US Pro Insurance Services

The 10 Commandments of Cyber Insurance

It is everywhere you turn now. On the front page of the newspaper, the nightly news headlines, and even on the A.M. radio talk stations. 60 Minutes has done not one, but TWO different stories just in 2014. Experts suggest that 97% of all American businesses have been breached. Yet unbelievably so, Cyber events continue to grow and are rampantly surpassing all other crimes in total.

But what do you do about it? How do you sell it if you do not understand it? Surely, maintaining the status quo is not the solution. To protect your own errors & omissions exposures, every commercial insured you have should be quoted immediately. Have you done this?

Fortunately, US Pro Insurance Services can be a valuable partner of yours. Not only are we known as “America’s Cyber Insurance Experts”, we are the only specialty lines wholesale broker in America teaching on it to agents all across America. Our website, www.cyberinsurancesource.com, is unique to the industry.

We share with you today the 10 commandments of Cyber Insurance that when followed will make you a far better salesperson of this coverage.

1. Be an Expert, or Use an Expert.
Cyber Liability Insurance is NOT an insurance policy. It is a comprehensive program of interwoven coverage parts that provide protection from a multitude of exposures the average business faces every day. These coverage modules each carry significant importance to the total Cyber exposure.

Evolving hazards, lack of uniform policy language, and a misunderstanding of what causes losses require the retail agent to be an expert in more than just insurance. They need to know and understand technology and the risks it presents. They need to know coverage forms, and how to answer application questions. They need to become an EXPERT, or the agent needs to find a broker who is. With uninsured and underinsured risks so great, there is simply no other choice.

2. Know the Record.
The record is at the center of the Cyber universe. The record, which comes in two forms, is the asset so coveted by Cyber criminals and rogue employees. Known as Personal Confidential Information (PCI), it is either in the form of Personally Identifiable Information (PII), or it is Protected Health Information. In either case, several federal, state and local regulations require it to remain protected.

Another important part of the record is quantifying it. For PII, it is as little as a full name and email address. For PHI, it is any disclosure of health data. These records can be electronic, written, or images. However, each unique personally identifiable dataset, regardless of how many instances of it being stored, remains only 1 record- it is not repeatedly counted.

3. Hot Property.
One of the biggest misunderstandings in Cyber Insurance is what kind of coverage it actually is. Cyber Liability Insurance is both a liability coverage as well as property insurance.

From the liability perspective, a business is legally required to protect third party PCI in their care, custody and/or control. This legal requirement therefore imposes liability upon the business if they fail to do so. This is known as Third Party Liability Coverage(s), and every Cyber policy includes at least some of the four (4) coverage parts. Included in this is the legal and defense expenses incurred by an event, amongst other expenses.

From the property perspective, the third party PCI in their care, custody and/or control is Intellectual Property of those parties. The same legal requirements to protect it make it necessary to restore it should it be compromised. These restorations of identities, as well as the Business Interruption and Data Restoration coverage parts, are the Property coverage components of the program.

Finally, Crime Insurance is a property coverage. Network Extortion involves ransom demands and is criminal in nature. This coverage part is similar to Crime coverage mechanics as well.

4. When Attacked, a Weapon is Needed.
Cyber events come in many forms. The short list includes network extortion, denial of service, transmission of malicious code, unauthorized access to or use of systems, and hacking. All of these are attacks. When you are under attack, your best defense against it is to have a weapon of your own.

US Pro calls the right Cyber Insurance program a Breach Response Weapon. Like any weapon, it can be useful, but may not be a strong enough response. The key is choosing the RIGHT weapon.

As earlier stated, these policies are very different in their coverage and language. Be sure to choose a carrier that not only provides all of the coverage parts, but supplements it with risk management services for policyholders.

Most critical of all is the breach response services team provided by the policy. If these services are not included the coverage is worthless.

5. Unpackaging Packages.
Package carriers who offer Cyber Insurance add-ons to their policy need to be avoided in all cases. Agents who choose this method of coverage expose themselves to much higher risk of incurring an E&O claim for underinsuring or uninsuring risk.

The problem lies in the standard of care. The insurance agent by relationship has professional liability standards imposed on them by law as licensed professionals. One of these standards is to know the product they are selling, and to be sure that it addresses all of the exposures for which it has been sold.

All packaged Cyber coverages we have seen do include many of the third party coverage parts, and may provide some first party coverage too. But many coverage parts are missing, and those that are not missing are grossly underinsured by sublimit.

