February 5, 2018 by Jason Contant
Brokers seeking to sell cyber insurance are advised to do two things: 1) develop a close business relationship with underwriters who are subject matter experts in cyber insurance, and 2) do as much up-front work with the prospective client as possible leading up to the submission to underwriters.
Serge Solski, principal at AdviseAware Risk Consulting, advises brokers and other clients about technology risks, including those related to cyber.
“One of the things I advise is to have a good relationship with an underwriter, or hire one that studies these things and makes sure that the cyber risk package that they pull together includes those elements [of social engineering, business interruption and third-party providers],” Solski said. “You really just can’t go out on your own, you want to have a partnership. The forms are constantly evolving and it’s very difficult to stay on top of the threat, because the threat changes so often.”
Catherine Evans, vice president of Marsh Canada, stresses talking with clients beforehand, and doing a lot of upfront work before taking a submission out to market. “When you start talking about cyber to a client, that word has different meanings to different groups, so it’s really important to get at the heart of what they are concerned about losing, what particular scenarios are a problem for them, and then trying to figure out the best way to mirror the coverage to what their concerns are.”
In preparing submissions for an underwriter, Solski advises asking the following three questions to help them understand their clients’ risk profiles.
Some policies or endorsements cover social engineering fraud, in which a person is tricked into revealing confidential information. If that is the case, the client may need a policy or endorsement that covers this fraud or a separate crime policy (many cyber policies won’t cover wire transfer fraud, for example). Brokers should also ask if the client’s employees are trained on what to look for regarding phishing emails, another form of social engineering.
Clients should understand what processes are automated by computer systems, and what happens if those computers become unavailable due to ransomware or another cyber threat. Other automation-related questions could be:
Brokers should ask clients if they have any contracts with third-party providers who have privileged access to the client’s computer systems. Brokers should use more than just an insurance-only approach. They should also look at pre-incident and post-incident preparation. Also, what happens to the business if it loses critical trade secrets?