3 cyber insurance questions for brokers

An employee at his desk at S2W Inc., a South Korean cybersecurity company, in Pangyo Techno Valley, Seoul, South Korea, on Wednesday, Aug. 17, 2022. The majority of S2W workers have expertise in North Korea, and they work with international law enforcement to thwart North Korean hacking attempts. The company also has private-sector clients in e-commerce, automotive, semiconductors, and biotech. Photographer: Woohae Cho/Bloomberg

Brokers are trusted advisors. They help clients navigate the combined and often complicated space of insurance to ultimately transfer business risk in a responsible and effective manner. Given the current cybersecurity landscape of our increasingly digital and interconnected world, it has never been more important for brokers to go the extra mile to truly understand their clients' cyber insurance needs. 

The internet has never had so many devices and systems connected to it, and businesses are no exception. This widespread, internationally networked environment naturally causes an increase in organizational complexity and risk. According to IBM, for the 12th year in a row, the United States had the highest cost of a data breach: $9.44 million on average per breach. That is $5.09 million more than the global average. Of note, the same IBM research showed stolen or compromised credentials were the most costly, and ransomware attacks grew more destructive, with 41% more attacks in the last year.

With those stats in mind, it feels a lot like every organization under the sun would benefit from cyber insurance. From a risk management perspective, a standalone cyber policy is now a must-have for more and more small businesses, and even large enterprises. 

From one passionate cyber risk professional to another, I see three key questions brokers could ask themselves related to cyber insurance due diligence that will go a long way to signing clients and creating lasting value and impact.

1. How much cyber insurance does the client need?

Once it is determined whether a client needs cyber insurance, the next step is to determine exactly how much cybersecurity exposure the client is facing. Brokers can help clients understand the financial impact of an unmitigated cyber risk. While it is true that ransomware is often in the news with flashing red fonts and scary statistics, the actual ransom payment (if paid at all) may not be the thing a client needs to focus on, especially for smaller businesses that may have lower payment demands than larger organizations.

Instead, business interruptions and incident response costs tend to be more financially detrimental than the actual payment. Accounting for this is critical, and many brokers have their own actuarial models or can leverage research-backed tools in the market to assess a company's actual (not just perceived) cyber risk. This assessment is critical to establish an appropriate policy.

2. Is the client 'cyber healthy' enough to get the right coverage at a competitive premium?

How secure is the client today? This is a tricky and complicated conversation for a broker. Customers in poor cyber health often don't know, or don't want others to know, the state of their cybersecurity program. Customers in good cyber health might get frustrated if the broker doesn't appreciate or understand their posture.

The best way to deal with this situation is to use data. Data-driven cyber risk quantification methods remove the emotions from the picture, and their aim is not to penalize, but to help the customer become more secure. By embedding tools that help evaluate cybersecurity risk posture based on data, the client and broker can gain much-needed visibility that is easy to communicate.

All insurance policies start as a blank contract, and it's up to the broker to guide their customers in crafting a strong narrative and communicating an effective, data-backed position to cyber insurance underwriters.

3. If improvements are necessary, can the broker help the client become 'cyber healthy'?

Yes, brokers certainly can. Through an unbiased view of a client's cybersecurity program, those companies can gain a set of actionable recommendations that will tangibly improve their posture, which improves the likelihood of better coverage and more approachable premiums. When armed with the right tools, brokers can help direct the customer towards resolving any critical security gaps that underwriters will evaluate.

A critical piece of this puzzle to consider early on is engaging Managed Security Service Providers (MSSPs), which play a vital role in helping customers become insurable. Many organizations, especially smaller businesses, don't have the resources or knowledge to build out the kind of robust cybersecurity program needed to address the risks of today's complex digital landscape. 

Exciting conversations about cyber insurance lie ahead in 2023

Brokers are positioned to create a massive and positive impact for their clients. The conversation around whether a company will face a cybersecurity breach has shifted from an 'if' mentality to 'when,' causing businesses of all shapes and sizes to not only secure their assets, but also insure them. 

The cyber insurance market is complicated, and will only become more complex. Brokers can play a central role in the evolution of this process. A great way for cybersecurity insurance brokers to enhance their impact is to ask insightful questions of themselves, designed to frame conversations in the most informed, logical way possible when engaging with clients.