Given the modest cost of Cyber coverage, the few dollars saved purchasing a packaged coverage means thousands of dollars spent when an event does occur.

***One important note. If your Insured is a Technology business of any kind, it should always package its E&O with Cyber together. Always! This is important to the Insured to avoid gaps in coverage which may occur when these are written apart and with different insurers.

6. Standard is Not Standard.
Standard markets, including all of the largest big name companies, are late to the Cyber policy. The coverage forms remain less broad than those carriers who have become known as the leading Cyber coverage forms. It is true that in some cases the rates they offer are lower; it is never an apples to apples comparison.

In fact, in the instance where I have done policy comparisons for our customer, comparing our core carriers against a standard market, all of our core carriers were broader in coverage. Even more interesting is when we found cases where the coverage was as close to apples to apples as possible, our core carriers were less premium in almost every case.

7. UEN- The Primary Cause of the Evil
UEN is the primary cause of all Cyber events, and while possible to mitigate, it cannot be eliminated nor can it be avoided. UEN is a Cyber exposure every business has, and every business will always have, regardless of every best effort they make.

So what is UEN? UEN is a phrase US Pro penned, and it stands for Unintentional Employee Negligence. It happens in a lot of different ways, resulting in all kinds of events, and is simply human error. Yet, it is human error that is innocent, unintentional, accidental, and mostly, unbeknownst.

We will not give you all of the ways it happens here, but the top UEN event is unencrypted information that is compromised as a result of a lost or stolen mobile device. 88% of all cyber events are caused by unintentional employee negligence.

8. The 4 Golden Rules
There are 4 golden rules to know about Cyber Insurance that serve as a foundation from which to build on your Cyber knowledge. While these are explained in depth in our free online webinar, we wanted these to be established in the 10 commandments. These rules are as follows:

  • Rule 1: A network security breach does not necessarily result in a privacy compromise.
  • Rule 2: A privacy compromise does not necessarily occur from a network security breach.
  • Rule 3: A third party liability event does not mean any first party costs will be incurred.
  • Rule 4: First party costs can NEVER be incurred without a third party event.

Understanding these rules, and what they mean, is your logical next step to becoming a knowledgeable Cyber salesperson.

9. Put the Fire Out.
The Property Fire analogy, also explained in depth in our online webinar, is the single best tool for explaining Cyber to a business owner. This powerful and detailed analogy actually visualizes for the buyer an exposure that is invisible but real.

Like any Property Fire, the first response is to “put the fire out”. This requires calling the Fire Department. Commandment 3 tells us that since this is Property coverage, an event is a property fire. Even though the property is intellectual, a compromise of it is comparable to it being on fire. It needs to be put out first, then rebuilt. The right cyber program will provide to its policyholders a breach response services team that is in theory the fire department.

Package carriers and standard carriers do not provide this-they use the atypical claim department response. This method of response starts the process, and imposes burden onto the Insured to hire response teams. Meanwhile, the fire is still burning.

Avoid policies that do not offer to put the fire out first.

10. Avoid. Accept. Mitigate. Transfer.
In order to properly assess one’s overall Cyber exposures, all aspects of the operations must be considered from bottom up. Once assessed, every business must then AAMT the exposure. These are choices, but in the end, only one is viable.

Choose to avoid the risk. Commandment 7 eliminates this choice.

Choose to accept the risk. We did not touch on this but the average Cyber claim is $180,000. This is a minimum expectation regardless of the size of the business. The average climbs by the size of the risk. Establishing a value to one’s potential exposure is almost not possible, making self-insurance not an option.

Choose to mitigate the risk. Strong controls and procedures will serve to minimize exposures, but the risk is omnipresent. Commandment 7 reminds us that despite all of our best efforts at controls and procedures our own employees cause the majority of events- even with all of these in place. Choosing mitigation over transfer may become a very expensive choice.

Choose to transfer the risk. Transferring the risk means buying insurance. This is the only logical choice. Having a solid insurance program combined with strong controls and procedures complemented by annual risk assessment is the right choice.

Using these 10 Commandments are going to make you better salespersons of Cyber coverage. Cyber Insurance sales is about changing a buyer’s mindset from one of “I cannot afford to buy it” to a mindset of “I cannot afford to be without it”. If you can use these tools, it will happen.

US Pro is America’s expert on everything Cyber. As the first and most important commandment tells you- either be the expert, or use an expert. We hope that you choose to use us.

Send your submission to us today at ksneed@usproins.com for immediate response. We want to be your Cyber Insurance expert!!