InfoSec Distribution of Cyber Insurance: Has the time come?

By | Cyber Risk Underwriters Information | No Comments

Has the time come?

Cyber insurance is distributed by business insurance agents specializing in traditional commercial products such as property, general liability, workers’ compensation and employee benefits.  Despite diminishing premiums and dramatically improved coverage forms, cyber insurance take-up rates remain very low for SMB’s (small to mid-sized buyers under $250M annual revenue).  Can infosec channels more effectively provide comprehensive cyber cover to this highly vulnerable market?


“The only thing missing from managed security services offerings is cost effective financing for isolated and possibly catastrophic client events.”

Wrong buyers and wrong sellers?

Market survey estimates suggest somewhere between 16% and 35% of SMB’s purchase comprehensive cyber coverage. Many obstacles make for a difficult sale.  Almost 50% of brokers’ surveyed say not understanding exposures is the biggest obstacle to closing cyber deals.  This compares to onerous application process (15%), not understanding coverage (14%) and cost (13%).  In our experience, lack of exposure knowledge actually keeps some agents from presenting coverage.

When providing workers’ compensation insurance, agents maintain specialized knowledge and can accurately quantify and communicate key exposures to loss. Insurance agents and brokers are seen as subject matter experts in workers’ compensation, as well as other products comprising a business insurance portfolio. Due to the paucity of loss data and limited technical expertise, this is not the case with cyber insurance.  In response, many global and large regional brokerages employ talented, often credentialed cyber experts.  This is not true with middle market agents who often rely on spotty cyber endorsements added to existing business insurance products.

Travel insurance is a good example to consider.   Travel agents are subject matter experts when it comes to travel risk.  They can easily explain the risks involved and offer insight based on first hand traveler experiences.  Perhaps this is why travel agents distribute some 70% of travel insurance.


InfoSec involvement in procurement can improve underwriting and coverage outcomes

Unlike insurance agents, security experts can explain the exposures to buyers and clearly understand cost components involved in responding to a breach event. In many cases, it is easier to educate a security professional about how insurance responds to a cyber event than to teach an insurance agent to understand and explain cyber risks.

Sample Cyber Claim Denials

  • $275k: Reporting Delay
  • $475k: Use of Unapproved Vendors
  • $4.1M: Application Misstatements
  • $2.0M: PCI-DSS Contract Exclusion

Leaving infosec subject matter experts out of the procurement process often leads to coverage disputes and unacceptable claim recoveries. The likelihood such outcomes is minimized when infosec professionals are involved in the process and properly on-boarded.

In addition to understanding exposures, security vendors already possess data needed for the application process.  As such, CFO’s and other corporate officers may no longer need to endure the task of completing onerous applications

“Are you nuts? We don’t want to sell insurance”

MSSP’s should not get into the insurance selling business for many reasons.  Commercial insurance is one the most heavily regulated industries in the US.  Directly selling of commercial insurance and requires appropriately licensed and trained insurance professionals.

A cyber insurance product imbedded into a security service offering is possible and need not be overly complicated.  If designed properly, a successful program does not require vendor licensing, additional internal resources or material product “touch” by the vendor.  The volume of premium generated by a single InfoSec provider will also reduce premium costs for customers.  We note that Apple and Cisco recently teamed up with global insurance providers Aon and Allianz to offer discounted cyber cover to users of their platforms.

“In many cases, it is easier to educate a CISO on how insurance responds to a cyber event than to teach an insurance agent to understand and explain cyber exposure to loss”

Driving Demand

In order for the cyber insurance market to meet robust growth projections, catalysts beyond scare tactics about newsworthy mega-breaches such as Target, Equifax, and Yahoo are needed.  Most SMB’s can’t relate such large-scale events to their business.  One catalyst is the increasing number of companies requiring business partners purchase cyber coverage.  Better education of cyber risk is also driving some level of demand.

For small to middle market organizations, the use of external third party information security support services such as managed security providers is a key strategy to mitigate cyber risks.  The only thing missing from most security services is cost effective financing of isolated and possibly catastrophic events.

