The insurance industry has wrestled with the best way to respond to all the different privacy and security exposures businesses face in the current tech-heavy world. Since it first came out in the late ’90s, cyber coverage has evolved from a tech errors and omission (E&O) policy covering mainly information technology professionals to a policy for companies of all sizes and descriptions.
Carriers have had to adapt to insureds’ needs for more coverage than what was originally available and respond appropriately, while keeping up with technology changes that raise new exposures.
“A lot of the early cyber coverage was really web media coverage,” says Michael Carr, senior vice president of E&O underwriting for Argo Pro. “Then we got looking into the security perils; what would happen if somebody hacked you? What we’ve found is that’s only a piece of the issue with data privacy and confidentiality.”
Carriers have also added other features including credit monitoring services, cloud provider protection, and data breach response teams to deal with the exposures.
Carr says from what he has seen, carriers have risen to the challenge. “I think as an industry we can feel pretty good about the fact that this coverage has not stayed still yet,” he says.
One way carriers have kept the policies moving is by including various value-added services on cyber policies and endorsements to help companies prevent data breaches and assist them if a breach does occur.
IDentity Theft 911 is one of the service firms utilized by 180 carriers in mitigating and preventing data and security breaches. Carriers working with small to medium-sized enterprises (SMEs) especially see it as an advantage to offer these options, says Matt Cullina, CEO of IDentity Theft 911 in Scottsdale, Ariz.
“What I have found through surveys with different carriers is that agents find it an easier sell with the value-added options for a brand new risk,” says Cullina. “It creates more of a talking point – rather than just a coverage and gives [the client] something tangible they can use today.”
Cullina says carriers have also found that offering value-added services like IDentity Theft 911 improves retention rates because the client knows the carrier has gone beyond just providing coverage.
Even with value-added services, SMEs have been a challenging segment for the insurance industry to sell this coverage to. Larger corporations and companies usually employ breach mitigation experts either through internal departments, or contracts with outside firms. Larger companies also have better security in place to prevent breaches.
However, the smaller and mid-size businesses don’t typically have the resources or expertise needed to deal with or prevent a breach, or even realize they are a target.
“They’re too busy getting product out the door, they’re too busy getting customers in the door, and they just can’t focus on what they see as an overhead burden,” says Richard Betterley, president of Betterley Risk Consultants in Sterling, Mass. “I think they don’t really understand the risk and so it makes it really difficult for them to manage it.”
Betterley Risk Consultants is an independent risk management consulting firm that monitors the insurance market . Betterley publishes a guide to specialty insurance products with information about 31 different cyber carriers. Betterley said they have found the risks are much greater for the smaller enterprises. At the same time, their premiums are relatively low but they are less capable of avoiding losses.
The best way for insurance companies to control that exposure is to provide access to third party vendors that help SMEs manage the risk, he says.
“The victim of a cyber breach has probably never experienced it before and hopefully never will again and they don’t know what to do,” says Betterley. “I think it helps if the insurance company can step in and say, ‘Here is what we think works well and here are some vendors we have negotiated preferred pricing with for our insureds.’”
The biggest hurdle agents and brokers face when they approach SME’s about the coverage is the “can’t happen to me” attitude because the headlines and publicity centers on larger companies, says Betterley.
“They don’t seem to realize they have become the targets because they’re easier to breach,” he says. “The agents and brokers are talking about it more, I hope enough, but it’s a difficult product to understand.”
Many agents themselves find the subject challenging.
IDentity Theft 911 has found agents and brokers are typically undereducated on the topic, says Cullina. For IDentity Theft 911 to have a successful program with a carrier, the agents need to be trained first in talking to their clients about the risk, and how to help them manage their threat.
“I think the best thing they can do is look at themselves,” says Cullina. “We find insurance agents not to be a great risk. We have handled a lot of data breaches caused by insurance agents. The more the agents are in the know, the more they can help bridge the awareness gap.”
Carr says what should really get agents and brokers attention about selling coverage to SME’s is that the pick-up rate is greater than it has ever been, and it will keep growing.
“In the small to midsize segment, at least two thirds of your clients haven’t bought yet,” he says. “A good chunk of them probably will over the next couple of years, either because they have to come to recognize the exposure or because they have a contractual duty or even a statutory duty that requires them to do it.”
Carr says the contractual or regulatory requirements are the main driver of the increase in awareness among SME’s. Additionally, more regulatory activity is leading insureds to purchase higher limits. Social media, websites and more client interaction via the Internet will keep this class relevant for years to come, so agents would be wise to invest in learning about this segment.
“There are great opportunities for businesses to do more stuff, but also all kinds of new exposure vectors that companies need to pay attention to,” says Carr. “And as a producer you can be a trusted adviser to your client to navigate through the risk side of all those great new tools.”