UPFRONT
OPINION
GOT AN OPINION THAT COUNTS? Email iba@keymedia.com
Budgeting for cyber insurance Helping your clients understand cyber crime is the first step in protecting them from this very real – albeit intangible – risk, writes Michael Loeters THE INSURANCE industry has struggled with the successful positioning of cyber insurance coverage as part of the commercial insurance portfolio. Other than insureds in verticals such as healthcare, financial services, retail and education, the conversion rate of discussions to quotes and quotes to binds has remained quite low. This is despite the onslaught of information, articles and underwriter presentations – not to mention the constant flow of high-profile breaches. The truth is that this is the normal evolution of a new insurance product in the marketplace. First of all, it is a product that came into the market not because of a widespread demand, but rather due to the demand of a few select segments that were facing increased regulatory and balancesheet pressure. As an industry, we are now trying to broaden the appeal of this product to those who have not yet experienced this same pressure. Second, clients are not opposed to spending money on additional balancesheet protection as long as they clearly understand the magnitude of the risk and its impact. Why should they now finance this risk with an insurance policy as opposed to continuing to self-insure? Dealing with this objection has been one of the biggest stumbling blocks for brokers. Quantifying cyber risk requires an insurance professional to think about their insureds’ risks differently. What data do they hold? What contractual obligations do they have to protect that data? How is
their supply chain set up from a network perspective? How would operations be impacted by a network outage, loss of data or privacy breach? As insurance brokers, we are comfortable talking about fires, windstorms and product liability. We have been talking about it for years, and we can illustrate our points with a lot of existing claims. Insureds do not question their exposure to these perils
be the impact on the value of the company if they lost access to the data, or if all that data was public knowledge? The answers are not surprising. The next step is quantifying the exposure. Many insurance carriers have created simple tools brokers can use to sit down with their insureds and quantify the risk in terms of cost impact. These tools are not perfect, but that isn’t the point. We have had our insureds filling out profit worksheets for years, knowing that it is our best guess of future exposure. Take one of these tools from an insurer, get comfortable with it, and use the process of completing it with an insured as an opportunity to have an intelligent conversation about their operations and risk profile. You are both likely to learn a lot. Finally, be prepared to deal with the common objections you are going to hear: We have a firewall and antivirus protection. We are not high-profile. It has never happened to us. View these not as objections, but rather requests for
“You have to help your insured understand that no matter what business they are in, they are a data company” because they have become part of the standard insurance program. The templates used by lawyers for leases and contracts already include the requirement for this coverage, so they are part of the insurance program by default. Not so for cyber insurance. So how do brokers successfully position cyber coverage as a critical part of an insured’s portfolio of coverage? First, you have to help your insured understand that, no matter what business they are in, they are a data company. Data is one of the most important assets a company holds today – from their intellectual property and customer data to their market information and financial records. How long could they function without this data? If it is valuable to them, why would it not also be valuable to someone else? What would
more information. The Internet is full of high-quality publications that will give you all the credible statistics and information you need. Insureds have sprinkler systems and alarm systems, and have never had their premises burn down – yet they still buy property insurance. Qualify and quantify the risk, then tie it back to the balance sheet like you have always done, and you will be successful in getting your clients to adopt cyber insurance as part of their portfolios.
Michael Loeters is the vice president and cyber insurance team leader at BFL Canada Risk and Insurance Services, and has provided insurance and risk management services to a wide range of industries over his 21-year career.
P 18
www.ibamag.com
18-19_Opinion-SUBBED.indd 18
18/09/2015 5:22:19 AM