RPS Insurance
Servicing clients and their many evolving exposures is difficult enough. Throw in trying to keep up on the cyber liability and data breach exposures and the various ways to develop the right level of protection, and it leads to a complicated situation that may leave agents exposed themselves. Here are the top five concerns agents and brokers should be aware of in helping design the right cyber liability coverage for their clients.
1. The complications of covering Cybercrime
Cybercrime – such as phishing schemes and social engineering that targets computer networks or devices – is a complicated area for insureds. They expect that if a claim involves a computer and/or money and they have both a Cyber policy and a Crime policy, they should be covered. Unfortunately, oftentimes this isn’t the case. First of all, not all Cyber and Crime policies are created equal. Some Crime policies specifically state that social engineering exposures and cyber theft is included while others may not. It’s important to design a Crime policy that covers certain cybercrime exposures and complements what is covered under Cyber Liability.
In addition, each policy may include condition precedents that determine if coverage will respond. For example, for a social engineering loss to be covered, a policy may require an insured to have implemented dual authentication or out-of-band authentication. If the insured did not implement these measures and they were duped into wiring money or sending confidential data to a bad actor, they may find their coverage will not kick in for the loss.
2. Beware of Cyber coverage added in policies such as the CGL, BOP, and Professional Liability.
Cyber Liability insurance may be an added “throw-in” as part of a Commercial General Liability (CGL), Business Owners Policy (BOP) or Professional Liability policy, but in most cases the insured will not have the breadth and extent of coverage they need and that is provided by a stand-alone Cyber policy. These policies may include low limits or sub-limits for Cyber losses, which will leave a client underinsured in the event of a breach or network security lapse. The policy may have aggregate limits shared among the various coverage grants, leaving the insured exposed in the event of a significant cyber loss. For example, if there are shared limits for E&O and D&O exposures under a Professional Liability policy and then Media Liability is added, while the frequency of this type of risk is not high, the severity can be high. The insured would have a substantial out-of-pocket exposure.
Exclusions are another area of concern when Cyber coverage is added to the CGL, BOP or Professional Liability policy. The insured may have limited coverage for first-party losses and a lack of additional services, such as breach response or Business Interruption, which are critical after a network related event.
3. Business Interruption triggers in Cyber Liability insurance have expanded greatly in some policy forms.
You need to know what to look for, when it is important, and for which industry verticals.
Any strong Cyber policy today will include Business Interruption coverage to pick up the BI exclusion on a Property policy for a network security event. Most Cyber policies will respond in the event there is a security breach and the network is down for a period of time, causing the insured to lose revenue. This has been expanded more recently to also include BI coverage as a result of an insured’s system failure or network disruption, which is a much broader trigger and can cover anything from an employee error to IT implementing software upgrades which causes a network to go down for an extended period of time. In addition, there are policies that will provide a sublimit for coverage if an insured suffers a business interruption loss because of a third party’s system failure. This can be an IT vendor such as a data hosting company or Internet Service Provider, or, a company in the insured’s supply chain. This “supply chain” system failure coverage will generally be more difficult to obtain as underwriter see these exposures as ones they are not able to underwrite. As a result, if coverage can be found, it will generally be at low sublimits or the carrier may require a listing of such vendors on the policy.
The type and extent of BI coverage in a Cyber policy becomes extremely important depending on the type of business you’re insuring. For example, a manufacturer would be greatly impacted if a supplier’s system failed, upending the manufacturer’s ability to do his job.
4. Pre-breach resources are great, but insureds often get what they pay for.
There is a big push to prevent claims with pre-breach resources, including the availability of complimentary on-line portals and training. This is great and may help sell a Cyber product but how engaged are insureds in using these services? It’s important not to sell solely based on what an insured can get for free.
The take-up rate for these services has been traditionally fairly low, particularly in the small to mid-size market. While we want to offer insureds the resources to prevent claims and improve their risk profile, it’s important that we are providing the right fit in terms of coverage; add-on risk management services shouldn’t be at the expense of the policy language itself and the insurance agreements provided. If there is no buy-in from the clients, the services should not be used as a differentiator at the expense of the coverage provided. On the flip side, when the insured buys into the process and cyber training is linked to their overall risk management program and accountability can be achieved, then these services are effective. They become part of the corporate culture.
5. Understand risk management procedures with the greatest impact for averting cyber/privacy loss.
Cyber threats today rank among the top concerns for businesses, with cyber claims among the largest losses companies experience. It’s important, therefore, for agents and brokers to familiarize themselves with the terms and risk management procedures involved to help prevent these types of losses. This includes implementing multi-factor authentication for remote access to avert business email compromise; putting in place checks and balances for any wire transfers, invoicing, etc. to minimize social engineering exposures; having segregated, regular backups of all critical data to manage ransomware risks; and providing ongoing, company-wide employee training so that everyone understands the extent and impact of cyber threats today.
Collaborate with RPS
There are a number of Cyber insurance solutions for diverse industries, including healthcare, non-profits, schools, public entities, professional services, retail and hospitality. Collaborating with RPS gives you access to the wide range of coverage, but also experts who specialize in handling cyber risk all day. For clients with less than $100 million in revenue, you can get a quote for Cyber in about 60 seconds on the RPS e-Commerce platform by completing a short and simple 4-question application. For larger businesses, please contact your RPS Executive Lines professional.
Don't let this major opportunity pass you by
We’ve talked over and over about the incentives of adding commercial business to your book – higher retention rates, higher referral rates, and increased commissions. But commercial business is more time-consuming to learn and can often be difficult to place, many agents just didn’t find it worth the investment. However, the Commercial growth we’ve seen proves that many agencies are moving this direction, and positioning themselves as leaders in the community when it comes to providing for the needs of consumers. Are you one of them? Check out the 2019 Issue 3 of Smart Choice Magazine for more.