Cyber Risk Underwriters

InfoSec Distribution of Cyber Insurance: Has the time come?

Has the time come?

Cyber insurance is distributed by business insurance agents specializing in traditional commercial products such as property, general liability, workers’ compensation and employee benefits. Despite diminishing premiums and dramatically improved coverage forms, cyber insurance take-up rates remain very low for SMB’s (small to mid-sized buyers under $250M annual revenue). Can infosec channels more effectively provide comprehensive cyber cover to this highly vulnerable market?

“The only thing missing from managed security services offerings is cost effective financing for isolated and possibly catastrophic client events.”

Wrong buyers and wrong sellers?
Market survey estimates suggest somewhere between 16% and 35% of SMB’s purchase comprehensive cyber coverage. Many obstacles make for a difficult sale. Almost 50% of brokers’ surveyed say not understanding exposures is the biggest obstacle to closing cyber deals. This compares to onerous application process (15%), not understanding coverage (14%) and cost (13%). In our experience, lack of exposure knowledge actually keeps some agents from presenting coverage.

When providing workers’ compensation insurance, agents maintain specialized knowledge and can accurately quantify and communicate key exposures to loss. Insurance agents and brokers are seen as subject matter experts in workers’ compensation, as well as other products comprising a business insurance portfolio. Due to the paucity of loss data and limited technical expertise, this is not the case with cyber insurance. In response, many global and large regional brokerages employ talented, often credentialed cyber experts. This is not true with middle market agents who often rely on spotty cyber endorsements added to existing business insurance products.

Travel insurance is a good example to consider. Travel agents are subject matter experts when it comes to travel risk. They can easily explain the risks involved and offer insight based on first hand traveler experiences. Perhaps this is why travel agents distribute some 70% of travel insurance.

InfoSec involvement in procurement can improve underwriting and coverage outcomes
Unlike insurance agents, security experts can explain the exposures to buyers and clearly understand cost components involved in responding to a breach event. In many cases, it is easier to educate a security professional about how insurance responds to a cyber event than to teach an insurance agent to understand and explain cyber risks.

Sample Cyber Claim Denials
$275k: Reporting Delay $475k: Use of Unapproved Vendors $4.1M: Application Misstatements
$2.0M: PCI-DSS Contract Exclusion

Leaving infosec subject matter experts out of the procurement process often leads to coverage disputes and unacceptable claim recoveries. The likelihood such outcomes is minimized when infosec professionals are involved in the process and properly on-boarded.

In addition to understanding exposures, security vendors already possess data needed for the application process. As such, CFO’s and other corporate officers may no longer need to endure the task of completing onerous applications

“Are you nuts? We don’t want to sell insurance”
MSSP’s should not get into the insurance selling business for many reasons. Commercial insurance is one the most heavily regulated industries in the US. Directly selling of commercial insurance and requires appropriately licensed and trained insurance professionals.

A cyber insurance product imbedded into a security service offering is possible and need not be overly complicated. If designed properly, a successful program does not require vendor licensing, additional internal resources or material product “touch” by the vendor. The volume of premium generated by a single InfoSec provider will also reduce premium costs for customers. We note that Apple and Cisco recently teamed up with global insurance providers Aon and Allianz to offer discounted cyber cover to users of their platforms.

“In many cases, it is easier to educate a CISO on how insurance responds to a cyber event than to teach an insurance agent to understand and explain cyber exposure to loss”

Driving Demand
In order for the cyber insurance market to meet robust growth projections, catalysts beyond scare tactics about newsworthy mega-breaches such as Target, Equifax, and Yahoo are needed. Most SMB’s can’t relate such large-scale events to their business. One catalyst is the increasing number of companies requiring business partners purchase cyber coverage. Better education of cyber risk is also driving some level of demand.

For small to middle market organizations, the use of external third party information security support services such as managed security providers is a key strategy to mitigate cyber risks. The only thing missing from most security services is cost effective financing of isolated and possibly catastrophic events.

Some infosec vendors think rounding out services with cyber insurance will differentiate their services in a very crowded market resulting in improved new business and customer retention. If properly designed, incorporating a level of cyber coverage within the security services offering can result in better-educated buyers, painless application process, lower rates, and better coverage outcomes

Deloitte University Press: Demystifying Cyber Insurance Coverage-Clearing Obstacles in a Problematic But Promising Growth Market 2017
PartnerRe & Advisen: Cyber Liability Market Trends Survey October 2016.
Finaccord: Distribution Channels for Travel Insurance and Assistance 2013.
About Cyber Risk Underwriters:
We underwrite and distribute specialty cyber insurance products for InfoSec vendors and retail insurance agents. Our products include cyber warranties, MSSP distributed cyber insurance, as well as stand alone cyber and technology errors & omissions insurance.
Contact: Jeffrey Smith
Managing Partner
Cyber Risk Underwriters