Target, Michaels, eBay, JPMorgan Chase, the New York Times, Google, Anthem, the U.S. Government… The list of high profile data breaches grows longer each day, and doesn’t include the countless number of small businesses that have their data compromised in attacks we may never hear about.
Given the frequency and high cost of recent cyber attacks, it’s no surprise that cyber insurance is one of the fastest growing areas in the insurance industry. It seems no industry is immune. Examples of cyber attacks on organizations can be found in education, financial services, nonprofits, professional services, manufacturing, hospitality, retail and – as the Anthem breach illustrates – even the insurance industry. The Ponemon Institute 2014 Global Report on the Cost of Cyber Crime found that U.S. companies spend an average of $12.7 million a year on cyber attacks and data breaches.
It is no surprise that 80% of property/casualty insurance executives believe cyber insurance is a major growth area for commercial insurers, according to a recent survey by the Insurance Information Institute.
With clients of all sizes and across all industries, independent agents are on the front lines of this emerging opportunity and can help clients protect themselves from cyber threats. Here are six things agents need to know about the cyber insurance market:
1. The cyber threat is a growing problem. A Symantec 2014 Internet Security Threat Report reported the number of data breach incidents grew 62% from the previous year. Add to that all the breaches that went unreported or worse, undetected. The use of connected devices such as cameras, cell phones and other digital equipment and emerging technologies like the cloud are opening the door to more cyber attacks and exposing businesses to greater liability.
Cyber risks can include identity theft of credit card or personal information, business interruption, reputation damage, data theft, software corruption and human error, the cost of credit monitoring services for customers impacted by identity theft, as well as lawsuits. According to Ponemon, the most costly cyber crimes are those caused by malicious insiders, denial of services and web-based attacks, accounting for more than 55% of all cyber crime costs per organization on an annual basis.
2. Not all data, and cyber liability, is the same. Most organizations keep data on their business, employees and customers. An organization will have different levels of possible exposure depending on the types of data they collect. This makes it difficult to compare the risk from one company to another. A doctor’s office with patient data including names, addresses, Social Security numbers and other personal information may be more attractive to a cybercriminal than a bakery, for example. Actuarial data for underwriters is hard to quantify, so cyber policies are often based on qualitative assessments. One size does not fit all.
There are two types of cyber liabilities that threaten businesses. First-party cyber liability refers to risks that can expose data on a company’s own network, such as when the personal information of 110 million Target customers was stolen. Third-party cyber liability refers to risks that threaten data on a client’s network. In the Target example, the transaction software developer may face liability. Third-party insurance has grown faster than first party, but laws regulating data privacy and critical infrastructure will drive sales in the first-party insurance market.
3. Many businesses don’t understand the threat. Carriers that offer cyber protection report that 40% of their clients say they don’t need it and another 29% think they are covered under existing policies, according to a 2014 study by Hanover Research.
It doesn’t take much for disaster to strike. Consider a business owner who accidentally installs malware on his point-of-sale devices. In an instant, hackers have access to customer names, credit card numbers and other personal information. That business has had a data breach that will cost it thousands of dollars in damages to its reputation, legal fees, software upgrades, credit monitoring and other out-of-pocket expenses. It may only cost that business owner $10,000 to $30,000, but for a small business client, that is a lot of money and could force them out of business.
4. Small businesses are easy targets. Media attention on recent data breaches might give the impression that only large businesses are at risk to cyber threats. In fact, the opposite is true. The Symantec study found that more than 30% of all breaches occurred in organizations of 250 or fewer employees. Small businesses are especially vulnerable because they lack the sophisticated protection in place at larger organizations and don’t recognize their own exposure to risk. These businesses are at the greatest risk because with no protection, not enough coverage and an “it can’t happen to me” attitude, they are easier to breach.
5. A proactive approach will drive sales. Independent agents should make cyber risk conversations standard procedure with clients to make sure they are aware of the types of coverages available and where they might be exposed. This will drive new sales with prospects, incremental business with existing clients, and can prevent client poaching by agents who are aggressively selling cyber policies. Agents who specialize in small business should offer cyber risk planning as part of their marketing efforts.
6. Education is the biggest challenge. In the cybersecurity industry, they say there are two types of businesses: those that know they’ve been breached and those that have been breached, but don’t know it. Every business has exposure at some level. The job of independent agents is to educate the business owner about the variety of exposures and help them understand how coverage can protect them.
Many of the large carriers offer education for agents and business owners, as well as products that can be customized for businesses depending on their specific risks. Policies may cover the insured’s failure to prevent unauthorized access to data, customer notification as required by law, reimbursements for security breach and payment card expenses, crisis management costs, good faith advertising, and legal costs in the event an organization is sued.
The good news is that cyber coverage is becoming more affordable and easy to obtain. Now is the right time for agents to talk about cyber insurance with their clients. The last thing an agent should hear from a client is, “Why didn’t you talk to me about this?”