REBUTTING CYBER POLICY DECLINATIONS
What to tell your clients when they use common excuses
By Christopher W. Cook
Many moons ago, in the month of October, we ran several feature articles and columns regarding cyber insurance. Now that we’re two months down the road, I figured we could share some more insight on the topic. I mean … come on.
I recently viewed a webinar hosted by Coalition, Inc., titled Overcoming Objections with Cyber Insurance, which shared the top excuses brokers’ clients give for not buying cyber and provided tips on how to refute their declinations.
“The last two years have been insane in the [cyber] market and have really been forcing [brokers] to become more of a risk consultant,” said Zachary Sawin, sales operations manager at Coalition, who previously worked on the brokerage side of the industry.
“It’s no secret that the broker role has changed and evolved over the last few years, and it’s changed because the cyber risk landscape is constantly changing,” added Sophia Kudlyk, Coalition product marketing manager. “As brokers, you are expected to keep evolving and keep up with that pace of change, which can be hard to do.”
While the global cyber insurance market is projected to grow to almost $40 billion by 2028, according to Advisen, “64% of small businesses are not familiar with cyber insurance and only 17% currently have a policy.”
However, “the opportunity for cyber insurance as a risk mitigation tool is definitely growing,” said Kudlyk. “Yet, the adoption remains quite small, especially when we’re talking to the small- to mid-sized business (SMB) markets.”
So, what’s the holdup? Here are five of the most frequent client objections that you may be receiving:
- I’m not a target for cyberattacks
- We don’t rely on technology as a business
- I’m already protected from cyber threats
- I have coverage in my existing policy
- Cyber coverage costs too much
Let’s take a closer look at each of these objections and provide support to hopefully get your reluctant client to change their opinion on the product.
I’m not a target
By now, it’s safe to say that everyone can be a target for a cyberattack. Sawin discussed that there are two victim types in cybercrime: targets of choice and targets of opportunity. He noted that having a conversation about the two with your client could be beneficial.
“Targets of choice are … large, multi-national sometimes conglomerate companies that have tons of personally identifiable information … resting on their networks that is internet accessible,” he said. “Then there are targets of opportunity, small- and medium-sized businesses that rely on their local market presence and basic technology like email, payroll and benefits that all live online now. They don’t have the budget or the expertise to shore up their network defenses for top-of-the-line security best practices.
“Even some targets of choice that have the budget to do it are still subject to the risks of bad actors, so the paradigm of ‘I’m not a target for cyberattacks’ is irrelevant. Bad actors are looking for essentially low-hanging fruit, the path of least resistance. Phishing campaigns … are ubiquitous no matter the industry class, as long as you have an online presence.”
Sawin went into more detail on the evolving landscape of cybercrime. “For a long time, targets of choice required deep technical expertise or required bad actors to get an idea of the way that a company operates, to find out who the high-value targets are within that particular organization,” he said. “Essentially, cybercrime has become commoditized to a degree. There are ‘ransomware-as-a-service’ operators who will write the code for bad actors to then purchase and deploy. It’s much easier for bad actors to have access to disruptive tools … and small companies have become incredibly profitable targets because of their lack of … understanding about what their risk posture really is from a cybersecurity perspective.”
Coalition’s recent Claims Mid-year Update found a:
- 40% increase in the frequency of ransomware attacks
- 54% increase in the frequency of fund transfer fraud (FTF) incidents
- 50% increase in the average claims costs
We don’t rely on tech
If you receive this response as an excuse, simply ask back, “Do you use email to converse with your employees internally, with your vendors, or with your customers?” said Sawin. “The answer to that is almost always a resounding ‘yes.’”
Technology has become critical to any business. There are seven domains that apply to any company that’s an LLC or incorporated in the United States, Canada, or across the world:
- Customer information
- Order and supplier information
- Business plans and intellectual property (IP)
- Finances and invoices
- Employee information
- Payroll
“[These seven domains do a] good job of conceptualizing the attack surface, or the [types] of critical technology that every single company relies on no matter the industry, class, size or location,” Sawin said.
It’s important to know that safeguarding the data involved with any of these domains is ultimately the company’s responsibility, even if the duty to do so is outsourced elsewhere.
“Another objection I get a lot is, ‘We’re on the cloud; we have no cyber exposure because we outsource all of that.’ Well, that could have adverse effects on your ability to recover [data]. If all your information technology infrastructure or your services are hosted by a third party, then you don’t have direct access into that tech stack in the event of a breach,” Sawin added.
