Two key fundamentals for selling cyber cover

Brokers seeking to sell cyber insurance are advised to do two things: 1) develop a close business relationship with underwriters who are subject matter experts in cyber insurance, and 2) do as much up-front work with the prospective client as possible leading up to the submission to underwriters.

Serge Solksi, principal at AdviseAware Risk Consulting, advises brokers and other clients about technology risk, including those related to cyber.

“One of the things I advise is to have a good relationship with an underwriter, or hire one that studies these things and makes sure that the cyber risk package that they pull together includes those elements [of social engineering, business interruption and third-party providers],” Solski said. “You really just can’t go out on your own, you want to have a partnership. The forms are constantly evolving and it’s very difficult to stay on top of the threat, because the threat changes so often.”

Catherine Evans, vice president of Marsh Canada, stresses talking with clients beforehand, and doing a lot of upfront work before taking a submission out to market. “When you start talking about cyber to a client, that word has different meanings to different groups, so it’s really important to get at the heart of what they are concerned about losing, what particular scenarios are a problem for them, and then trying to figure out the best way to mirror the coverage to what their concerns are.”

In preparing submissions for an underwriter, Solski advises asking the following three questions to help them understand their clients’ risk profiles.

• Do you need coverage for social engineering fraud?

Some policies or endorsements cover social engineering fraud, in which a person is tricked into revealing confidential information. If that is the case, the client may need a policy or endorsement that covers this fraud or a separate crime policy (many cyber policies won’t cover wire transfer fraud, for example). Brokers should also ask if client’s employees are trained on what to look for regarding phishing emails, another form of social engineering.

• Is there a plan in place for business interruption?

Clients should understand what processes are automated by computer systems, and what happens if those computers become unavailable due to ransomware or another cyber threat. Other automation-related questions could be:

• How am I going to get back online?
• Is this something that I am going to have to subcontract to another business to make sure my company is able to deliver to meet contracts?
• What systems are automated and business dependent? What would happen if your systems are down for 24 hours, or a week? What would that cost to business?

• Are you handling customer information?

Brokers should ask clients if they have any contracts with third-party providers who have privileged access to the client’s computer systems. Brokers should use more than just an insurance-only approach. They should also look at pre-incident and post-incident preparation. Also, what happens to the business if it loses critical trade secrets?