Cyber Insurance as a Revenue Driver
by Greg Shields
Considered by most companies to be a cost without a budget, cyber insurance might soon be a revenue driver.
The existence of privacy/data/security/technology (aka “cyber”) risks and cyber insurance products should not be a surprise to most CSPE members, as the focus of privacy and data protection regulation has been squarely on the health care industry for more than 10 years. Although knowing that risks exist and that insurance is available does not make for educated decisions on risk valuation and risk transfer, there may soon be a greater incentive to hone your skills on both these issues.
It is common for property managers to request evidence of property insurance and general liability coverage before allowing you to occupy your premises. Now, insurance companies are starting to request evidence of cyber risk insurance from third-party service providers who are interested in being an approved vendor.
For many private, for-profit companies in the medical field, insurance companies are a very important source of revenue. At this point the insurance request is not being made of all vendors or by all insurance companies, but not knowing if you can get this coverage or what it is going to cost might be the difference between beating the competition on a bid and losing a sale. Or it might mean a considerably lower margin on your new business because you did not budget for the insurance you are now scrambling to buy and paying too much for.
Anti-insurance pundits suggest that insurance is often used as a replacement for sound security protocols and other loss-control tools. This is not a reasonable argument. Most potential buyers are not embracing cyber insurance coverage because the insurance application and underwriting process forces them to identify and admit to vulnerabilities and previous security breaches. The major hurdle is that business managers will be forced to talk to their IT people, and that means potential embarrassment when they do not understand what the IT people are explaining. But even when managers do understand “tech-talk,” they may be strongly reminded that security weaknesses are due directly to lack of financial support and apathy of management.
When it comes to security, the IT people should be embraced, not ignored. The priority for information security will be imposed on everyone soon; the early adopters have an opportunity to use it to win new clients.
There are definite pitfalls to cyber risk insurance. First, there is no rhyme or reason to the title, structure, wording or coverage in these policies. Many insurance buyers mistakenly believe that the government or some super regulator is reviewing such policies to make sure that coverage is adequate, the insurance company is sound and pricing is fair and consistent. I hate to break it to you, but that is NOT THE CASE. Except for auto insurance, there is no government or super regulator involved. And, if you are expecting one of your industry-based associations to be looking out for you, be very careful. An association-sponsored insurance program just might be determined by the insurance broker or company that is willing to buy the biggest ad in the association’s newsletter.
Second, exclusions can be hidden in many places other than the exclusions section of the policy. Inconsistency between answers on the application for insurance and the reality of the actual process can result in denial of a loss. And the discrepancy might not be discovered until after a loss, months or years later — possibly in a department or activity that did not exist when the application was completed. Exclusions may also arise in the definitions. For example, loss may not include future profits, disgorgement of profits, return of fees, cost to comply with injunctive relief, etc. Or a key activity of your business might not be included in the insurance agreements.
With cyber insurance products still in their infancy, buyers can benefit from competitive pricing and terms that have not yet been influenced by industry loss trends. The losses are there, but most are not yet insured, and no single insurer has enough data to estimate appropriate costs or exclusions. Cyber insurance buyers also have the opportunity to use the resources of the broker and insurance company to help identify risk and control losses, even if they never actually purchase the insurance product.
We all know the ostrich approach to risk management is not effective. By investing some time in finding out about cyber risk and cyber insurance, getting educated and making decisions, you can create a competitive advantage and win new business.
Greg Shields is a partner with Mitchell Sandham Insurance Brokers, an independent company providing commercial, private client and financial services insurance. He specializes in casualty products that address directors’ and officers’ risk, crime, fiduciary liability, professional errors and omissions and cyber/media risk. He provides insurance negotiation and risk consulting services, coverage and claims advice to small and medium-sized enterprises, multinationals and nongovernmental organizations. He can be contacted at 416 862-5626 or email@example.com or follow his blog.