Editor’s note: All this week, the team at Insurance Business America will take a closer look at market conditions, trends, key statistics and strategies for the cyber liability insurance market.
Cyber liability purchasing patterns are through the roof, with a 21% increase in sales in 2013 and the trend expected to continue this year, according to a report from Marsh Global Analytics. However, heightened interest won’t seal the deal for producers.
Insurance Business America spoke to two cyber insurance veterans about the misconceptions held by both producers and their clients, and came up with four that are sure to tank even your most promising deals.
Michael Palotay of cyber insurer NAS Insurance and Christine Marciano of New York brokerage Cyber Data-Risk Managers offered their insights into these conundrums and how to come out a winner.
1. Cyber liability is covered by my CGL…right?
In March, a New York Supreme Court Justice ruled that Sony Corp’s commercial general liability (CGL) policies do not cover liability for theft by hackers. The decision followed a global breach of Sony’s PlayStation user network. Despite widespread publication, misconceptions about what a CGL policy does and does not cover still linger.
In fact, roughly 40% of privately owned companies still believe their CGL policy covers them in the event of a data breach, a Chubb Corp. survey found.
Marciano attributes this to some degree of overlap between cyber liability policies and CGLs. For example, advertising injury liability covered under cyber liability policies is also present under the CGL. However, hope of any serious coverage following a breach has long since been done away with, says Palotay.
“Trying to get the CGL to cover [cyber risk] was kind of a ‘Hail Mary’ and while it might have been successful in a couple of cases, it’s really not the intent of a CGL policy to cover cyber,” he said.
Marciano believes the upcoming ISO changes to CGL policy language, which specifically address and exclude cyber coverage, will do much to increase client awareness and perhaps even purchasing patterns.
“I think the Sony case and the new policy exclusion language will mean bigger growth in the market, as clients realize cyber risk is not covered, and think, ‘We really need to look at this,’” she said.
With the new policy language and multiple court cases as talking points, producers can do much to dispel those myths.
2. I don’t have any real exposure
While the highly publicized data breaches of Sony, Target and Williams-Sonoma have made cyber risk a talking point, they may actually be doing a disservice to smaller employers. By perpetuating the idea that only large companies get hacked, small businesses could be lured into a false sense of security—one their producers may even believe themselves.
To really bring home the danger to small businesses, Palotay stressed that it is important to represent exposure to a small business in real-world terms. For a small retailer or law firm, that means a breach of about 100,000 records—coincidentally, the average size of a cyber breach in 2012, according to Ponemon Institute data.
“Throwing around huge, billion-dollar numbers is a disservice because it’s not realistic,” Palotay pointed out. “We train brokers to talk about what is actually ‘the real world’ to an insured—typically $10 or $15 per breach.”
Another pervasive myth that derails sales is the idea that data breaches only occur as a result of hacking. In actuality, hacking plays just a small part in the kind of compromised information particular to a small employer.
“You don’t have to be targeted by a hacker to suffer a hacking attack,” said Palotay. “All malicious code programs replicate and infect computer after computer, and if they find files with confidential information, they beam it back to where the code originated. Hacking gets the most headlines, but negligence and mistakes happen more often. It’s very difficult to make it impossible to occur, and that’s what cyber insurance is for.”
3. Cyber insurance is too expensive for a small business like mine
While cyber insurance premiums can be expensive, they are typically much less than many clients believe. In general, product premiums are commensurate with client risk, Palotay said.
“I think [potential clients] would be surprised at how cheap it is,” he said. “When the coverage is properly discussed and their exposure is explained in a real-world scenario, it’s usually a no-brainer for the insured.”
Specifically speaking, if each compromised record costs $10 to remediate and 100,000 records are breached, the firm is looking at $100,000 just to meet regulatory standards of reporting and addressing the damage.
In comparison to a $4,000 annual policy, that’s a good deal indeed.
4. If I had cyber exposure, my broker would have told me
The final misconception many clients hold may just be the undoing of an otherwise well-meaning insurance agent or broker.
Because insureds count on their producer to advise them of all possible risks, producers have a duty to warn them of their cyber exposure and offer the appropriate coverage. If they do not, they could be facing an errors and omissions claim, says Marciano.
“If clients have sensitive data and brokers don’t help their clients with the right product, they could be facing their own E&O claim,” she said. “It’s a gap in a broker’s own insurance policy if they’re not bringing it up and they’re going to find themselves in trouble if the client comes after them.”
Marciano said many brokers may already be in this situation, as cyber insurance is generally considered “confusing” and is therefore ignored by producers who don’t want to invest the time in understanding the product.
“Too many brokers don’t understand the coverage and don’t feel comfortable talking about it,” Marciano said. “But if they don’t, they can’t help and they might be liable for negligence.”