Some infosec vendors think rounding out services with cyber insurance will differentiate their services in a very crowded market resulting in improved new business and customer retention. If properly designed, incorporating a level of cyber coverage within the security services offering can result in better-educated buyers, painless application process, lower rates, and better coverage outcomes



  • Deloitte University Press: Demystifying Cyber Insurance Coverage-Clearing Obstacles in a Problematic But Promising Growth Market 2017
  • PartnerRe & Advisen: Cyber Liability Market Trends Survey October 2016.
  • Finaccord: Distribution Channels for Travel Insurance and Assistance 2013.

About Cyber Risk Underwriters:

We underwrite and distribute specialty cyber insurance products for InfoSec vendors and retail insurance agents.  Our products include cyber warranties, MSSP distributed cyber insurance, as well as stand alone cyber and technology errors & omissions insurance.


Contact:  Jeffrey Smith
Managing Partner
Cyber Risk Underwriters

Why Mid-Market Healthcare Providers Need Stand-Alone Cyber Cover

By | Uncategorized | No Comments

Cyber Insurance: Mid-Market Healthcare Providers: Endpoints, Medjacking, Security Budgets & HIPAA

An attack surface is the sum of all the endpoints of entry that an attacker can breach your environment. In a healthcare setting, endpoints go well beyond workstations, laptops, PDA’s and cell phones to include digital medical devices and software. “Medjacking” is the hijacking of biomedical devices that create backdoors to hospital networks. Malware has been found on imaging equipment and blood gas analyzers, as well as in software that manages surgery and treatment schedules, power systems, and the administration of medicine. Reimbursement uncertainty leads to tight budgets for information security. This means a custom designed cyber insurance policy is a necessity to minimize financial and reputational costs of isolated cyber events.

Many small to medium providers don’t view HIPAA fines & penalties as a significant threat due to the limited number of patient records maintained. A review of HIPPA settlements for 2016 confirms that even breaches involving less than 50,000 records can result in catastrophic financial loss. For example, Raleigh Orthopedic Clinic, P.A. of North Carolina incurred a breach of 17,300 records erroneously released to a business associate. The HIPAA settlement was $750,000. The settlement is just one component of breach costs.   The cost of the corrective action plan, computer forensics, breach event costs, loss of revenue and other expenses that accompany a cyber breach event involving medical records likely tipped this claim over $1,000,000. The annual premium for a 20-physician practice is around $5,000 for $1,000,000 in coverage.

The latest firewall or anti-malware products will not prevent employee errors or a determined attacker. Too many small to medium sized providers rely on “short” cyber insurance limits included in a medical malpractice policy. These limits can range from $25,000 to $100,000. As indicated above, such limits are not remotely adequate to protect providers from isolated catastrophic cyber breaches that need only affect a small number of patients. A well-crafted, stand-alone cyber insurance policy is a low cost solution to a potentially devastating financial risk.

Stand-Alone Cyber for Mid-Market Healthcare Providers


Trouble Closing Cyber Insurance Deals?

By | Cyber Insurance News, Cyber Risk Underwriters Information | No Comments

Trouble Closing Cyber Insurance Deals?

The cyber security industry is broken. The industry sells over $80 billion of anti-viruss, firewalls, penetration tests, threat detection, consulting services and other products yet clients still get hacked[1].  Vendors aggressively sell security products based on hype as opposed to product efficacy.

Ask your client if the security products they purchase come with a return policy or warranty. Less than 3% of cyber security vendors provide warranties help a client financially recover from a failure of product performance.  In other words, if a security product fails and results in financial damage, your clients sole recourse is costly legal action.  More reason that a cyber insurance policy is a critical part of any business’ insurance portfolio and a great value given current market conditions. In fact, for most risks, cyber insurance premiums are less than 5% of total IT security spend.

As an example, a $200M manufacturer’s IT budget includes $500,000 for cyber security.  A well-crafted cyber policy cost around $10,000 for a $1,000,000 limit.  A relatively small price to pay for proven breach resources and loss cost financing.

