Cyber insurance has been on the market for over a decade, establishing a predictable pattern of obstacles to the coverage’s sale. Our previous articles identified that a prospect might first reason that “A breach won’t happen to us,” and then explain that even if it does, “We’re already covered by our existing policies.” Next, they would argue that “Our data is secure.” We’ve debunked these myths in Parts 1-3 of this series.
The fourth objection, “I can’t talk to the IT people,” stems from the fact that many insurance purchasers (CFOs, COOs, and others) are reluctant to engage their professionals in cyber risk discussions. The buyer does not understand IT jargon and lingo, and typically does not communicate with IT unless there is a computer problem.
Furthermore, many organizations outsource network functionality and data management to vendors, including data storage, backup tapes, applications, and web hosting. If a vendor is breached, the business that hired the vendor is legally liable for the exposed data and notification-related costs.
Giving the insurance buyer a higher-level understanding of the risks their company faces provides a common ground for discussion. For example, employees are using a number of different connections to the Internet to conduct business – the office network, their own home Internet service, and WiFi networks at airports, coffee shops, etc. All of these connections are vulnerable to breach and represent points of risk.
Analogies in language that insurance purchasers are familiar with help them understand the need to purchase insurance even if they don’t understand the intricacies of cyber issues. For example, all newly-constructed commercial buildings must have an automatic fire suppression sprinkler system. While most people cannot explain the mechanics of how a “combined dry pipe pre-action system” works, they can still discuss knowledgeably what would happen if that sprinkler system failed.
The same is true of the exposures presented by a complex data network. The exposures need to be organized into a structure for discussion, including where data is stored, the types of information stored, the protections in place, and how the data is accessed.
Brian Brown is a guest author for INSUREtrust. He is an expert in cyber liability coverage, and has held a number of senior positions in the insurance industry for over a decade. He may be contacted by email at [email protected] or by phone at 404-849-3004.