With cyber threats now an issue for businesses of every size, brokers face a critical choice: recommend a dedicated standalone cyber insurance policy, or add cyber cover as an extension. Many clients – and even some brokers – underestimate the gaps and limitations that can arise from simply “tacking on” cyber coverage. But what should a broker be considering and explaining to customers when that decision is being made – and is it really a choice?
Cyber cover as an extension under another insurance product has become common, particularly in the SME space served by brokers. These endorsements are available with a range of insurance offerings, including business packs, D&O, and commercial property.
Yet with the penetration rate of standalone cyber among SMEs still very low – under 20% – many Australian businesses are relying on the more limited protection of endorsements. This trend puts the onus on brokers to clearly explain the differences and help clients understand the real risks of inadequate cyber cover.
“I personally would never, ever tell a client to hold their hat on that kind of extension – it is just a little bit of protection that can be nice to have if they don’t have a standalone cyber policy,” said Scott Wilford, executive director of Oracle Group Insurance Brokers.
The protection limits tend to be very low and restrictive, he said. Sublimits are also poorly defined and often just a couple of lines in a business pack schedule with limited and ambiguous wordings.
“It's probably a little bit of a sales pitch so it's not preferred,” said Wilford. However, if it’s free with another policy, an endorsement is better than nothing.
“But I always say that you have got to have a full blown cyber policy that's fit for purpose around your business, otherwise you just don't have protection and you'll be disappointed when a claim happens,” he said.
This underscores why brokers and clients should carefully consider the distinct advantages of a dedicated standalone cyber policy.
Other brokers and cyber experts agree, including Anthony Smit, WTW’s cyber risk and insurance consultant.
“At the end of the day a standalone cyber insurance policy is the most appropriate and suits both a million dollar business or SME and a $20 billion business,” he said.
Coverages – so wordings and covers, not the limits – are similar across insurers, said Smit, and can be tailored to be fit for purpose no matter the size of the business. Despite the complexity of cyber threats, this similarity in standalone covers can be helpful for brokers faced with understanding and explaining this challenging and complex threat.
The smaller market is also well covered by specialist insurers that target SMEs up to large corporates. “No matter the size there are well respected and rated insurers available, and at the risk of leaving a few out examples include Emergence, Dual, AIG, Chubb, AXAXL, CFC,” said Smit. He detailed the critical differences that often distinguish a standalone policy from an endorsement.
“A key advantage with a cyber policy is that you get access to instant response experts,” said Smit.
There are three elements to a comprehensive standalone policy.
“One is triage and the response, which is incredibly important, especially with SME type companies,” he said. The second part is cover for first party costs, so the restoration and remediation of the business’s actual environment. “The other aspect is third party costs that relate to claims brought against a business due to a cyber event,” said Smit.
Cover for third party costs has become increasingly important in recent years with the rapid escalation of class actions against businesses. “Often this type of coverage is not captured in any sort of extension of an existing policy,” said Smit.
Cyber extensions – are they making it harder to sell standalone cover?
Some brokers are concerned that the widespread availability of cyber extensions on existing policies is actually giving SMEs and other clients a false sense of security and making it harder for brokers to sell standalone policies.
“It impacts us in terms of how to communicate effectively with our clients because the client goes, ‘I've got cyber insurance,’ but they don’t! It's not worth the paper it’s on,” said Wilford.
However, cyber brokers and other experts say extensions are important components of a comprehensive approach to cyber threats – but when they are extensions to a standalone cyber policy, not the other way around.
“If I do a cyber policy for a client, I always make sure they’ve got a D&O extension because you’ve got exposure as a director to those things which aren't covered under traditional D&O or management liability,” said Wilford.
Smit said WTW refers to this as “whole of program.”
“At the end of the day, certain PR, D&O and stat liabilities would have cyber exclusions – which makes it even more imperative that you have a cyber policy in place,” said Smit.
In the current challenging business environment, where businesses are looking to cut costs, it’s well documented that many SMEs see a comprehensive cyber policy as too expensive and not worth the cost. Smit and Wilford argue that, given the potentially catastrophic results of a cyber attack, it’s worth the cost and actually not that expensive.
The challenge for brokers is convincing clients. Wilford likes to use stories that illustrate the business case in favour of taking out a policy.
“I tell them that if they do have a cyber incident and they don't have cyber insurance and they ring some sort of cyber help number, it's going to cost them $10 grand before they even answer the phone,” he said. That should be compared, he said, to the cost of an effective cyber policy. According to industry estimates, that policy might cost $2000 for a business worth up to a few million dollars. This means a business would still be in a better position after five years compared to not having a policy.
“Because you’re going to have a cyber attack in five years no matter what,” said Wilford.
Smit addresses this sales challenge by raising clients’ awareness of the expensive chain of events that would follow an attack on their business.
“If you have an incident right now, who would you call? Who would be the IT guy? Do you have them on a retainer?” he asks the business owner. “The second question is, from a legal or regulatory point of view, if some data is lost, who would you call, which lawyer?” Smit said.
He said educating clients around those questions helps them to see the value of a good standalone cyber policy that provides a panel of expert responders on retainer. “So from a financial point of view for a SME, why wouldn't you do it?” Smit said.