Risk Insider: Martin Frappolli

Three Producer Cyber Strategies

By: | May 13, 2016

Martin J. Frappolli, CPCU, FIDM, AIC, is Senior Director of Knowledge Resources at The Institutes, and editor of the organization's new “Managing Cyber Risk” textbook. He can be reached at [email protected].

Cyber risk is still poorly understood by a lot of organizations. Agents and brokers are optimally positioned to help their clients get cyber under control. Here are three ways that a skilled producer can help clients prepare to manage cyber exposures.

Share the News: Cyber Risk Involves More than Customer Data

The headlines continue to focus on breaches that involve customer data, perhaps because so many people are potentially affected.

Agents and brokers can help clients measure and then prepare for the great variety of cyber risks, including first party exposures. Insureds may not be thinking about the costs of forensics, fines and restoration of systems and data in the wake of a cyber breach.

Perhaps the biggest threat is business interruption, whether from a targeted attack or a widespread outage of network services resulting from state-sponsored cyber terrorism.

Scott Addis, founder of “Beyond Insurance,” says “There is a misconception that breaches are caused primarily by hackers. Recent studies show that more than one-third of cyber breaches are caused by negligent or rogue employees.

“A well written cyber policy is far more expansive than just protection for the liability and response costs associated with a data breach. Policyholders may benefit from comprehensive protection including coverages such as network interruption, data restoration, reputational harm, social engineering, regulatory fines and penalties, and media liability, just to name a few.

“When a breach occurs, the board will be far more interested in the adequacy of coverage than the premium that was charged. Work with an expert.”

Use the Whole Toolbox

Producers sell insurance, and they help insureds understand policy choices and then match proper coverage to their exposures. But at a more fundamental level, insurance is just one tool in a risk manager’s toolbox. Especially for the mid-size and smaller organizations, the producer can serve as the de facto risk manager.

Consider all of the hygiene practices we employ to manage well-known risks like fire. We build to safety code standards, we equip buildings with sprinklers and extinguishers, we don’t store greasy rags next to the boiler, and we conduct fire drills. We do all that to mitigate the fire risk, and then we buy insurance.

A savvy producer can help a customer embrace that same approach with cyber risk. Mitigate the exposure by good cyber hygiene, understand the first party risks, understand that employees are still the biggest area of vulnerability, and only after that buy cyber risk insurance.

Read the Policy, and Then Read it Again

Stephanie Snyder, national cyber sales leader with Aon Risk Solutions, says that “cyber insurance policies are consistently inconsistent. There are over 60 cyber insurance markets that offer 60 different policy forms. These forms may contain different coverage triggers, definitions and exclusions.”

She says that no cyber policy should be bound “off the shelf.” Due to the unique needs of every organization and the inconsistency in policy wording, “all cyber policies require coverage to be manuscripted.”

To get to the right policy that properly addresses the client’s cyber exposures, the producer must consider the industry exposure and specific customer concerns. “Ask questions,” Snyder advises.

“The dynamic nature of cyber risk means that just as your clients are trying to address their enterprise cyber risk exposures, the underwriters are trying to understand potential losses and how to underwrite to them. The evolving nature of cyber risk means that to an extent, we are all learning together.”

More from Risk & Insurance