There are “catastrophic consequences” involving the breaching of basic technology. In 2021:
- Email threats had an average loss of $89,000
- Online banking FTF attacks had an average loss of $118,000
- Remote access services being targeted by ransomware had an average loss of $334,000
“Basic technology can make you vulnerable,” Sawin said. “I’m sure we’ve all experienced the uptick in text, email, and voicemail phishing, and the consequences can be extreme.”
I’m already protected
Cybersecurity tools that your clients may already be using are only the first step when it comes to securing your information technology infrastructure.
“[There are] five main access points that bad actors will do their reconnaissance on to deploy whatever malicious software or tactics,” Sawin said. Those access points are: users, endpoints, network access, applications, and devices.
“People are always the weakest link,” Sawin continued. “You can have an unlimited cybersecurity budget and still be subject to user error, [employees] clicking on phishing links. It’s no skin off [the bad actor’s] back to send 10,000 phishing emails. And the problem is they only need to be successful one time. It’s not a matter of if, but when.
“Cyber insurance is not a replacement for strong cybersecurity controls. … Invest heavily into the training of people; make sure you have some form of baseline cybersecurity standard you’re following.
“Protections can and do fail,” Sawin said. “There is no such thing as total protection. Cybersecurity tools are only one small piece of effectively managing cyber risk, and cyber insurance is essentially the last line of defense.”
I have existing coverage
While some BOP or general liability policies might have added-on coverages for cyber, “the stand-alone cyber policy is very broad and far-reaching,” Kudlyk said. “Package policies typically have coverage for certain risks that we categorize as third-party risks like network information and security liabilities, any regulatory fines and penalties, or other sub-limited third-party related costs.”
However, stand-alone policies cover first-party-related risks. “First party means any out-of-pocket costs that an organization needs to pay to immediately recover in the event of a cyber incident; a lot of these costs are quickly mounting, and they’re far-reaching,” Kudlyk said.
Some of these include:
- Breach response costs
- Cyber extortion payments
- Stolen funds
- Lost business income
- Computer replacement
- Technology failures
“[A] stand-alone [cyber] policy offers a broad net of very far-reaching triggers … because no two new cyber claims are the same,” Kudlyk said. “It’s also important for brokers to remember that not all cyber insurance is created equal, and not leaving your client with coverage gaps is important.”
When looking for a cyber insurance provider, “choose from [those that have] any risk mitigation or risk management tools apart from the comprehensive coverage in the cyber insurance policy; you can have tools that can alert policyholders to a vulnerability or something that’s going on in their network that they wouldn’t normally be aware of until the claim or cyber event actually occurs,” Kudlyk said.
“The second part is [having] operational and technical support during an incident,” she continued. “[They should also have] in-house claims and incident response expertise. … [H]aving an in-house team [is important] because when a claim occurs, efficiency and a timely response are the name of the game.
“When you have hours add up getting agreements signed and all the right people [involved] online, this adds to the time the business is down … and causes more confusion and anxiety for your policyholder.”
Coverage costs too much
“This is a difficult one to contextualize,” Kudlyk said. “Cyber claims are devastating in nature, and the cost of responding to them is only going up because they’re getting a little bit more complex. It’s important to illustrate a situation of how costs can quickly and exponentially grow.”
For example, after a breach occurs:
- Legal expenses. The discovery of a claim leads to the mobilization of a response team. There is also notification management and potential third-party lawsuits.
- Incident response and forensics. There’s an assessment, negotiations if ransomware is involved, and forensics reports to conduct. There might be data mining to dig through compromised data and then recover any stolen data.
- Business interruption. Money is not earned as it was before the breach; add on to that public relations costs.
Kudlyk shared an example of a breach timeline that lasted up to 30 days, but “it can extend way beyond that, and these costs add up,” she said.
Brokers should help their clients understand the value behind the policy. “What are you actually getting, and what do the [cyber breach] teams actually specialize in?” asked Kudlyk. “Put the policies side by side.”
With traditional cyber policies, one-size-fits-most underwriting is based solely on the industry and the company’s revenue. The coverage uses standardized language and limits. Whereas with an active cyber policy, “we go one step beyond that to tailor the risk in a near-real-time view of what exposures and technologies that organization actually uses to make them either less vulnerable and not charged as much premium,” Kudlyk said.
“You can’t afford not to buy cyber insurance. As frequency and severity of cyber incidents continue to rise, especially impacting businesses, the costs to resolve a cyber incident, such as legal, forensics and business interruption, cannot be ignored,” she concluded.
For more information:
Coalition, Inc.
www.coalitioninc.com