Why aren’t more businesses buying cyber insurance?
Today we have with us our first guest, Mr Mark Robinson, who is the managing director of Henderson Insurance Brokers and also a specialist in cyber insurance. Mark works in Leeds in Harrogate and we’ve worked together on projects for several years. What’s really useful is getting that retail perspective on how people are getting on with cyber, what people are facing and your experience of what people can do to sell more really. So I guess we’ve got some changes coming from the privacy framework that we all speak about and that will be a big driver towards the end of this year, as people begin to move towards getting ready for that. I guess what’s also interesting is what you’re doing with your clients in order to get that on their radar really.
Mark: I think one of the issues that you’ve touched on there is the lack of sales of cyber liability. The first thing we, as retail brokers, have an exposure to is the errors of omission. This is an issue whereby we don’t discuss the issue of cyber with our clients and therefore it’s not on their radar at all. In the event of a cyber breach or a data loss, the first person they point the finger to is their insurance broker and obviously if we have failed to mention it, there is an error of omission there. Or linked with that is if we mis-sell a cyber insurance policy. So, if we don’t have a correct understanding of wording, in the terms of the cover and we mis-sell it to them, well that can be almost as bad as not selling them a cyber policy at all.
So one of the things I’ve been tasked with across the Henderson Group is to develop a cyber strategy. The number one key point for us is education, and I think that’s true across the entire cyber security sector.
So what does that look like? Do you mean internally with your account holders or with your clients?
Mark: It’s across the board, so the first thing we’re looking to do is to educate within our business. So this is account handlers, our account executives that are going out to meet with the clients. I can say this because I used to be one, account executives are very structured in what they do. So, they will have or they will go into a client meeting that we know- and they’ll know how it’s going to run. Because we will have gone through it in our heads several times. Rightly or wrongly, there are two types of meeting an account executive goes to, a renewal meeting or a new business meeting. In a renewal meeting, you want to get in and out as fast as you can with renewal instructions and try to avoid any questions that’ll throw you off track! A new business meeting is to get in and out as fast as you can and to hopefully strike a new deal with the business. What we avoid, is any difficult questions that we don’t know the answer to…
Just before you go there, I think what you’re saying is, that it’s likely that if the account executives feel comfortable about talking the digital risk and the various types of exposure, it won’t be missed.
Mark: Absolutely. So that’s where the education comes in, we need to make sure that our guys are educated enough to the extent where they can feel comfortable to go in and have that initial conversation about cyber insurance.
That’s where it starts that level of comfortability.
Mark: Absolutely. The issue is they’re frightened they’re going to be asked a question by the client and they don’t know the answer to that question and all of their credibility goes out of the window. So number one is the education piece, that’s a big part of it all. Once they understand the simple heads of cover and how it would be triggered that’s half the battle. Once our staff are educated, our staff can educate the clients. Another issue and again, an issue that is sector wide is the press reporting of UK cyber incidents. The UK press are getting better at reporting UK based cyber threats and breaches, but certainly you talk about two years ago, even just last year; if a client ever asked for an example of a claim, you ended up pointing them towards Uber’s claim or PlayStation’s claim, or something that’s happened in the US. That’s fantastic and frightening, but does that really relate to a manufacturing firm? Absolutely not.
I think that failure to resonate with the examples you’re giving to them, it doesn’t relate to them. As the consumer and purchaser, if they don’t feel that what you are offering them isn’t relevant to their business, you’re never going to sell it.
Mark: That’s it, it all comes down to the fact that as a sector, brokers and insurers as a sector aren’t making it easy for them to buy cyber insurance, because we aren’t making it very clear to them. We’re not making it clear to them what it is. It’s difficult to obtain, because of the amount of information that’s required…
Are you talking about the size of the application?
Mark: Yeah, exactly. We still, for whatever reason, pigeonhole businesses, i.e. a technology business, manufacturing business. In all honesty, is there such a thing as a technology business anymore? A standalone technology business, probably not. All businesses use technology now.
I think so, in some of the earlier videos, I’ve talked about businesses that have gone from non digital to digital enabled. I think you’re absolutely right, it’s very rare that businesses don’t do six or seven functions that have a digital risk attached to them and a cyber policy could help mitigate them against those activities. I think you’re absolutely right that the way that people are presenting the risk from a cyber liability approach, might be slightly misleading. It might be more effective for people watching this who are brokers, to perhaps look at profiling their activities. So looking at online banking, email, portable devices and helping account executives understand that, as opposed to going in with an eighteen page cyber application form and saying can you fill this out. Talking about cyber threats is a very ineffective way of selling the policy. If you’re talking about claims that aren’t relevant to them and talking about cyber liability threats that they don’t feel they have exposure to, you’re going to struggle to make a sale. Just going full circle in this, I guess what you’re trying to do at Henderson’s is to try to change the way your account handlers actually raise this issue. Through the educational activities that you’re doing, they’ll feel more comfortable in how to raise it and present it in a different way and the client has a better experience of learning about it.
Mark: It becomes an informed decision, rather than buying ‘this’ because it’s the new thing to buy.
You made a really good point that- So, I started in cyber and then transferred from technology to digital risk insurance about six years ago. Initially at that time, I was trying to sell policies, directly to the insured, it was insanely difficult because nothing was in the press. At the time, it was the FCA who were responsible with privacy and then the ICO formed. The Information Commissioner’s Office, you’re right, because you have to be registered with them and they do a lot about publication and notification, it really has gone from not being in the news to headline press. I think that’s really raised the awareness for the insured. They understand now that it’s a real threat. However, there still is that gap between value and what you’re putting onto the table. That’s got to be when the penny really drops.
We have got privacy law and regulatory framework coming out, which is going to make it more challenging and costly should a breach occur. I do really think there is a gap between the everyday business to which you would have thousands of within your organisation and the amount of people who buy cyber which is actually very small. You say the word ‘cyber’ to people and they believe that implies only if they rely very heavily on selling products online and if they’re not, then they don’t feel their digital risk exposure is a threat. One thing that we do a lot of here, is talk more about digital risk than we do cyber threats. I think that’s a really good tip to take away from this chat we’re having now. Try profiling your businesses and get your account executives to focus on the business’s individual threats.
Mark: I think the term cyber, as you mentioned, gets thrown around a lot, which puts a lot of people off when they don’t see themselves as a technology business. Generally, a cyber liability policy covers data, which extends to include paper records. Even so much as leaving a laptop on a train or in a taxi, or putting a file in the bin rather than confidential waste, is potentially a data breach.
Here’s the other massive point: most smaller and medium businesses will outsource these responsibilities. They use third parties to hold that data or store on a cloud and often even for the shredding of business documentation. So the risk is usually out of their hands, but it’s still a very real risk and they will be responsible if something happens. I think you’re right, understanding that is really important.
Going back to what we were saying about profiling, we’ve seen such an increase in social engineering and I imagine that you don’t have many clients who don’t use online banking or are exposed to malware or ransomware. All of those things are covered by a digital risk insurance policy, but again people are shying away from it because they don’t understand that they are exposed. I think that’s a really interesting piece where brokers can have more traction, by identifying, well do you have email? Yes? Then, these are the things you’re exposed to!