One might think stand-alone cyber insurance would be a relatively easy sale given the increasing frequency and severity of highly publicized attacks against an array of companies and government entities. Yet agents and brokers are often either struggling to convince clients to buy the additional coverage or, in some cases, are even advising against a purchase. The Deloitte Center for Financial Services fielded a pair of surveys examining why stand-alone cyber insurance sales aren't rising more quickly while generating ideas about how growth might be accelerated well beyond the rather modest $2 billion in sales being produced today. Our recent Deloitte Insights report — "Overcoming challenges in cyber insurance growth" — focused on the experience and attitudes of insurance buyers at middle-market companies (those with over $250 million but less than $1 billion in annual revenue). This segment should be prime prospects for the coverage given the rapid rise in cyber events targeting companies that size. Part of the problem — a lack of enthusiasm for the coverage among many intermediaries — was validated in our companion survey, summarized in this article, which gathered feedback from agents and brokers serving the middle market. We found a distribution force that is, at best, having trouble convincing many clients to take on the added policy, and at worst, averse to selling stand-alone coverage on the merits. In either case, insurers may need to reconsider the product's design, pricing, and marketing strategy to get their distribution force more enthusiastically on board and create a more compelling case for buyers. The stage seems to already be set for more sales of stand-alone cyber policies. Sixty-nine percent of agent/broker respondents said they are "very concerned" about the rising cyber threat facing their customers. Meanwhile, only about half of those surveyed agree clients are generally well prepared to prevent and/or limit the damage from cyberattacks or have enough coverage for such risks. Yet among businesses we surveyed without the coverage, 22% said they didn't purchase stand-alone because their agent/broker had not suggested doing so. Even more alarming is that 21% of respondents said their agent/broker had advised against buying a policy. At the same time, while 85% of agent/broker respondents said discussing cyber insurance options with clients is a high priority, businesses surveyed indicated agents/brokers were rarely the first to initiate discussions about buying a stand-alone policy. Indeed, only 6% of stand-alone buyer respondents named their agent or broker as the lead catalyst in their purchase decision, with pressure from the C-Suite (particularly the CEO) most often leading to inquiries about the coverage.

Why are agents/brokers having trouble?

Agents and brokers are generally not enthusiastic about selling stand-alone because of the challenges they need to overcome to close a deal, our research indicates. For example, when asked why clients are passing on stand-alone, the top reason cited by agent/broker respondents is that buyers feel they already have some cyber coverage packaged in their current insurance policies, including property (48%), general liability (63%), professional liability (65%), business interruption (65%) and directors and officers liability (39%). This rationale was validated by similar responses among the non-buyers we queried in our consumer survey. However, agents and brokers surveyed seem to recognize their clients may be harboring a false sense of security. While many buyers may assume they are covered for cyber by standard property and liability insurance, only 14% of agent/broker respondents said cyber risks were specifically covered in such policies. Adding to the uncertainty is that standard policies often may not explicitly exclude cyber events. This can result in claims disputes over what's been called "silent" coverage for cyber risks that are becoming pervasive yet are neither included nor excluded in standard policies. The sale of a stand-alone cyber policy can resolve that uncertainty while providing dedicated limits and clearer coverage terms. This conundrum may resolve itself over time, as more insurers include cyber exclusions in standard policies — much as they did years ago in carving out other evolving specialty risks such as environmental, employment practices, and directors' and officers' liability. But for now, such uncertainty typically benefits neither insurance buyers nor sellers. Another problem facing many agents and brokers in selling stand-alone cyber insurance is the lack of coverage standardization (see Figure 1). While most policies cover the most common cyber risks such as theft or destruction of data, as well as breaches exposing data to outsiders or compromising data integrity, insuring emerging exposures appears to be more problematic. For example, only half of agent/broker respondents said the stand-alone policies they sell cover ransomware demands, which is one of the fastest-growing exposures facing the business community and public sector. Only 44% said stand-alone covers denial of service attacks, while only 37% cover regulatory fines prompted by a data breach. A lack of standardization and the exclusion of many emerging cyber risks likely makes it that much harder for agents and brokers to compare and contrast coverage options and convince clients about a stand-alone policy's value. In addition, while it may be difficult to sell stand-alone cyber insurance to first-time buyers, retention also poses challenges. One-third of businesses surveyed without stand-alone said they had a dedicated policy at one time but were not satisfied with it. Agent/broker respondents said clients who once had stand-alone but didn't renew often dropped the policy over cost (64%), insufficient coverage (60%), and lack of clarity in terms and conditions (51%), while 26% cited poor claims experience. This indicates that even if agents and brokers manage to sell stand-alone coverage, renewal may be anything but automatic.

