For over a decade, cyber insurance has been on the market, and over that time, a predictable pattern of obstacles to the coverage’s sale has emerged. There is also a typical order in which the obstacles occur. In previous articles we said that a client might first reason that “A breach won’t happen to us,” and then explain that even if it does, “We’re already covered by our existing policies.” We debunked these lines of thinking in Parts 1 and 2 of this series, so let’s move on to the third objection: “Our data is secure.”
This rationale is typically voiced by the Chief Information Officer or others in the IT Department. Because one of their main job responsibilities is information security, many IT professionals consider the purchasing of cyber insurance an implicit acknowledgement that they can’t keep the company’s network secure and haven’t fully done their job. IT specialists would like to consider the company immune from risk because of their efforts. Since IT personnel are integral to the completion of the application, and ultimately to the sale, this attitude is a major hurdle for the independent insurance agent.
There are ways, however, to help IT professionals understand the need for cyber coverage, while affirming their identity as guardians of the company’s data. First, articulate that cyber policies can cover not only digital threats to the IT system, but also privacy exposures such as paper files and other vulnerabilities outside the IT Department’s scope of duties.
Second, remind the IT Department that valuable assets are almost always protected by insurance, regardless of loss mitigation efforts, and data should be no different. For example, you can make an analogy between network security and the firm’s automatic fire suppression sprinkler system:
“Note the conference room we are sitting in has sprinkler heads. The architects that designed the building took special care to make sure there were enough sprinkler heads and water available should a fire start. They also carefully chose non-combustible materials for the building’s construction. Everything was done to eliminate the possibility of a devastating fire. However, even with all the precautions, you still purchased insurance to cover the building, because despite everyone’s best efforts, sometimes building burn down.”
In a digital network, even when the firm’s IT personnel take all reasonable precautions to protect data, the network can still be compromised. In fact, breach experts say that even companies with the highest level of security sophistication are not 100% secure.
Therefore, purchasing cyber insurance is not an indictment of the IT Department’s job performance, but rather an acceptance of the inevitability of an incremental risk.
Brian Brown is a guest author for INSUREtrust. He is an expert in cyber liability coverage, and has held a number of senior positions in the insurance industry for over a decade. He may be contacted by email at [email protected] or by phone at 404-849-3004.