Let’s face it, for commercial insurance producers at all stages of their careers, Cyber is not the easiest sale to make. In my opinion there are three competing factors at play which makes selling cyber a challenge.
The first is that the policy form is complex – there’s no doubt about that. But I’ll discuss how I explain it in simple terms to gain interest and buy-in from clients.
Number two is that most clients from the Main Street type account to even the middle market account don’t think they need this coverage. A lot of decision makers are misinformed and believe that cyber risk is only something that banks and Fortune 500 firms must worry about. Of course, this mindset is totally wrong, and we’ll talk about that as well.
And finally, cyber is not mandated or required coverage for most firms to carry. Unlike GL, workers compensation, property or business auto, there are no government regulations or lenders requiring cyber insurance to be on the certificate of insurance. For many business owners this is enough for them to say: “it’s not worth it to me”.
Let’s tackle point one, the complexity of cyber insurance.
There’s no standard ISO form for cyber. Each carrier uses different language to describe their coverage parts, it’s a claims-made policy, and even two policies from the same insurer can vary widely by the addition or subtraction of multiple endorsements and coverage add-ons. Without a doubt, cyber, like other management and professional forms is complex.
If you go into a prospect or a client and start talking about first party and third-party coverage parts, breach response coverages, media liability and restoration coverages you’re going to get E.G.O. – otherwise known as Eyes Glazed Over.
I’ve overcome the complexity issue by trying to keep it simple. I ask a client or prospect a simple question: “Does your business run on data?” The answer 99.99% of the time will be, “of course”. I then ask: “If your data was stolen, destroy, or held hostage for even a few days, would it financially impact your business?”
The business owner obviously sees where this is going but volunteers, “yes, of course it would impact me financially.”
At this point I try and mitigate that feeling like someone is getting sold and tell the decision maker that I understand they’re feeling like this is a sales pitch but ask them to stick with me. I then turn my attention to ransomware attacks and how they are so endemic in the small and medium sized business market and I tell them about a conversation I had with an IT expert who explained it to me this way:
“Hackers used to spend hours and hours trying to infiltrate a network to steal private information such as credit card numbers, social security numbers, health information, etc. that they could turn around and sell it for a few dollars a pop on the dark web. Then a smart hacker discovered the Trojan virus that could explode ransomware inside a network by a simple click of a link in an email and the whole game changed. Now a hacker can send out hundreds if not thousands of emails a day hoping several people will click that link so they can take control of their computer and possibly an entire network. And here’s the kicker, instead of selling private data on the dark web for a few bucks a pop, a hacker can demand a ransom to restore the data they seize in multiple bitcoins. For hackers, ransomware is a jackpot”
In a recent study performed by Beazley the average ransomware demand in 2018 was more than $116,000, and the median ransom was $10,310. In 2019 those numbers have skewed upwards. By the end of Q1 2019 the average ransom increased to $224,871!
This is a true story and when I tell a decision maker it, there is usually a defense that pops up. Like: “we’ve got solid firewall, or our IT folks have this under control, or that couldn’t happen here.” If you’re a smart producer or account manager you probably have tons of data to refute those statements, but my suggestion is to not go there. Don’t argue, don’t try and prove the client wrong; it’s just not worth it and it won’t get you closer to a closing a deal.
My response is something like: “look, I’m not here to argue with you, or tell you that you’re not safeguarding your data properly. But what I will say is that Cyber Insurance is pretty cheap (I of course have a premium indication in hand to show them) and I’m not really here to sell you something. My job is to educate my clients about risk, and cyber risk is something that can easily inflict pain on any company, of any size in any industry. All you need to do is a Google Search: Ransomware Attacks and see the hundreds of events that happen each month. And those are the ones that get reported and noticed.” On top of that I may mention that every company that ever did get hacked probably thought they were bullet proof too. No one actually believes they will fall victim to a hack or other disaster, right?
