As insurance professionals, it’s important to put ourselves in our customers’ shoes. There are several common questions your client may ask regarding their insurance needs—specifically, why they should spend more on coverages they neither understand nor feel they need.
In every interaction, we want to be perceived as advisors and not salespeople. I speak with our agency partners daily about selling Cyber Liability and hear the kind of questions they are getting from decision-makers when they present this coverage as a necessary risk transfer tool for businesses:
- “What Cyber exposures do I have?”
- “Our business is small. Do we really need Cyber Liability?”
- “We keep credit card information and private customer data in the cloud. Do I need this coverage?”
Imagine your customer is Johnson’s Jellies and Jams, a small-town confectioner and bakery that has been in business for over 20 years. The staff consists of six employees who are all family members. The business generates $750K a year in revenue with 25% of sales through an online store. They use a third-party cloud provider and a third-party payment processor to handle the day-to-day operations, and have two vendors from whom they purchase their fruit and bakery supplies.
Johnson’s Jellies and Jams’ business insurance package renews July 1st, and this year you decide to propose a Cyber policy with a $1M limit and a $1,250 premium—you know how important this coverage is for their business. Understandably, during the renewal meeting, the Johnson family asks why their small business needs this type of coverage. Without hesitation, you give them some scenarios that could occur without Cyber Liability coverage:
- The owner, Joe Johnson, receives a notification in the mail that their third-party payment processor suffered a breach and that some customers’ Personally Identifiable Data was compromised. Joe assumes that the breach doesn’t apply to Johnson’s Jellies and Jams and throws away the notification. A month later, the business is hit with federal fines and penalties for “Failure to Notify” their customers that personal information had been released to the public. Why did they receive a penalty when they were not the ones to suffer the breach? Even though Johnson’s Jellies and Jams did not directly suffer the breach, it is still their duty by law to notify customers that their information was released to the public due to the transaction at the business. Joe now owes the government $11K in fines for not notifying his customers.
- On the first Tuesday of every month Joe Johnson sends checks to his vendors. Just like any other Tuesday, Joe receives an email from Carozza Farms with an invoice for last month’s fruit supply. As always, Joe transfers the funds directly into their online account. The next morning he receives another email from Carozza Farms stating that the funds had been sent to a closed account and directs Joe to make a new payment to a different online account. Joe resends the money to the new account and calls his vendor to be sure the new payment has been received. The accounts receivable department at Carozza Farms tells Joe they received the original payment yesterday and had not sent a second request. Joe realizes he’s been scammed and immediately tries to cancel the online payment, but it has already gone to an undisclosed account, never to be seen again.
- Owner Joe arrives early in the morning to open the store and notices that his network is down and he can’t access his database of famous recipes. He checks his business email on his phone and finds one from an anonymous address telling him that he is locked out of his server and that his famous recipes will be posted online unless he wires 15 bitcoin to an anonymous account. Joe reluctantly sends the money ($17,700 USD) to the account. Depending on the mood of the hacker that day, Joe may receive the key to unlock the server or he may receive an email requesting more money. In many situations, sending the money is the only option.
The above situations are real-life claim examples that we see on a daily basis. As advisors to our clients, we need to make them aware of their cyber exposures and offer thorough Cyber Liability solutions tailored to each type of business.
Small businesses are in the crosshairs. They don’t have specialized IT departments or the funds to implement sophisticated security measures, making them easy targets that are often unable to adequately handle a privacy incident when one occurs.