You’ve been pushing cyber coverage hard to your commercial clients. But are you practicing what you preach at your agency?
A cyber endorsement to your agents E&O policy isn’t enough to protect you against the myriad cyber-related threats your business faces. Here are the top reasons why your agency needs comprehensive cyber liability coverage.
Insurance agencies collect high volumes of personal identifiable information (PII). “Everybody who has employees has cyber exposure, but insurance agents actually have more exposures than most other companies because they have so much PII,” says Alex Wayne, executive vice president at A.J. Wayne & Associates, Inc.
All insurance businesses, including independent agencies, collect a large volume of data—from credit card and bank account numbers to addresses, social security numbers and personal health information, says Brian Thornton, president of ProWriters.
“Criminals know this—that all the information collected at an insurance agency is high PII,” says Laird Rixford, president of Insurance Technologies Corporation. “They absolutely target financial industries. They’re not going to target a bakery shop. They’re not going to target a gas station, other than trying to go after their credit card vendor. Credit card numbers are great, but true identity theft information is much more valuable to a thief or criminal.”
And it’s not just about your agency, either—it’s every other organization you partner with to sell your products. “An insurance agency deals with a lot of carriers,” Rixford points out. “What if one of those carriers has a breach? Technically it’s the agent’s responsibility to keep that client data secure.”
Small agencies have less money to spend on damage control. Contrary to popular belief, smaller businesses actually have “all the more reason why they should buy the coverage—they don’t have the assets to protect themselves and cover their bottom line,” Wayne says.
That applies to both protecting your business against a security event in the first place and dealing with the fallout if an event occurs. “The large agency or large carrier has invested the time, effort and money to at least try to put up some security front,” Rixford says. “Smaller agencies don’t have the money, the infrastructure, the time, the effort, the knowledge to create a technology resistant to someone trying to attack them. They’re vulnerable; they don’t update their patches; they don’t have security practices in place.”
But cyber threats can infiltrate even the most secure of systems—and smaller agencies are also less equipped to deal with the aftermath of a breach. All but three states have cyber laws on the books, and according to Rixford, state fines can reach anywhere from $1,000-$100,000 per incident. In some areas, including California, every individual with leaked information is considered a new incident that carries a minimum fine of $1,000 each.
“If you breach 500 people, that’s $500,000,” Rixford says. “There are massive fines tied to this. Most companies, whenever they don’t have a cyber or some kind of liability policy that covers cyber, they don’t survive. One incident will take a business out.”
And even if an agency can handle the costs associated with notification and credit monitoring, “the time cost involved with going through the rules and figuring out what type of letter needs to be provided could be a huge time drain beyond the actual dollar and cents cost,” Wayne says.
Independent agencies rely on maintaining a sparkling reputation. If you’re selling cyber coverage to your clients, going through the process of securing it for your own agency will give you a leg up when making the sale.
“You’ve learned by doing,” Thornton points out. “You’ve gone through that same analysis of what is our exact exposure? What data do we have that would be classified as PII or PHI? What drives the sale at the end of the day is when an agent really understands the exposure, they can really answer the client’s questions more easily.”
Most of ProWriters’ independent agency clients initially sought cyber coverage after already working on selling it to their clients, Thornton says. “For most of them, as they started to sell the product to their clients, they realized ‘Wait a minute—I’ve got that exposure too,’” he says. “If you’re selling this to your clients, you should be taking that same exposure seriously. The last thing you would want to see happen is you have a breach of your own and you mismanage it or don’t have a policy.”
Beyond setting an example for your commercial clients, having adequate cyber coverage is now necessary to ensure the trust of your entire customer base. “Can you imagine saying, ‘As your trusted advisor who you entrust with your entire financial future, we just lost all your information’?” Rixford asks.
“People are very sensitive about their personal information, and word gets around in a smaller town,” Wayne agrees. “If an agency has this type of public relations black eye, it could be devastating. If there’s another agency and they didn’t have this type of issue, a customer will choose that other agency.”
Jacquelyn Connelly is IA senior editor.