess this risk could also result in customers leaving “pretty quick,” he adds, “because your customer won’t care that you are down.”
Are you handling customer information?
Brokers should ask their clients if they have any contracts with third-party providers who have privileged access to the client’s computer systems. Asking this question is not necessarily for the purpose of advising on policy coverage — it helps clients to mitigate the risk of a data breach and reduce any subsequent losses.
“One of the things I like to say to brokers is you need to come at this with more than just an insurance-only approach,” Solski said. “You need to come at them with an approach that says, ‘I am here to solve your problems from end-to-end,’ and that means [mitigating risk and losses] pre-incident and post-incident.”
Clients should also be aware of the sensitivity of business information, which can be just as valuable to a cyber-criminal as personal information. “What happens to your business if it loses critical trade secrets?” Solski said. “That’s going to be [a question] more for clients that are [doing] research and development.”
One of the hardest things for a broker, Solski said, is getting a client to understand that they are subject to the same risks as larger companies. “If you think that ‘I am too small,’ that’s the wrong philosophy because you are never too small,” he said.