February 26, 2018 by Jason Contant
Clients’ arguments against purchasing cyber insurance can often easily be defused, delegates attending NetDiligence’s Cyber Risk Summit heard Friday.
Lindsey Nelson, international cyber team leader with CFC Underwriting, said she is often surprised when she hears companies saying they don’t have a cyber risk or exposure, because they have strong IT controls in place.
Insurance professionals can break down this argument using the following two simple questions:
“Two obvious answers to that [mean] that you do have an exposure,” she said.
The questions indicate the importance of human error in creating the potential for cyber breaches.
“It really involves going back to the client and asking them: how do you account for rogue employee scenarios? How do you account for lost portable devices that’s an accident by an employee? How are you accounting for employees clicking links or transferring over funds electronically, if that’s part of the program?” Nelson asked. “These are all things that the IT department can’t necessarily account for, and often that’s the incentive for them to get insurance.”
She said that she often compares cyber insurance with property insurance. “If you look at a property, if you put a sprinkler on it, are you not going to get property insurance anymore because you have that control in place?” Nelson asked. “Probably not, you’ll still get property insurance. You can have the best IT systems in place, but insurance should still be there as well.”
Jeremiah Tonn, vice president of Marsh Canada’s cyber practice, said he sometimes hears from clients that “cyber’s not really for us, I’m not really seeing the exposure.” Or they might say: “We have the exposure and we think it’s totally taken care of.”
Tonn tells his clients that a basic system can have over 60 million lines of code. “It’s impossible, and not your job as an information technology professional, to view all 60 million lines of code and make sure there are no zero-day vulnerabilities or other things in there to expose [the system],” he said. “It seems to get information technology professionals on board right there. It’s defused a lot of things in the beginning. It’s defused even large firms pretty easily.”
Joe DePaul, cyber/E&O practice leader with Willis Towers Watson, added: “There are some great examples out there to really show clients, prospects, that the insurance does work. It does respond if the coverage is crafted correctly. Those discussions around, ‘We don’t need it and here’s why,’ actually can very easily be combatted these days.”
Greg Markell, president and CEO of Ridge Canada Cyber Solutions, said the argument, ‘We’ve got it covered,’ can be dismantled pretty easily with one simple question:
Clients typically respond that “it takes a few days,” Markell said. “Can you really operate as a company, and can you afford to be down for that long, even for something as simple as ransomware?”