Part of the dialogue of course must be about the coverages and the premiums, but it still may be too early to whip out that proposal. My objective during the first or second conversation about cyber is to keep it simple and equate the downside risk to what the premium could be. I’ll reiterate the direct cost of a shut down from ransomware. In many cases the company has zero revenue coming in; and then move onto the indirect costs. The potential regulatory expenses, the forensic costs to review your data, the IT costs to secure your network, possible notification costs, the damage to the company’s brand and reputation, and so forth. The tone of the conversation continues to be educational, not judgmental or salesy.
From my perspective, cyber could be more important than property coverage on a building or contents and I’ll ask a client on the fence about purchasing cyber coverage: “how many buildings do you see burn to the ground these days? I’m not saying you shouldn’t insure property, but the frequency and severity of a cyber event is far and away much greater than loss or damage to physical property.”
As agents and brokers, I think we need to shift our thinking of cyber as a liability form and think of it as more of a first party property type form. Yes, I know it’s not a property policy and there is third party liability built into the cyber policy, but for most small and medium sized businesses the primary risk they face from a cyber event is the damage, destruction or taking of their data. Could they face liability lawsuits if data is leaked into the public realm? Yes, of course they could, but many SME decision makers have not witnessed this first hand or read a news story about those types of suits happening at peer companies. Those events that do make the news are the Home Depot’s, Target’s and big banks that stick in the minds of these decision makers which makes it difficult for them to imagine it happening to them or their firms. That’s why I don’t spend a lot of time discussing notification costs or liability protection.
There are a few other things I do like to discuss with decision makers:
- Cyber risk is not going away. It’s not being mitigated or reduced in any fashion. In fact, new variants of the risk are arising constantly. We weren’t talking about ransomware 2 years ago and now it’s a major threat.
- Waiting until something does happen will of course be too late. An article by Inc.com published last year stated that 60 percent of small businesses that are hit with a cyber attack are out of business in six months! Cyber insurance can mitigate that statistic.
- Cyber coverage is more than just insurance. Post-breach or post-event services provide a critically important bucket of services immediately following an event. If an insured suffers a devastating fire at their place of business, they can call you, their agent or their insurer to start a claim. If it’s a really sticky loss they can hire a public adjuster, but a fire loss will take months to remediate. Hopefully the insured has sufficient property insurance and business income coverage. But, if a client suffers an uninsured cyber event, what do they do? Who do they turn to? Who’s the right expert to contact? Time is of the essence during an “event” so getting questions answered quickly and correctly are critical. Cyber insurance often will provide that expertise on a 24/7 basis as part of the policy coverage. That alone is worth the premium in my opinion!
- Finally, I mentioned it earlier; cyber insurance is pretty cheap. Whether it’s for small business or middle market accounts cyber premiums account for a small percentage of a client’s total insurance spend. I believe we are seeing an artificially low premium environment today as carriers fight for market share; but I expect premiums will rise as claims become more severe and frequent. Getting in now makes sense!
As an insurance professional, I believe we have a duty to educate our clients and prospects about all types of risks and how to mitigate those risks. Cyber is no different. You don’t need to be a tech expert to educate and inform clients about cyber, but having a good knowledge of the policy form, the services, and the current risks is very helpful and builds your credibility. Not sure what the policy covers or how it works? I’d suggest contacting the wholesaler or underwriter you place your cyber coverage with for a discussion. Many of these folks really “get it” and are happy to share their knowledge and expertise with agents and brokers.
Finally, I’ll admit that two or three years ago I seemed to struggle to get cyber sold and installed into many of my client’s insurance programs. Today it does seem easier. I’m not sure if it’s the shift in my selling skills/approach as I described here, or if the general awareness of cyber risk is just compelling more clients to say “yes”. It’s still not an easy sale, but it is getting easier.
Good luck with your cyber selling!
About Gordon Coyle, CPCU, ARM, AMIM, PWCA
Gordon Coyle is a third generation owner of the 90 year old insurance brokerage firm The Coyle Group, (www.thecoylegroup.com) located in New City, NY. His focus is exclusive to commercial property casualty insurance, and predominately works with lower middle market firms in the New York Metro area. As you can see from the alphabet soup following his name, he is a certified insurance nerd!