How to Highlight Your Client’s Cyber Exposure
If you are new to Cyber Insurance, it may seem like a daunting task to get up to speed on the market and exposures. We have found that the first step in this process with a client is simply highlighting their exposures. A simple conversation with your client on this topic can lead to the sale of a cyber policy, helping you round out their insurance coverage. The key focus areas are data, contracts, and then providing some benchmarking. By the end of this conversation, even resistant clients seem to be willing to look at a cyber policy for their business.
When talking about data, we are looking to find out what kinds of data they have, how much of that data they have, and how they protect it. Key types of data are Credit Cards, Debit Cards, Bank Account Numbers, Driver's Licenses, Social Security Numbers, Personal Health Information, Employee Information, as well as user names or email addresses where they are combined with a corresponding password. Keep in mind that if a client accepts credit cards and says they do not hold / process / store credit card numbers, or that they outsource this function, we still need to capture the number of credit card numbers they process per year, as that exposure still sits with the client regardless of outsourcing.
You will want to find out the amount of each type of data for rating purposes, and ask what kind of protections they have around the data. This could be encryption of laptops and smart phones, network monitoring systems, as well as names of vendors they use related to data. Often when a small business outsources to a 3rd party, there may be controls in place, like encryption, that the business does not know are in place.
The next step is asking for a copy of any contract they have in place with clients and/or consumers. Often that contract or terms of service will outline responsibilities and limitations of liability. You will also want any contracts with credit card processors, IT providers, cloud companies, and independent contractors, and a copy of the privacy policy from their website. Each contract will outline potential exposures that may have been overlooked. Many contracts with credit card processors and cloud storage providers limit any liability in the event of a breach, and legally it would be your client’s responsibility to notify affected individuals in the event of a breach.
Additionally, I would see if they are requiring third parties to carry cyber insurance and provide a copy of the policy for review. There is a wide range of coverage available, and you want to make sure the liability coverage triggers are adequate, as well as any relevant sub-limits. This is not a tick-the-box coverage, and there are many policies that have drastic coverage limitations.
Lastly, I would provide some feedback with benchmarking. There are a lot of tools out there where you can calculate the cost of a possible breach based on the type of data and amount of data. Just beware that there are many breach cost calculators out there that use out-of-date information in their cost estimates. With that data you can also let them know what other companies their size have purchased as far as limits, cost, and how some of their basic controls may compare.
This can be a very quick and basic conversation. With just a few answers from your client you can give them a good estimate of their exposure, feedback on what their peers are doing, and offer potential areas for them to focus on as far as improving their contracting process or contract language. As a reminder, many policies come with a robust set of risk management tools that can help a client navigate their way forward to improve their cyber risk management. It all starts from the first basic conversation.