It's important for the insurance broker to really get a handle on what the insurance exposure is and how much coverage a customer needs to properly protect them.

Q: How difficult does the constant changes in technology and hackers' methods make writing cyber coverage?

MIKE: That's a big reason why we're seeing a big increase in demand [for cyber coverage]. There recently has been, and there continues to be, cyber breaches in the news a lot. There's an emergence of politically-oriented hacking groups that are highly sophisticated and have shown to be able to break into some of our most sophisticated security systems, such as governmental entities like the FBI.

I think to the average small- to mid-size business, when they're watching this and they're learning about how much a breach costs, they realize that it's a lot more expensive than one would have thought. Then they think, “OK, how well am I protected?” If the FBI is getting hacked into, it's a big jump to think that your part-time IT guy who installed some firewall is really going to adequately protect you against these sophisticated hackers.

However, I don't want to overstate the hacker thing because while it is bringing some awareness to the need for cyber, the vast majority of claims we get at NAS are because of negligence.

We have a lot of doctors' offices and medical groups, and a lot of times a claim is them leaving a laptop on a train or taking a bunch of filing cabinets full of medical records and throwing them away.

Q: How do you deal with negligence claims?

MIKE: From an underwriting perspective, we know mistakes are going to happen. What we want to do is really make sure that the damage is very limited if something like that happens. The most important thing that we check to prevent negligence is to make sure that portable devices are encrypted. That dramatically reduces the risk, because it's incredibly difficult to break encryption.

Q: Would you check for encryption on mobile devices, as well?

MIKE: Yes, to an extent. There certainly is exposure with backup drives or USB thumb drives that can hold a large amount of data. There is a more limited extent on mobile devices like a cell phone or smartphone because usually they're not storing large databases of customer information. There might be some information in their email or something, but it's usually to a much smaller extent.

The ideal risk has a broad plan with an understanding of all of the information they store and retain. The good insureds are focusing on this and making sure they reduce their risk where they can and then get into the insurance with the understanding that things can still happen no matter how prepared they are.

Q: Are insureds adapting these strategies or are they reluctant to take these precautions?

MIKE: I will say that the average submission we see has a higher level of security now than a few years ago. Awareness has seeped into the insurance purchasing market, but it still has a long way to go.

Q: What are some cyber risks that people aren't talking about as much as they should?

MIKE: I think that everyone talks about the direct costs of a breach, like notification and legal expenses, fines, penalties—these are a lot easier to quantify than the indirect costs. However, many companies find that after they have a breach, they have a significant loss of revenue.

For example, after a breach, a company has to send a letter to all its customers saying it lost their private information. Now these customers have to worry about identity theft and monitor their credit, and that's a betrayal. It's a competitive landscape out there, and depending on the industry, there's a very good chance that company's customers will go somewhere else. That's going to have an impact.

To a really large company, it might just be a little blip in their revenue and it won't threaten their continued existence. But a small- to mid-size company can't afford a big drop in their revenue for a few months or a year. That could really ruin their business. It's kind of like a business interruption claim, but very few—if any— companies out there that sell cyber liability cover this.

Q: What are some important factors to focus on when writing cyber liability lines?

MIKE: I think many cyber underwriters out there rate on the revenues of a company as opposed to the number of identities. At NAS, we've been collecting both data sets on the risks we write, and we've found that there are some substantial outliers where a very small company has a very large amount of identities. Identities equal exposure in a cyber policy. Potential loss is really contingent on how many identities a company's lost.

So service-oriented companies like cloud computing hosts or healthcare third-party administrators or a mortgage servicer or a medical biller might only be making a few million in revenue, but they might have millions of records. I don't think that's being taken into consideration by many markets and I think that's a way to not get enough rate and as a result, get stung pretty badly on a claim.

Q: Has customer demand for cyber liability been increasing?

MIKE: I've been doing this for seven years now, and I would say that demand for the coverage is certainly the most I've ever seen it. However, while demand is high, it's still just scratching the surface, and there's still such a lack of awareness out there about how much these claims cost if a company has a breach. There's still a lack of awareness of how valuable this coverage is.

Q: What kind of coverage does NAS offer for cyber liability?

MIKE: We have a standalone cyber product called NetGuard Plus. Then, we also have cyber on all of our technology professional liability that we write. We have cyber in one form or another in almost every single one of our products. We think it's important to at least give some protection included with the normal policy that they purchase.