4 Questions Agents Should Be Asking Manufacturers About Cyber Risk
Thanks to continual advancements in technology, the line between the physical and digital world continues to blur, eroding traditional definitions of cyber risk. Originally, a company’s cyber exposure could be determined by its possession of PII.
But reliance on technology in all areas of business has greatly expanded the concept of cyber risk and made it more difficult for companies to accurately identity, quantify and mitigate their exposures.
Manufacturers, for example, hold very little PII. They do, however, depend on complex industrial control technology. If this technology gets hacked, the consequences could include anything from product defects and supply chain disruption, to forced shutdowns that may result in business interruption losses suffered by themselves and their customers.
Given that cyber insurance is still evolving, businesses may have a hard time determining if they are protected from breaches that cause physical damage or other types of loss unrelated to PII. Agents and carriers have a critical role to play in building an understanding of traditional and emerging cyber exposure and addressing coverage gaps.
What Agents Should Be Asking About Cyber Exposure
To help clients with non-traditional cyber exposures fully understand their risk and identify gaps in their insurance protection, agents need to dig deeper into their operations. Here are four of the key questions agents should be asking in order to craft the best cyber solution.
1. What are your digital assets beyond PII?
A digital asset is generally considered an intangible piece of information that has value. For a manufacturer, digital assets could include the software or code that runs industrial control systems, intellectual property in the form of trade secrets or copyrighted product designs, or feedback data generated by machinery and the analytical programs that interpret it.
Thinking beyond Social Security numbers and credit card information forces a review of critical data and technology systems, and a second look at their security.
“There are service providers out there that will help you identify and rank order the importance of various digital assets to your organization,” said Eric Cernak, Head of Cyber for The Hanover. “It’s a good way to expand the scope of thought outward beyond PII and take a more comprehensive view of cyber risk. Listing out these assets is also a good first step toward quantification of risk – critical to the underwriting of any cyber policy.”
2. How long can you operate without access to critical systems and data?
Business interruption coverage typically only kicks in once a designated waiting period has elapsed. A shorter waiting period means the policy will pay out sooner and restore cash flow more quickly, but comes with a higher premium. Getting the best coverage for the best price requires knowing how long you can afford to wait.
According to The Hanover’s recent Cyber Risk Report, completed in conjunction with Zogby Analytics, 60% of respondents said their business would become unprofitable within 48 hours if they lost access to critical systems/data.
“Common waiting periods were often 24 hours. More recently, they have been reduced to 12 hours, and can sometimes be negotiated to either six or eight hours. Understanding how long you can operate during an interruption helps businesses make informed decisions around their policy’s waiting period,” Cernak said.
Answering this question will also unveil risk management strengths and weaknesses. A company that invests in data storage and performs full data backup on a regular basis could feasibly recover more quickly from an interruption.
3. What critical aspects of your operation are outsourced to third parties?
Outsourcing is a double-edged sword. It may reduce risk by transferring some tasks over to organizations with more expertise and resources, but it also exposes the contracting organization to the third party’s own vulnerabilities.
The Hanover’s Cyber Risk Report found that 70% of businesses outsource security operations or critical IT resources to a third party, given the technical knowledge it requires. But while it’s wise to recognize their own limitations, a lack of cyber security knowledge could also lead companies into inadequate contracts.
“You need to think about the additional exposure that partnership creates. What happens to your organization if that third party goes down? What standards of cyber security are they adhering to? Do they have cyber or technology E&O insurance? And have you identified a backup provider?” Cernak said. “You can’t contract all your liability away.”
Vendor contracts should always address how risk will be mitigated and how the liability will be shared. Reviewing those contracts could highlight previously unrecognized coverage gaps.
4. What are your business plans for the next 12 months?
Because no one is immune to cyber risk, any plans to expand or enter into new partnerships will likely require that all parties involved carry cyber insurance.
“At some point during the next 12 months, one of your clients’ potential contracts is most likely going to require them to carry cyber insurance, especially if they’re doing business with a larger organization,” Cernak said. “And chances are the other party will be looking for more than $1 million in limits.”
Thinking ahead to the way cyber exposure may change can help an organization determine how much risk it can retain and what changes should be made to align with a potential new partner’s requirements. It could be a matter of purchasing more limit, reducing risk to a more acceptable level, or some combination of the two.
“Having those conversations now means that an organization isn’t scrambling to bind cyber insurance three days before a deal, and doesn’t miss out on new opportunities,” Cernak said.
Why Agent Support Matters
According to The Hanover’s Cyber Risk Report, 71% of businesses that have a cyber insurance policy purchase it at the recommendation of their insurance agent. Agents act as critical risk advisors, but staying on top of a risk as fluid as cyber – in addition to the rest of a clients’ exposures – is a tall task.
“We want to help our agents by providing them the tools and resources that support having those initial conversations with clients about cyber risk. Especially in sectors like manufacturing that don’t deal much with PII, building that understanding can be difficult,” Cernak said, “We’ve developed several resources and tools that help agents start that discussion.”
The Hanover’s comprehensive suite of cyber products also means agents can find solutions for unique client needs.
“We have customizable solutions that range from low-friction, bolt-on data breach and cyber liability coverages to a standalone cyber product. Plus, we offer a solution that’s complemented by management liability policies, including E&O and D&O.” Cernak said. “The cyber solutions that we devise can grow and evolve alongside the insured as their exposures change, which is important since the technological environment and landscape of cyber threats changes rapidly.”
A key benefit of these coverages is the access they provide to a panel of breach response experts, including forensic investigators, ransomware negotiators, breach attorneys and public relations firms.
“A cyber-attack is often a traumatic experience that has to be resolved quickly, so we assembled a very strong network of industry leading professionals who can do just that,” Cernak said. “No one is immune from cyber risk. But when you have the risk transfer component of a custom cyber policy, backed up by an expert panel of breach response professionals, you have a winning solution no matter where your exposures lie.”
To learn more, visit https://www.hanover.com/agentsolutions/man_cyber.html.