February 25, 2018 by Jason Contant
The majority of clients that Marsh Canada meets with – anecdotally 70-80% – still don’t understand what a cyber insurance policy does, Jeremiah Tonn, vice president of the brokerage’s cyber practice, said on Friday.
Speaking at NetDiligence’s Cyber Risk Summit in Toronto, Tonn provided delegates with a walkthrough of a cyber insurance discussion with a client. Using the example of meeting with a risk manager, the company’s IT team and the legal department, Tonn said he still hears objections such as “Cyber’s not really for us; I’m not really seeing the exposure.”
Only after a walkthrough of the different coverages available do some clients start to realize how cyber insurance may apply to them.
“With every risk, we’re still in the education phase so the very first thing we do as brokers is have an initial meeting with clients to really understand their exposure,” Tonn said during a panel discussion on the cyber insurance underwriting process. “The idea is to look at it from a holistic standpoint, understand the exposure to their culture and to help quantify risk and where they might experience some financial hardship as a result of a breach. In these initial meetings, we also educate them on what a cyber insurance policy does.”
After that preliminary meeting, Marsh then gets into some exposure analysis, privacy and business interruption modelling and risk transfer solutions.
Then comes the application – reaching out to insurers and asking what questions they would like to have responses to. “There are many, many different applications out there,” Tonn said. “You have some applications… that ask 20 questions and some ask 70 questions.”
Marsh then creates its own application that condenses these down to the very basic questions that underwriters are trying to get responses to. “A lot of times underwriters are asking the same question in different ways, some of which are confusing,” Tonn reported. “We are finding it’s much more effective and better for questions to be open-ended to enable clients to explain their process as opposed to checking yes or no.”
This is especially true in larger organizations, where cyber risk responses are rarely simple. “To err on the side of caution, you would put no, but then you would never get insurance.”
Another panellist, Joe DePaul, cyber/E&O practice leader with Willis Towers Watson, added that some application questions are very technical, which requires bringing in others to help answer them.
Tonn said that most clients will provide the information being asked for if it is explained why it’s needed and how it is relevant to the insurer.
Once the terms of a policy are negotiated with underwriters, the final step is to synthesize all the information “to be able to speak and deliver things essentially at board level because a lot of discussions now are at boards or senior people.”