How to assess your clients’ cybersecurity risks

To craft the right cyber coverage, take time getting to know the nuanced operations of your client.

Tailoring coverage to your insureds’ cybersecurity needs depends on understanding a few of their key characteristics.

All cyber policies are not created equal, and some products are better than others for a given segment of business. To determine what is most appropriate for their clients, brokers and agents should begin their assessment of a client in much the same way underwriters do: by asking “what is the primary exposure(s), as it relates to privacy and network security, for a given risk?”

It may sound basic or obvious, but from the perspective of an underwriter, submission quality often makes it apparent that an agent or broker takes a shotgun approach to assessing the cybersecurity needs of their clients.

Why size matters

As an underwriter, one of the first things I do when I receive a submission is to spend time analyzing the operations of the applicant, in addition to gauging the size of that organization (note that exposure basis — read: “size” — can be defined differently for various organizations, a point I’ll come back to shortly). This information sets the stage for how I might give relative weight to various areas of controls, and my expectation for the quality of those controls.

Agents and brokers would be well advised to start their engagement in the same place. The reason for this is simple: thinking about what an organization does and how “big” it is will help to ensure agents are focused on gathering relevant information, and concentrate their marketing efforts on carriers with the most appropriate underwriting appetite, claims capabilities and products.

Focusing on an industry class, and importantly sub-class, can help guide a broker or agent around the best way to measure the size of risk. For some clients, the most appropriate measure of risk might be the number of uniquely identifiable records a business holds – often referred to as Personally Identifiable Information (PII).


For others, the amount of revenue generated annually, or the type of intellectual property it maintains, may be the best representation of its true exposure basis. If we look at healthcare for example, it’s a wide class with a lot of exposure differentiation between sub-classes. For a hospital, the number of unique individual lives on which they maintain data might be the best measure of their relative size.

For a pharmaceutical production facility specializing in generic drug manufacturing, the amount of annual revenue might be a more appropriate measure of their exposure. Both sit within healthcare, but with very different profiles and operational exposure.

Surveying cyber exposures

This same example of differentiated exposures can be applied to virtually any business or industry. If the class is “professional services,” a law firm specializing in personal injury claims (where PII may be the best measure of size) has a very different exposure basis than a design firm (which generally has limited PII, but might have material revenue exposure relating to network outage because of tight client marketing timeframes for example). Again, it’s best to focus on the individual operations of a given client rather than what overarching industry class they might fall into.

Once the most relevant areas of exposure are identified, an agent or broker can focus on collecting the most pertinent exposure basis data, as well as controls data. If it is determined that PII is the best measure of a given entity’s exposure, where does it fit from a relative perspective? Is the client an independent rural county hospital with 83,000 records?

A hospital that size could be considered “small” even though they have $140 million in revenue. Or, is the client a health system operating across three states, managing nine hospitals, each with hundreds of thousands of PII records, totaling in excess of $4 million?

If it’s the small, independent hospital, a standard application from one of the major carriers offering cyber insurance may be the right application to use. If it’s the latter entity, an agent or broker should probably determine whether privacy and security controls are centrally managed. They need to determine whether all facilities share a common network domain, as that could indicate a need for multiple applications to be completed.


The agent or broker may want to prepare the client and focus energy on scheduling an underwriting conference call, as that may be the easiest way for the health system to communicate the complexity of their IT and data-related operations, as well as the sophistication of their privacy and network security-related controls.

In addition to guiding the application process for a broker or agent and their client, this assessment process can narrow the marketing process. Often, smaller organizations should be steered toward products that include built-in incident response. They usually provide “800” numbers for near-immediate interaction with cyber-specialist law firms, as well as pre-established relationships with forensics specialists and other post-incident responders.

Conversely, larger and more sophisticated organizations have existing vendor relationships and want a product/carrier that will provide them with the flexibility to leverage those relationships, large limits across a wide variety of coverage areas, and a willingness to draft bespoke coverage enhancements.

Use your cyber practice to remain competitive

I’ve been dedicated to cyber throughout my career in commercial insurance. It’s been a fascinating area, and the maturation of cyber policies has accelerated greatly over the last decade.

There are a fair number of quality choices when it comes to selecting a primary carrier, with a wide array of policy structures. The next frontier of competition is around pre-incident services.

Cybersecurity isn’t just about reducing risk, although that’s obviously a critical piece; it is fast becoming an area for competitive differentiation amongst businesses (our clients). Recognizing that policies with built-in response mechanisms are becoming more commoditized, it will be carriers offering deep, in-house technical personnel and tailored pre-incident services that are best positioned to capture market share. Agents and brokers need to keep this in mind when evaluating carriers.

Most agents and brokers aren’t going to have a cybersecurity background and shouldn’t be expected to evaluate the relative posture of their clients. However, most have the ability and opportunity to understand the nuanced operations of their client, and that effort can improve all aspects of the cyber insurance application and purchase process.

Josh Ladeau (Josh.Ladeau@aspen-insurance.com) is global head of Cyber at Aspen Insurance.