Cyber Risk Underwriters is 100% focused on emerging risk insurance solutions.  We distribute products to retail insurance agents, CISO’s/CIO’s and via cyber security consultants, Managed Security Service Providers (MSSP’s) and Value-Added Resellers (VAR’s). Have any questions? Feel free to contact us here or call us at 866-292-3092 today!


Hey Retail Agents! Does your cyber insurance connection offer a de facto super ninja on all things cyber?

By | Cyber Insurance News, Uncategorized | No Comments

Unlike other cyber MGA’s and wholesalers, we don’t look to old insurance guys for strategic direction.  We got industry leading ethical hackers to help you close deals.

Check out our Jeremiah Grossman discussing extortion, cyber insurance, and cyber security guarantees…and in terms your clients can understand.




RAND on Cyber Insurance Pricing…”in some cases the carrier would appear to guess..”

By | Cyber Insurance News, Cyber Risk Underwriters Information | No Comments

So we just finished reading a very deep dive by Rand called “Content Analysis of Cyber Insurance Policies:  How do carriers write policies and price cyber risk?”  The depth of the analysis is significant including discussion of pricing “boxes”, increased limits factors, and security factor weighting.  When all was said and done, our favorite excerpts include:

  • “Only in a few cases were carriers confident in their own experience to develop pricing models”
  • “We are not using claims counts as the basis for credibility because we have not experienced any claims over the past three years..”
  • “Further, it is not unforeseen for carriers to examine their competitors in order to define rates
  • ..”in some cases, the carrier would appear to guess..”

Guess we don’t know what we don’t know eh?  It’s a “last look market”…damn the sexy marketing slicks!

Negligent employees are no. 1 cause of cybersecurity breaches at small to middle market enterprises.

By | Cyber Insurance News | No Comments

Careless workers and poor passwords have led to a rise in ransomware attacks and other breaches on SMBs, which cost an average of $1 million.

Negligent employees are the no. 1 cause of data breaches at small and medium-sized businesses (SMBs) across North America and the UK, according to a new study from Keeper Security and the Ponemon Institute, released Tuesday. Of the 1,000 IT professionals surveyed, 54% said careless workers were the root cause of cybersecurity incidents, followed by poor company password policies.

This is especially concerning due to the rise in ransomware attacks: More than 50% of SMBs surveyed had experienced such an attack in the past year, which often enters an organization via a phishing email aimed at tricking an employee into clicking a malicious link or download. Indeed, in the survey, 79% of those hit said the ransomware entered their system through a phishing or social engineering attack. Further, of those who experienced an attack, 53% were hit more than once in the year.e

Check it out at:



Equifax: Protect Yourself!

By | Cyber Insurance News | No Comments

From the experts…

  • Use credit monitoring service such as LifeLock:  They won’t prevent identity theft put can help you recover.
  • Place a freeze on your credit files:  Security freeze laws vary by state, but they usually cost between $0 and $15 to instate. To adequately protect yourself, you must place a security freeze on your credit file with each of the three main credit bureaus (TransUnion, Equifax, and Experian) as well as Innovis, a credit reporting agency.
  • Periodically order a copy of your credit report: A security freeze doesn’t prevent everyone from viewing your credit file. For that reason, it’s a good idea to periodically order a copy of your credit report so that you can review it for unauthorized charges.
  • Create a security alert or security freeze for your consumer file:  Services such as ChexSystems provides a bank with a consumer report whenever someone attempts to create a new savings or checking account in your name.
  • Opt out of new credit report and insurance offers:  Some attackers try to intercept new credit or insurance offers in the mail so that they can open new lines of credit in your name. Fortunately, you can opt out of these free offers by visiting

How to protect yourself in the wake of the Equifax data breach




Security Guru Adrian Sanabria on Equifax Breach: “Should We Be Surprised?”

