Most agents and brokers have had some opportunity to sell or speak to clients and prospects about network security and privacy coverage (cyber insurance). Over a decade of selling this coverage shows a surprising similarity of obstacles to sale.
Here are the main "stops"—actually, myths—that keep clients from buying cyber insurance:
- A breach won't happen to us.
- Isn't this already covered?
- We are 100% secure.
- I can't talk to the tech people.
- Applications are too difficult to complete.
Cyber coverage should now be a part of any property and casualty insurance discussion. Although the coverage is not new, it is now being purchased more frequently. Marsh reports the number of its U.S. clients buying cyber insurance increased 33% from 2011 to 2012.
Armed with an understanding of the five most common obstacles to the sale of a cyber policy, an agent or broker has a better chance of explaining the need for cyber risk protection and convincing the insurance buyer to consider purchasing it.
The sections below show how you can counter each of these arguments and increase cyber insurance sales for your agency.
Myth: A breach won't happen to us.
Fact: No one is immune.
Security breaches happen every day. The most notable are the massive Target and Neiman Marcus security breach losses, which occurred last December, with more than 110 million records compromised.
More recently, a February breach of St. Joseph Health System in Georgia and Texas potentially compromised more than 405,000 records. Information was accessed through a single server by hackers from China and other locations. This server stored information for numerous facilities.
And data breaches are not just happening at big companies. More than 600 million personal records are known to have been compromised since 2005, according to Privacy Rights Clearinghouse. This is nearly twice the population of the entire U.S. Although the large companies receive media coverage, breaches are occurring with regularity in small and medium-sized companies as well.
To counter the "it can't happen to me" myth, point your customers to these sites, which contain detailed information about breaches:
- Privacy Rights Clearinghouse has every reported breach since 2005 and is sortable by industry and by type of breach.
- Data Loss Open Security Foundation is a research project aimed at documenting known and reported data loss incidents worldwide.
- Verizon's 2013 Data Breach Report combines the expertise of 19 organizations from around the globe.
Most information security specialists say that it isn't a question of "if" a breach will occur, but "when." You can use these websites to show the client or prospect similar businesses that have had compromised information and highlight the potential financial impact.
Myth: Isn't this already covered?
Fact: Read the words in the policies.
The existing property, casualty and professional liability policy wording has evolved to make the policies' intent clear that security breaches are not covered. Below are sample wordings from each of these policies.
PROPERTY: ISO BUILDING AND PERSONAL PROPERTY POLICY CP-00-10 04 02 – Page 2 of 14, Section A. Coverage, 2. Property Not Covered:
Covered property does not include:
n. Electronic data, except as provided under Additional Coverages – (See Page 5 of 14 – limit $2,500 – due to the low limit this acts more as an exclusion than enhanced coverage)…
GENERAL LIABILITY: ISO COMMERCIAL LIABILITY POLICY CG 00 01 10 01 – Page 15 of 16, Section V. DEFINITIONS, 17. "Property damage" means:
a. Physical injury to tangible property…(underline added for emphasis)
Further in the definition:
For the purposes of this insurance, electronic data is not tangible property.
Note: The definition of "property damage" limits coverage to tangible property, and the wording specifically states that electronic data is not tangible property.
PROFESSIONAL LIABILITY: SAMPLE HOSPITAL PROFESSIONAL LIABILITY WORDING (Used as an example):
D. Exclusions Applicable To All Insuring Agreements…any misuse or improper release of confidential, private or proprietary information,…Any administrative, disciplinary, licensing or regulatory claim asserted by or on behalf of a government entity
(Most cyber policies will cover fines and penalties. Also, many Professional Liability policies will specifically exclude Network Security and Privacy losses.)
It is clear that standard insurance forms are specifically excluding coverage. Note that some forms are adding back small slices of Cyber coverage with low limits. These additional small limits are typically highly inadequate but are added by carriers to more clearly restrict coverage by reducing ambiguity about what coverage is offered.
Myth: We are 100% secure.
Fact: There is always an incremental risk.
This objection typically comes from the chief information officer or information security specialist (IT). One of the main job functions of IT is information security. Many IT professionals consider the purchase of cyber insurance an admission that they have not done their job fully. They want to think of their companies as immune from risk because of their efforts. Because they're integral to completion of the application, this attitude is a major obstacle to the sale.
There are ways to help make the purchase of cyber insurance less threatening to IT professionals. Cyber policies now cover not only threats to the IT system, but also privacy exposures such as paper files and other vulnerabilities outside IT's scope of duties.
To illustrate the need for cyber insurance, compare network security to fire prevention: "The conference room we are sitting in has sprinkler heads. The architect who designed the building took special care to make sure there were enough sprinkler heads and water available in case of fire. They also carefully chose non-combustible materials for the building. Everything was done to eliminate the possibility of a devastating fire. However, even with all the precautions, you still purchase insurance to cover the building because on occasion, despite everyone's best efforts, fires occur."
Myth: I can't talk to the tech people.
Fact: There are ways to find common ground.
Many insurance buyers (CFOs, COOs, finance professionals and others) are reluctant to engage the IT department in cyber risk discussions because they don't understand IT jargon. Insurance buyers typically do not communicate with IT unless there is a computer problem.
Here is a layman's illustration of one employee's connections to the network. Her interactions could include all of those outlined in the illustration below. Each of these communication lines and each photo represents a potential vulnerability. This illustration shows the potential communication connections of just one individual. Imagine what the illustration would look like with many, even thousands, of individuals communicating. The complexity of this "simple" illustration makes it obvious why insurance buyers are reluctant to delve into the intricacies of network risks.
Showing your client this image illustrates the magnitude of vulnerabilities presented by cyber exposures.
To use the automatic fire suppression sprinkler system analogy again, while the insurance buyer may not fully understand the intricacies of a "combined dry pipe-preaction system," they can still discuss knowledgeably what would happen if that sprinkler system failed. The same is true of the exposures presented by this complex network. The exposures just need to be organized into a structure for discussion.
Below is a representation of the realms of risk presented. If each of these realms is addressed, it keeps the conversation at a level appropriate to a reasonable discussion between the IT department and the insurance buyer. See below for a breakdown of the realms, which can each be taken separately.
Myth: Applications are too difficult to complete.
Fact: You can reverse the sales cycle.
Since the network affects every individual and function in an organization, many different departments are involved in network security and privacy. Therefore, completing an application for cyber coverage can involve multiple disciplines and can be cumbersome. Also, in the past applications were very long and involved.
Fortunately, with experience and familiarity with the risks, insurance carrier applications are now much more streamlined. But what has assisted in the sale is the reversal of the typical insurance sale.
In a typical insurance sale, an application is completed, quotes are received, options analyzed and a buying decision is made. However, in light of the reluctance of insureds to complete cyber applications, a seasoned, experienced underwriter can often offer a very good estimate of the terms and costs with little more information than just the revenues and a review of the insured's website. With the potential costs and terms in mind, an educated business decision can then be made by the prospect prior to completion of a detailed application. Ultimately, an application will need to be completed to obtain coverage. However, with estimated cost and terms, discussions about purchasing cyber coverage can continue.