I started in the insurance industry right out of high school, and here I am 52 years later – an agent, risk consultant and overall insurance maven at L. Calvin Jones in Ohio.
The last thing I ever thought I’d do was add “cyber diva” to my list of roles. I fell into cyber insurance after a cold call at a business near Youngstown. The owners told me they’d had a claim denied and didn’t understand why. Listening to their story, I knew enough to realize they had needed cyber coverage, but I didn’t know much more than that.
That’s how I got started, investigating their loss, and after I’d done my due diligence and figured out how cyber coverage worked, my colleagues pegged me as the resident cyber expert.
It’s a good time to be a cyber expert. A recent survey of agencies from Liberty Mutual and Safeco Insurance identified cyber liability as one of the emerging issues most concerning agents – and for good reason. According to Cybersecurity Ventures Global, cybercrime costs are projected to reach $10.5 trillion annually by 2025.
Here are four tips I always offer agents looking to get started with cyber.
Sell with stories
Stories sell cyber. Some are already in the public domain. Others you can draw from your own experience working with clients who’ve experienced fraud. You don’t have to name names, but in my experience, if you ask a client whether you can share what happened to them, they’ll often agree.
We had a case that made the front page of the local papers concerning a plastics company. The owner would spend a week every month at its fabrication plant overseas and communicate with the home office by email. Someone hacked into his company email account, figured out when he would be away and then used his account to defraud the company by impersonating him.
Acting as the owner, the hacker told accounts payable to start wiring money to a new overseas account to pay invoices to non-existent companies in Southeast Asia. The hacker sent a total of six fake invoices over nine days amounting to well over a million dollars, all of which the company paid before realizing something was amiss.
The accounts payable staff never suspected the invoices were from anyone other than the owner, who was completely unaware of what was happening. By the time the company’s accounts were emptied, the only recourse was to sue the IT provider responsible for managing the security of its systems.
Stories like these drive home the necessity of cyber coverage.
Master the application
If you’re new to cyber, you’ll want to acquaint yourself with the questions carriers ask and why they ask them. How your clients answer will affect whether they’re eligible for cyber coverage and, if so, what it will cost. The most common:
- Does your business use multi-factor authentication (MFA)? MFA-protected systems require a second form of authentication in addition to a password to prove a user is who they claim to be – commonly a code texted to a cell phone. This makes it harder, though not impossible, to break into a secured system. Most carriers require that commercial clients have MFA before they’ll provide cyber coverage.
- Do you provide annual cybersecurity training to your staff? This one’s self-explanatory. Carriers want businesses to train employees annually on the methods cybercriminals most often use to gain access to commercial systems and how to prevent them. While not strictly required yet, it will be before long.
- Do you patch your systems within 60 days? Businesses need to track and regularly install patches from software providers like Microsoft to ensure they remain protected from newly discovered vulnerabilities. Most carriers require that policyholders install system patches within 60 days of their release. In some cases, they require patch installations within 45 days of release – or even 30 days.
- Do you back your data up offline and do you encrypt it? While data encryption is not yet required, offline backups are essential, protecting the business in the event that a hacker gets into your system and compromises critical business data. Offline backups are a first-line defense against ransomware attacks.
Explain that cyber policies are warranted
Unlike most products we sell, cyber policies are warranted. That means the answers your client provides on the application must all be true, or the carrier will simply void the policy when they receive a claim – and you can be certain that the first thing the carrier will do when getting a claim is pull up the application and fact check your client’s answers.
I have clients start by filling out the cyber application and not signing it – you don’t need a signature to obtain a quote. When the quote comes back, if the client decides to move forward, I have them go back and reread the application to make sure all the answers are true.
Guesses won’t cut it – with warranted policies, the onus is on the business to understand the questions and answer them accurately. It’s far preferable to pay a little extra because you don’t yet provide annual cybersecurity training than it is to get an expensive claim denied because you unintentionally fudged the facts.
Make sure clients use a quality managed security provider (MSPs)
Unless they have an in-house IT team, most businesses use an MSP to handle things like implementing MFA, installing software patches and managing offline backups. Unfortunately, there are some really bad MSPs out there. Working with an incompetent MSP can leave a business vulnerable not only to cyber-fraud, but to voided contracts and denied claims. So first order of business: always make sure your clients are working with a legit MSP.
When helping a client fill out a cyber application, if they don’t know the answer to a question, that’s usually your opportunity to figure out who, if anyone, manages their system security. High-quality MSPs are more than happy to answer your questions – largely because, as an agent, you’re in a position to recommend them to other small businesses that need an MSP.
____
Cybercrime is rampant and evolving, with 2023 promising to be even more treacherous for small businesses and individuals, so there’s no better time to start evangelizing and selling coverage. Make sure your clients are safeguarding their systems, training their staff and getting coverage to mitigate losses when those safeguards fail.
