- 1,061
I picked up a fascinating new book, and by fascinating I mean it revolves around cyber law, cyber security and cyber insurance. A real page turner, like Harry Potter or Lord of the Rings. Just kidding, we all know that as soon as law, cyber or insurance subjects come up, 90% of the populace would rather be doing anything else than reading or hearing about it. Regardless, this is important, and in my opinion, cyber is growing into an exponential problem, that a majority of our industry isn't interested in addressing. The book is called Damage Control, but I'll get back to that in a minute.
We can kick the can down the road for now, but in a few years many businesses will have more cyber assets than physical assets. It's easy to picture your building burning down, or one of your employees getting into a car wreck. Any savvy business owner is keen to try and shield themselves from these exposures. But a ransomware, phishing or other cyber attack? That never happens to anyone, right? The business owner figures, "my software vendors will take care of the business if that happened, right?" Unfortunately, not so right, and we as insurance agents aren't helping the problem either. Speaking to peers in the industry, we don't really know what exposures we're insuring against when we sell a cyber policy.
I was talking to one of my friends who has been a commercial P&C agent for over half a decade. He sold a company a cyber liability policy with a $1,000,000 limit. Some time later, the company realized their payroll system had been hacked and the thieves siphoned $300,000 for themselves. My buddy thought, "Thank god I put that cyber policy in place, time to make a claim". He files the claim and the carrier comes back saying "Sorry, but this policy doesn't cover cyber crime." After some panicking and talks with his agency management, they went back to the cyber carrier and claimed their ignorance to how the policy actually worked and said they sold it to the client with the assumption it would cover this event. This was 2019, so the market was softer and the carrier caved and paid the claim because of their good relationship with the agency with the contingency of not doing this again in the future. Do you think my buddy is excited to sell more cyber policies?
The book Damage Control, points out some interesting things
Cybercriminals can penetrate 93 percent of company networks
Despite all of this alarming information, even if agents were interested in helping their clients by putting untold time and effort into learning the cyber policies and trying to help their clients by setting up the policy, there are multiple downsides for the agent
All of that being said. What are your thoughts and experiences with cyber insurance for businesses? I personally think we're in for a bumpy ride going forward, and monumental challenges that we're not ready to face.
We can kick the can down the road for now, but in a few years many businesses will have more cyber assets than physical assets. It's easy to picture your building burning down, or one of your employees getting into a car wreck. Any savvy business owner is keen to try and shield themselves from these exposures. But a ransomware, phishing or other cyber attack? That never happens to anyone, right? The business owner figures, "my software vendors will take care of the business if that happened, right?" Unfortunately, not so right, and we as insurance agents aren't helping the problem either. Speaking to peers in the industry, we don't really know what exposures we're insuring against when we sell a cyber policy.
I was talking to one of my friends who has been a commercial P&C agent for over half a decade. He sold a company a cyber liability policy with a $1,000,000 limit. Some time later, the company realized their payroll system had been hacked and the thieves siphoned $300,000 for themselves. My buddy thought, "Thank god I put that cyber policy in place, time to make a claim". He files the claim and the carrier comes back saying "Sorry, but this policy doesn't cover cyber crime." After some panicking and talks with his agency management, they went back to the cyber carrier and claimed their ignorance to how the policy actually worked and said they sold it to the client with the assumption it would cover this event. This was 2019, so the market was softer and the carrier caved and paid the claim because of their good relationship with the agency with the contingency of not doing this again in the future. Do you think my buddy is excited to sell more cyber policies?
The book Damage Control, points out some interesting things
- The average insurance agent is 59 years old, and most agents that age are not looking to learn a new, complex line of insurance in the twilight years of their career
- Griffith Insurance Education Foundation and The Institutes conducted a survey that found younger employees find cyber insurance boring. It is concluded that young agents with requisite technical knowledge are unlikely to be available.
- Many businesses assume that if they get compromised by a ransomware event, they can restore their systems to the latest backups and go about their day, leaving others none the wiser. Many of these businesses don't realize they've been caught in an "attack loop", a type of ransomware that attacks a system and remains dormant to contaminate the backups for an average of 200 days prior to instigating their attack. This makes the backups effectively useless.
- Cybercriminals can penetrate 93% of company networks
- In 2021, the average number of cyberattacks and data breaches increased by 15.1% from the previous year.
- Cybercrime cost U.S. businesses more than $6.9 billion in 2021
- $43 billion stolen through Business Email Compromise since 2016, reports FBI
- Small Businesses Are the Target of 43% of All Data Breaches
- 60% of Small Businesses Go Out of Business Within 6 Months After a Cyberattack
- 51% of Small Business Owners Pay the Money When Hit with Ransomware
- 47% of Small Businesses with Fewer Than 50 Employees Have No Cybersecurity Budget
- 56% of Small Business Owners Aren't Worried About Being Hacked in the Next 12 Months
- Nearly 60% of Small Business Owners Are Confident They Can Resolve a Cybersecurity Attack
- 42% of Small Business Owners Have No Cyberattack Response Plan
- Just 22% of Small Businesses Encrypt Their Data
Cybercriminals can penetrate 93 percent of company networks
Despite all of this alarming information, even if agents were interested in helping their clients by putting untold time and effort into learning the cyber policies and trying to help their clients by setting up the policy, there are multiple downsides for the agent
- Cyber premiums are usually a miniscule portion of a companies insurance package. P.F. Chang's, a multi-billion-dollar-per-year business with significant exposure across untold numbers of computers and terminals, their cyber insurance policy premium was approximately $134,000 as of 2020. (According to Damage Control). There's only so many multi billion dollar businesses around, and at the end of the day, insurance agents need to make money to stay in business.
- Most business owners are resistant to Cyber policies as they either don't understand them, or they don't think they need them. They consider the risk versus expense and forego coverage, even if it's at their detriment.
- The cyber insurance is complex, and in a constant state of evolving and changing. Unless an agent were to specialize, it would be nearly impossible to stay on top of these changes.
All of that being said. What are your thoughts and experiences with cyber insurance for businesses? I personally think we're in for a bumpy ride going forward, and monumental challenges that we're not ready to face.