What can insurers do to help?

Our survey report includes suggestions about how insurers might jump-start stand-alone cyber insurance sales, whether by adjusting pricing, upgrading the value proposition, or more effectively communicating the need for a dedicated policy. Yet while each of these options might enable agents and brokers to make a stronger case for a stand-alone purchase, insurers will also likely need to consider additional steps to support the agents and brokers trying to convince prospects to take the plunge. Among the options:

• Better educate the distribution force: While most consumers surveyed said they would welcome more information and training about cyber risk management (including insurance options), agents and brokers likely could also use more training about cyber risks as well as evidence of a stand-alone policy's value — either as a supplement to or substitute for multi-peril policies.
• Arm sellers with case studies: Our consumer survey found that fear is a major factor for cyber insurance buyers. Those hearing about cyberattacks and their consequences against competitors, suppliers, vendors, or even those outside their industry were far more likely to buy a stand-alone policy — as were those who had endured an attack themselves. Providing case studies demonstrating how stand-alone policies kicked in after an event, as well as the challenges facing those without dedicated coverage, could, therefore, make the difference between a sale and a pass — especially if the example involves an event within the prospect's own industry.
• Get independent validation: Forty-one percent of stand-alone buyers surveyed said a prime purchase motivator was "results from an independent cybersecurity risk assessment," which is likely seen as a more credible recommendation than a pure sales pitch from a self-interested insurer or commissioned intermediary. Many of the survey's agent/broker respondents are already well positioned to arrange for this service, as 55 % said they "routinely offer cybersecurity assessments by qualified specialists."
• Go holistic: Agents and brokers (as well as their insurers) could make stand-alone policies more valuable to buyers by packaging the coverage as part of a comprehensive cybersecurity program. Among non-buyers surveyed, 31% without any cyber coverage and 24% of those with cyber included in standard policies cited this as a factor that could convince them to buy stand-alone. Many agent/broker respondents already market such capabilities (see Figure 2). For those who do not, cyber insurers could perhaps help fill the void by directly providing or helping arrange access to a suite of cyber risk management services for policyholders.
• Mind the gap: Agents and brokers should be reminded that those who don't at least inform clients about all available cyber insurance options, including stand-alone, could potentially face errors and omissions exposure themselves if businesses end up uninsured or underinsured for a cyberattack. Consider what happened after Superstorm Sandy, when many commercial customers sued their agents for allegedly failing to adequately inform them and/or recommend separate flood policies to supplement their standard property and business interruption coverages.

While insurers appear to have a lot of work to do to broaden the appeal of stand-alone cyber policies to prospective buyers, they also likely need a plan to better engage with and support their distribution force. Getting agents and brokers more enthusiastically on board and in position to make a stronger case to clients may be the most effective approach insurers can take to help cyber insurance reach its full growth potential. For more on this research, read our full report. You may also listen to a webcast about the study's key findings and recommendations. Former National Underwriter Editor-in-Chief Sam J. Friedman ([email protected]) is insurance research leader at Deloitte's Center for Financial Services in New York. Follow Sam on Twitter at @SamOnInsurance, as well as on LinkedIn. Julie Bernard ([email protected]) is a principal with Deloitte Risk and Financial Advisory and a Cyber Risk Services leader with Deloitte & Touche LLP. See www.deloitte.com/about to learn more about Deloitte's network of member firms. Related:

• Insurance makes the world go round
• Three cybersecurity considerations for business clients in the COVID-19 era
• Cyber basics in a connected world