By | Cyber Insurance News | No Comments

Just the facts

Equifax announced yesterday, September 7, 2017, that it experienced a cybersecurity incident. Equifax is one of the “big three” US credit bureaus, along with Experian and TransUnion. They lost data belonging to 143 million Americans, which sounds like a lot, because it is. That’s 57% of the adult US population. Additionally, the company says payment information for 209,000 individuals was also lost, along with dispute documents belonging to an additional 182,000.

Savage Thoughts

As the title implies, I don’t think anyone was terribly surprised by this. We’re numb to the announcement of a breach has at this point. In most cases, we’re powerless to do anything about it. It’s been shown that breaches have little to no long-term financial impact on the organizations that experience them. We’re resigned to the fact that companies will continue make security a secondary priority, will continue to get hacked and will continue getting away with no serious consequences.

If you think about it, by offering its own products as a solution to the incident, this whole thing is one giant lead-generation campaign for Equifax. Yeah, it’s a big loss leader, but it’s still a loss leader on 143 million leads.

Do you know what your clients spend on cybersecurity?

By | Cyber Insurance News | No Comments

As indicated by the graph, cyber security is a growing concern yet cyber insurance is not perceived as a key part of the enterprise cyber risk management strategy.  No wonder the sales cycle to close a cyber insurance deal is over 12 months!

Know your client’s and prospect’s total investment in cybersecurity tools.  What products do they use?  Do vendors stand behind these products with security guarantee?  Is the cybersecurity function internal CISO’s (Chief Information Security Officer) or outsourced to Managed Security Providers (MSP’s)?  Do they have affordable contingent capital available to cover the costs of a breach response plan?


Because 99% Secure is Still 100% Vulnerable

By | Cyber Risk Underwriters Information | No Comments

Because 99% Secure is Still 100% Vulnerable

Cyber Risk Underwriters is a cyber insurance underwriter and wholesaler that works with retail agents, CISO’s and cyber security vendors alike to utilize excess cyber insurance capacity to address opportunities in a variety of distribution channels.  We combine highly successful P&C producers and globally recognized “ethical” hackers to offer our channel partners best-in-class products and sales support. Our Advisory Board consists of over 50 years of experience in the cyber insurance industry with notable names such as Jeremiah Grossman, Robert Hansen, John J. Soughan, and Evan Francen. Founder and Managing Partner, Jeffrey Smith and his team are  building a business model to educate clients about the catastrophic nature of cyber security risks, generate alternative distribution channels for cyber insurance products, and create a brand reputation evolving around exposure analytics and custom program design.

Cyber Risk Underwriters provide cyber insurance solutions to retail insurance agents, information security providers, and CISO’s.  Our razor sharp focus allows us to provide broking results for complex products with speed, simplicity and great attention to the finer points of coverage design and pricing. These products are more complicated than other P&C policies and evolving at a rapid pace. Cyber Security InsuranceTechnology E&OCyber Security Guarantees/Warranties, and other products require specialized brokers to craft the appropriate coverage.

Some of the benefits of partnering with Cyber Risk Underwriters are the following:

  • Producer Phone App Sales Tool

  • Branded Proposal Templates (Including Opt-Out)

  • Effective Monthly Marketing Collateral for Producers

  • Unsurpassed Technical Security Expertise

  • Proven Claims Management and Panel Providers

  • No Policy Aggregate Programs

  • Real Time Quotes For Most Risks

  • 24-48 Hour Turnaround Quotes up to $500M Client Revenue

  • Binding Quotes: Single Page Application

  • Book Quotes Based on Client Revenue

  • Lloyds A+ Security

  • Superior Offering to Admitted Products

  • Book of Business Commission Bonus

We assist our partner agents & brokers to understand and evaluate unique cyber risk profiles of their clients and provide expertly designed coverage programs from a select array of leading technology underwriters. The need for cyber coverage is increasing as the world becomes more digital and technology continues to advance. Partially protected systems won’t cut it, because 99% secure is still 100% vulnerable. Contact Cyber Risk Underwriters for your tailored cyber solutions today!