Now that you’ve schooled up on the ins and outs of cyber coverage, here’s how you make the threat real for them – and make the sale.
Previously, we detailed how critical it is for independent agents to learn the finer points of cyber coverage. It’s an ideal way to not only protect your client, but also protect you from E&O exposure – and can boost your premium.
Once an agent becomes savvy enough to identify their clients’ potential for loss, the ins and outs of cyber policies, and the types of information that underwriters will need, only then can they make an expert pitch to see that their customers are protected.
Like any other peril, the threat of loss from a cyber attack has to be made “real” for the client. The agent must paint a picture of the broader exposures; real-life examples of cyber events taken from the headlines are useful, such as the January 2022 breach suffered by the Red Cross in which more than half a million records were compromised – including documents that the Red Cross classed as “highly vulnerable.” Or the 2020 breach suffered by insurance software provider Vertafore in which a third party accessed the names, dates of birth, addresses, and license numbers of 27.7 million Texas drivers.
The point you’re driving home to the client is that you don’t need to be a Target or a Microsoft to get hacked. It happens to small businesses throughout the U.S. every year: According to the Verizon 2021 Data Breach Investigations Report, companies with fewer than 1,000 employees saw 1,037 cyber incidents in 2021 – and in 263 of those incidents, sensitive data was stolen.
It’s not an exaggeration to say that if a small to midsized business gets locked out of its system as the result of a data breach, the ensuing financial damage suffered could be the difference between staying in business and shutting down for good.
Once the basic understanding of the wider threat is understood, the gravity of the exposure can be laid bare for the client. Does the business handle payment data? Does the state in which the business is based require notification to customers if their information is compromised? If it does (and many do), those notification costs alone could prove costly – to say nothing of the business’ reputational loss.
Putting the potential loss in dollars and cents for the client, versus the cost of having the right coverage in place, can go a long way in making the sale.
Demonstrating to your carrier partners that the client is a good risk is paramount, particularly when trying to keep the cost of coverage affordable. Underwriters will want to know what steps the insured has already taken to protect themselves, such as using multi-factor authentication (MFA), endpoint detection and response (EDR) tools to detect and mitigate cyber threats, and backups held in a separate, secure location which require MFA for access.
Practice What You Preach
If the client still insists on foregoing cyber cover once the agent has made their case, the insured should be asked to sign a document that states the coverage was offered, but the customer is opting to remain uninsured against a cyber loss. Not only can this change the mind of a cautious businessowner, but it also protects the agent against possible Errors & Omissions exposure.
If a commercial client suffers a breach and finds out that they’re not covered for a cyber loss under their General Liability policy or their BOP coverage (as many of them might assume), that client can then rightfully demand to know why they weren’t presented with an option to protect themselves. At best, the agency might lose the client; at worst, they can be sued.
The ace in the hole for cyber-selling agents, however, is being a cyber-insurance policyholder. This is something that many agents also lack, much to their detriment.
“Agents will say, ‘I don’t need cyber because I’m already protected by my IT service provider, they address that,’” says Tom Wetzel, an agency consultant on cybersecurity and whose firm Thomas H. Wetzel & Associates is partnering with PIA National to offer its exclusive cyber risk assessment to independent insurance agents. “Well, IT service providers are not always equipped to handle cybersecurity challenges. Some are, and that’s a good thing. But it goes way beyond having a good firewall.”
It’s equally naïve for agents to believe that they’re immune to a cyber breach. All it takes is for one employee to open a phishing e-mail, click on a link they think is legitimate, and bam – their agency’s system is infected with malware. Imagine getting locked out of your agency’s computer system for at least a week or two while a ransom is negotiated with the perpetrator, on top of the expense and hassle of securing a firm to do that for you.
Whether you’re selling cyber or buying it yourself – and you most definitely should – it’s smart to think of cyber exposure as “the great equalizer,” because all of us, whether it be individuals or businesses, are potential targets. As Wetzel puts it, “Cyber exposure is different from other perils in that it affects everyone. We’re all vulnerable in the digital ecosystem.
“Cyber security has to be a topic that’s discussed all the time. It has to be a primary business function,” he adds. “If you’re going to bill yourself as a trusted advisor and fulfill that duty, you have to guide them in protecting themselves. Make the strongest possible case for it.”
Especially when it comes to cyber insurance, an ounce of prevention is well worth a pound of cure.