Eduard Goodman, chief privacy officer of Scottsdale, Ariz.-based IDT911, an identity theft protection firm, isn't too high on the industry's knowledge of cyber insurance, cybercrime and data theft.

Goodman assigned a grade of C- when asked to assess the average insurance agent's knowledge in this area.

He also discussed with Insurance Journal what questions agents need to ask – both of clients and providers – to ensure they are making the best cyber insurance recommendations, as well as pricing and other topics. This interview was edited for brevity.

Insurance Journal: Cyber insurance is growing in popularity, but do you think independent agents have a good handle on this topic?

Goodman: I think, generally speaking, no. I think generally, your average agent broker doesn't truly understand what the risks are, and what's available out there in the market to address those risks.

I do think, specifically, there are lots of agents out there, and brokers, that are very well-educated in this area, and are becoming more educated as time goes by, but they are fewer and far between right now, so I think the mass of folks selling general commercial insurance out there, if I had to test their knowledge of that, I'd say maybe they'd get a C-.

IJ: Do agents need to offer this type of insurance to stay competitive?

Goodman: I think absolutely they do. I think what's being lost on lots of brokers and agents now, though, is that this is such a common risk.

So many more carriers, on a day-to-day basis even, now are adding it, or are covering these types of risks in different manners, that in some respects, frankly not offering it, not mentioning it, and bringing it up with your commercial clients, it doesn't just put you at a competitive disadvantage, it probably puts you at some risk of professional liability for failing to recommend covers, and restricting strategies to deal with what frankly, unfortunately, is a very, very common risk that hits businesses of all sizes and all types, on operational, and administrative, legal and other levels.

I think it's more than competitive advantage, frankly. I think it's one of self-preservation, at least from their own professional liability, and any potential errors or omissions they might face, and things of that nature as a broker who is a professional, who is supposed to be helping manage risk insurance.

IJ: What are some of the advantages of offering it?

Goodman: I think that there's so many different advantages. I'll start out with the fact that I think most folks don't recognize how some of these different cyber events really hit a business. I think the first advantage is, if you want to have a recurring customer next year, to sell insurance products to, you want to make sure they're still in business.

The primary advantage to focusing on offering these types of coverages is, frankly, in ensuring the continuity of your own clients. We've seen scenarios where an event like this turns out not to be covered – we could talk different events – and it sinks a company, and of course they just shut down, or it creates liabilities they just can't bear.

I think that's one of the prime ones, but I think all the other things, really it's just when you do offer these types of coverages, I think what's lost on most folks is that cyber coverage – we won't credit this – there was a reinsurance provider that we work with, that when it clicked with them, they understood, real cyber insurance isn't just about writing a check to make you whole, like when your building burns down.

It's really more of a conduit to services, because you don't know what you're dealing with. You need the professionals, you need the right legal counsel, different folks in the right positions to help you work through what's a very murky situation, because it's not a traditional tangible loss or experience.

Most of the time, when that's handled right, when you take a client really from panic to peace of mind around an incident like that, it always invariably translates back to the broker or agent who offered the policy to begin with, sometimes with the client saying, 'Do I really need that?' Yeah, you do.

IJ: Name some factors, beyond revenue, that are taken into consideration when determining price.

Goodman: Revenue aside, I think the thing that is also a bit of a misnomer in cyber is that revenue corresponds to risk, and that's not always the case, especially with mandated responses around data breaches, for instance, and things like that.

Some of the factors that are considered is obviously going to be your industry type. Most notably would be professional services, with medical standing out, but also legal and CPAs. They deal with a lot of data, a lot of data on consumers. Again, they're going to tend to be on a higher price, or different type of offering, when it comes to what's available. Financial services in general are higher risk.

I think certain industry, and industry segments, most of them know and wouldn't be surprised when they find out they're in a higher risk class and are going to pay a little bit more. Size, also is going to benefit it. Not just revenue, but the amount of transactions.

I give people the example that you could be a small business owner who owns a kiosk that sells bubblegum at LAX, but you might have 100,000, 200,000 transactions in the course of a couple months, just from people buying 75 cent bubblegum. That's still a lot of data, as far as card information and things like that.

Revenue wouldn't correspond with the potential risk they might have, as an easy example. The amount of transactions, the type of business they're in, and the industry again, like I said – are they specifically targeted? – and those types of risks.

Those are the other factors that go in, besides simply looking at revenue, revenue streams, and that type of issue.

IJ: Can you give me three or four good questions that agents need to ask their clients, as well as providers?

Goodman: Yeah, I think starting on the provider side, it's really trying to figure out what the carrier itself is actually covering. I think that's a big issue, and a bit of a difficulty for brokers right now, to understand that not all cyber coverages are created equal. It's not a very well-defined area. Different carriers cover and exclude different things, which does make it tricky.

I think they need to go to their carriers and they need to get a clear answer to, "What exactly is being covered? Is this just going to cover my clients in the event of a data breach? Is this going to cover them if they don't deal with information on people, but maybe make software products or things like that," and maybe network liability, which is an older type of cyber coverage might be more apropos?

I think it's trying to understand the coverages that are being offered by the carriers that they work with, whether it's stand-alone coverages, which there's plenty of them out there, more specialized and even pricier, or even add-ons to BOPs and CCP packages that have been out there for years, as well.

Really knowing what's covered, what's not, how they address things like payment card-related issues, which has been a sticky issue, as well. Those are the things to clarify with your carriers that you're working with, to understand the products, frankly.

I think the other side, in dealing with who you're selling those products to, your actual clients as a broker or an agent, I think getting to understand the nature of the business is really important, and one of those key questions that people don't really talk about, that I think comes into play, is trying to discern right off the bat, are they a B2B business, or B2C?

B2C is going to really tend to cause you, when it's business to consumer, to focus very heavily on data breach related coverages. Those are coverages that respond to a lot of your own costs as an entity, to have to comply with regulatory notifications, and notifications to the public, which can be very costly. Sometimes defending lawsuits as well, but mostly the first-party costs.

If you work with consumers, those are the types of coverages you should be looking to offer. Those types of businesses that are retail, or physicians' offices, law firms, or any business that's going to deal with that.

If you make widgets for other companies that make widgets, you're going to want to concentrate on other issues. Business continuity is going to be very big. Cyber ransom and those types of coverages would also be very important to look at, but you want to have a good understanding of where the risk is.

I think that's one of the things to understand primarily – What do your businesses do, how do you do it? It sounds like a fairly obvious question, but it's not always, when people think about it from cyber.

I think that's one of them. I think understanding size and scope, meaning obviously transaction amounts, not just dollar amounts, but also understanding where they do business. Is it global? Is it only in the U.S.? Those are the things, as we're seeing more and more privacy risks, and other types of risks expand outside of the U.S., are really, really important.