Seven common objections to stand-alone cyber insurance policies


It's no secret cyber insurance adoption rates were meager during its first two decades as a defined product category. Insurers and policyholders alike wrestled with the potential usefulness and perceived benefits. In the past few years, however, adoption has accelerated into hyperdrive as proliferating incidents of cybercrime, data breaches, scams and technology vulnerabilities have highlighted the value of cyber policies.

At the same time, misperceptions about cyber insurance remain. As cyber policies grow in volume and variety, both stubborn and emerging marketplace myths make it difficult for insurers to optimize their cyber programs. Beyond the problems this creates for carriers and their stakeholders, suboptimal cyber programs can leave millions of policyholders vulnerable to the financial consequences of social engineering, cyberattacks, human error and device failure.

What follows is a collection of objections policyholders often share with their insurance teams, as well as concepts for combatting them.

"I'm already covered for this by another policy."

It's not unusual for policyholders to believe their insurers will consider digital theft losses the same as physical theft losses. However, digital intrusion is typically considered a unique circumstance, and therefore, excluded from coverage.

To combat this myth… insurers can simplify policy language, avoiding jargon that can be confusing to policyholders. They may also choose to develop and disseminate content, such as side-by-side comparisons that clearly differentiate between physical and cyber theft coverage. Policy review is an ideal time to present this information — with brokers or agents proactively discussing the latest cyber and identity theft risks with policyholders.

"My bank has my back."

Especially for victimized businesses, bank reimbursements for incidents of fraud, scams and social engineering are not always granted. Unless the loss is clearly covered by the Electronic Fund Transfer Act (EFTA), banks may not reimburse the customer. This happens frequently in cases of fraudulent wire transfers because the EFTA contains an exemption for wire transfers made by banks.

To combat this myth… insurers can partner with banks and other financial institutions to bundle traditional personal and business finance solutions with cyber insurance policies. As the threat environment grows more complex and stakes of loss higher, risk management packages may have particular resonance with business accounts and high-net-worth clients.

"My assets are too small to be on a criminal's radar."

Small businesses and middle- or low-income families often believe fraudsters only target victims with a lot of money, lucrative trade secrets or large caches of data. Cyber criminals, however, are known to follow the path of least resistance. Especially with the help of AI and automation techniques, numerous attacks against multiple small, unprotected victims can take less time and yield more booty than a months-long hack into a locked-down enterprise. This is likely why cybercriminals have zeroed in on vendors, causing third-party breaches to surpass primary breaches for the first time in 2023.

To combat this myth… insurers can work with subject matter experts in cybersecurity and identity theft to understand attack trends. By identifying individuals and businesses that attract the most unwanted attention from hackers, fraudsters and scammers, insurers can fine-tune cross-sell and upsell strategies to prioritize those policyholders at greatest risk of attack.

"I would never fall for a social engineering scheme."

Human error is a leading cause of cybercrime losses. Knowledge gaps and overconfidence in one's ability to spot a scam are common, especially today as AI tools amp up the sophistication of social engineering-based scams. According to TransUnion's H2 2024 Omnichannel Fraud report, about half (49%) of all consumers said they were targeted by fraudulent email, online, phone call or text messaging scams in the last three months. As for businesses, nearly a third (31%) cited scam/authorized fraud as the most prominent cause of reported fraud losses.

To combat this myth… insurers can integrate awareness content into the policyholder journey, sharing real-life, anonymized stories of highly educated and respected individuals victimized by advanced attacks. To reiterate the value of cyber policies, the content could quantify losses and reimbursements experienced by victimized companies and individuals.

"The software company will make it right."

Software users often trust software providers to help them in the wake of an outage or other disruption, such as an intrusion or exploited vulnerability. However, even if the intention is there, software companies can have tens of thousands, sometimes millions, of affected customers. Waiting in a queue for help with lost or corrupted files could take weeks, if not longer.

To combat this myth… insurers can promote lesser-known benefits of cyber insurance policies like incident response. One-on-one support that helps individual and business clients hit by software outages restore systems, recover files and notify affected parties can be among the most valuable aspects of a cyber policy.

"There are far too many exclusions in cyber policies."

Policyholders who have been surprised by exclusions in the past may be reluctant to renew their policies or consider additional coverage. These customers often have a negative view of the fine print and will resist buying a policy they don't trust to protect them in crisis situations.

To combat this myth… insurers can lean in on policy customization and configurability. Working with policyholders to first understand their cyber risks, educate them on good controls and adjust or select right-fit policies can lead to better protection, increased trust and more tailored coverage that meets the unique needs of each insured. Brokers have an important role to play here, having perhaps a keener idea of whether a customer's unique risk profile warrants identity theft coverage, data breach coverage, business interruption coverage, network coverage — or a combination thereof.

"My money is better spent on cybersecurity."

The flaw in this objection is the assumption that cybersecurity and cyber insurance are either-or options. In reality, they complement one another. Strong cybersecurity measures reduce the likelihood of incidents, while cyber insurance mitigates risks if — or more likely, when — an attack occurs.

To combat this myth… insurers can integrate cyber assessments, security audits and penetration testing into the underwriting process. Not only will this offer the customer steps they can take to lower premiums or expand coverage, but there's also the added benefit of strengthening overall protections against cyber threats. For customers in a rush, providers can set them up with a rider or endorsement that may protect them as they're going through the assessment.

Stay agile — marketplace perceptions likely to shift alongside dynamic risk environment.

Amid a rapidly expanding data breach and identity theft ecosystem, it's critical for insurers to mindfully address the misperceptions that keep individuals and businesses from protecting themselves and their companies from fast-changing threats. It's also important to keep a finger on the pulse of emerging myths and misunderstandings. The complexities of personal data hygiene and cybersecurity for businesses are only likely to accelerate as new technologies and fraud schemes come on the scene, creating more confusion along the way. A culture of agility will be crucial for earning and retaining policyholder trust in a volatile landscape.
