Cyber isn’t auto, and brokers need to stop selling it like it is, Beazley cyber chief warns

The real value in cyber cover isn’t the cheque after a breach, but on-call experts who can tell clients when to escalate, when to ignore, and what to do next

By Branislav Urosevic

In personal lines, most buyers know what a claim looks like. A car is dented, a warehouse burns, a pipe bursts. You call your insurer, get an adjuster and a repair shop, and the policy pays to put things back the way they were.

Cyber doesn’t work that way, and Raf Sanchez, head of cyber services at Beazley, thinks brokers should be much clearer about that with clients.

“With auto insurance, you know what’s happened. You’ve had a crash, you need your car fixed,” he said in an interview with Insurance Business Canada. “With cyber, organizations don’t always know what’s really happening or what they should do about it.”

That ambiguity is precisely why he argues cyber should be sold and understood as a services‑first product, not just a promise to reimburse losses.

When you don’t know what the ‘loss’ is

Sanchez has worked in privacy and incident response for more than 25 years and now leads Beazley’s global cyber services team. He says many of the incidents his group handles start with a simple question: is this even a breach?

“If an employee’s account is compromised – what should the company do?” he said. “Reset their password and move on? Erase their accounts? Interview them and find out how they got compromised?”

Answers to those questions are not obvious from inside the organization, especially for first‑time victims. Was an attacker blocked early, or did they establish a foothold? Is a strange email just spam, or a sign that credentials from a senior executive have been misused? In many cases, the line between “annoying” and “material” is thin.

Sanchez contrasts that with more traditional lines. Property managers know how to respond to a warehouse fire. Auto fleets understand the workflow after a collision. By comparison, even sophisticated companies may be unsure whether an odd login or a threatening email warrants activating an incident‑response plan.

That uncertainty, he argues, is exactly where cyber insurers are supposed to earn their keep.

A bench of specialists on call

Beazley’s cyber services function, which Sanchez leads, combines lawyers, penetration testers, offensive security specialists, risk consultants and incident coordinators. Collectively, he says, they see thousands of incidents a year, ranging from lost laptops left on trains to complex ransomware campaigns.

“We have seen thousands of incidents a year,” he said. “Accidental incidents, like leaving a laptop on a train, through to sophisticated ransomware attacks.”

For insureds, that experience translates into a playbook and a sense of proportion. An unusual email or small payment demand might be something a cyber insurer has already seen 30 times that month, in which case the advice could be to document it, adjust controls and move on. In other situations, a seemingly minor alert may be the first sign of something far more serious.

Sanchez says that’s why cyber insurers, unlike some other lines, actually want clients to call often and early.

“Carriers want to speak to their clients,” he said. “We want them to feel they’ve got value. Otherwise, what’s happened with your auto insurance if you don’t have a crash? It’s in the drawer – you’ve spent the money and you’ve got no visible value.”

In cyber, he insists, clients should see their policy as a way of putting specialized expertise on retainer, not just as a financial backstop.

Why ‘small’ incidents still matter

One of the most common pieces of advice risk managers hear in property or auto is to pay very small claims out of pocket to preserve loss ratios. Sanchez cautions against applying that instinct to digital events.

A sextortion email, a suspicious login or a vendor notification might look insignificant in isolation. But without context, organizations can easily overreact – paying when they shouldn’t – or underreact, ignoring a pattern that points to a larger compromise.

When a client calls Beazley about a worrying message, Sanchez says the first step is often to benchmark it against the firm’s broader incident experience.

“If an organization has never seen a particular type of attack and they call us, we may well say, ‘We’ve seen this a lot recently, and here’s how it tends to play out’ – or we may say, ‘Ignore it, don’t worry about it,’” he explained.

That ability to separate noise from signal – and to suggest practical next steps around containment, forensics, legal obligations and communications – is difficult for any single company to build on its own.
