Your clients likely see daily headlines about large-scale data breaches that affect some of the nation's best-known brands. Yet data breaches aren't just an enterprise issue.
According to the 2017 Verizon Data Breach Investigations Report, 61% of breaches last year involved businesses with fewer than 1,000 employees. That's reflected in heightened interest for cyber liability insurance, a category that saw 35% premium volume growth in 2016 alone, according to a recent report from Fitch Ratings.
Although awareness about cyber liability is high among midsize business (MSB) owners, deep knowledge is not. This gives brokers a prime opportunity to educate risk managers, building owners, property managers and other decision-makers.
Related: The 3 R’s to remedy a cyber breach
Use these five tips to better educate and sell cyber liability to potential clients:
The need remains for agents and brokers to educate midsize businesses about cyber liability coverage. (Photo: iStock)
No 5: Explore your client's cyber liability needs.
When you ask your clients whether the business has cyber liability coverage, increasingly they may answer yes. But what I’ve found, especially working with many midsize hotels, resorts and restaurants, is that the existing "cyber liability" clients have offers only limited protection.
I've also talked with midsize business owners who think their Commercial General Liability coverage will cover data breach costs (and most won't).
This presents an opportunity to educate risk managers on the benefits of standalone cyber liability coverage that includes the following:
Coverage for both liability and customer notification costs. We advise organizations with under $25 million in revenue to consider up to $5 million in limits and at least 250,000 notifications (not a capped dollar amount).
Coverage of Payment Card Industry (PCI) fines and regulatory defense costs or penalties that result from breaches.
First-party coverage for losses from network security breaches.
Services such as forensic investigations that determine the breadth and scope of the breach, and crisis management that helps to protect a midsize business’ reputation during the process and ongoing credit monitoring for those affected.
Related: Emerging cyber risks
Some clients may not realize that their existing cyber insurance only offers limited coverage. (Photo: iStock)
No. 4: Tell a relatable story.
Once you establish the type of cyber liability products your clients need, educate them about the risk of data breaches. You can use a big-name example (such as the 2013 Target data breach that affected 41 million consumers), but it's more meaningful to talk about what's happening in their industry.
Do some limited research and identify a breach the midsize business owner will recognize. Sadly, in the hospitality industry, there's no shortage of them. According to Verizon's 2017 report, accommodations (hotels and restaurants) ranked as the top industry for point-of-sale intrusions.
Cyber liability policyholders are most likely to respond to risk anecdotes from their own industry. (Photo: iStock)
No. 3: Make it personal.
After establishing the need for cyber liability with a powerful illustration of what can happen to a midsize business that's victimized by a data breach, it's time to ask thought-provoking questions. If a breach like that happened to you, what's the first thing you would do? Who would you call? What kind of response would you need? How long would it take? What would that mean for your business? Then listen empathetically to each answer and look for that a-ha moment.
The reality is that most midsize business owners wouldn't know what to do if a breach occurred. So, this is your best chance to provide details that will help ease your client's concerns. For example, I find most hospitality businesses don't realize notification provisions vary by state and are based on the state where the affected customer lives, not by the state of the physical facility that was breached.
At this point, I also like to discuss the value of crisis management. No business can afford to lose trust with its consumers. So I let potential clients know how a solid public relations strategy (the costs of which are included in a standalone cyber liability policy) will help manage the reputation of the business, respond effectively to any media coverage, and rebuild customer trust.
The reality is that most midsize business owners wouldn't know what to do if a breach occurred. (Photo: iStock)
No. 2: Dive into the details.
Because cyber liability is relatively new, your clients may not know all their potential liabilities. For example, a franchisee for three locations of a midsize national hotel chain may not realize the franchisee may be held liable for a data breach within the brand's online reservation system even though a third party operates that system. The franchisee could be brought into a suit because the franchisee made the decision to hire the management company. A building owner may give insurance decision-making power to a property manager, but the owner may not know whether that property or hotel manager actually has cyber liability coverage.
The exposure is greater than the reservation system as well. There are numerous other point-of-sale transactions at a hotel for example (restaurant, gift shop, front-desk or parking, for example).
In addition to the limit of liability, many clients aren't sure of the size and scope of a potential data breach, so they don't know what number of notifications to choose. I coach hotels to prepare for a six-month breach and tell them to base that on the number of customers, number of rooms and standard occupancy rates.
Many clients aren't sure of the size and scope of a potential data breach, so they don't know what number of notifications to choose. (Photo: iStock)
No. 1: Know it may take time.
Most midsize businesses will see cyber liability as a good idea, but many aren't yet required to have it. You’ll need to continue good storytelling and help potential clients understand that having a smaller, defined cost for a standalone cyber liability policy is better than the enormous potential cost of a data breach. And remember, if they don't have a current cyber liability policy, you don't have to wait until the next renewal cycle to continue the conversation.
In today's connected world, data breaches are serious business. By offering comprehensive standalone cyber liability coverage and telling a relatable story to illustrate what can happen, you’ll give midsize business owners some much-needed peace of mind.