The Brokers’ Perspective: In full and uninterrupted

We are happy you’ve come to this page to find all of the brokers’ responses to the questions we asked for Advisen’s 2017 Cyber Guide: The Ultimate Guide to Cyber Service Providers.

It was very important for us to establish a home for all of these answers even though we were not able to entirely use them in the guide.

As a reminder, below is the list of brokers included. Answers in their full, mostly unedited glory follow. Enjoy.

 

Ben Beeson, Lockton

Brokers play a valuable role in connecting buyers and their needs with insurers. How can brokers encourage the growth and evolution of the market?

A broker’s role is not only to provide risk advice and facilitate insurance placement. Brokers are the market makers in emerging risk classes such as cyber where little or no actuarial data exists, and creative thinking is needed to develop innovative insurance solutions. Helping to accelerate the growth of the market, larger brokers have begun to invest in tools and technologies that will drive a greater understanding of both their own and outside parties’ datasets.

How much does a broker lend to the product offering of carriers? Are you regularly communicating market need/demand?

It is incumbent upon the broker to ensure that the market remains relevant to their clients’ needs. Typically brokers will seek to amend domestic carrier products as required, although in the London market brokers will sometimes go further and create and develop the product themselves.

What do you look for in a cyber service provider? Do you partner in any way with the infotech industry?

Fundamentally we look for partnerships that provide value to our clients in seeking to mitigate cyber risks. Ideally these relationships will also drive a better insurance outcome.

What do you make of the insurance industry’s start to offer solutions bundling insurance and infotech?

I believe that this is probably the way forwards that is needed to address the small business sector where investment in mitigation has been low. The insurance market is in a very strong position to incentivize stronger enterprise security as it has done historically in other risk classes.

What are your observations regarding the growth in the market over the last couple of years, and where do you see it headed?

Growth has no doubt been strong but steady, hampered somewhat by the insurance market’s risk aggregation concerns and an inability to accurately price risk. Knowing the emergence of certain technologies to address these concerns, as well as increased buyer awareness and demand for broader products to address IOT consequences for example, I do think growth will accelerate substantially over the next eighteen months.

In your experience what do clients benefit from the most among the services currently offered? The least? Is there something missing?

Depends on the size of the business. Smaller businesses, that might lack resources, have no doubt benefited greatly from turnkey products that provide both services and insurance. Larger firms however often have their own vendor relationships and the value is solely risk transfer from the balance sheet.

In your cyber practice are you beginning to offer, or look to offer, components such as insurance data & analytics consultation?

Yes absolutely. However, this is at its early stages and more work must be done to link data analytics technologies with insurance outcome for buyers to really understand the value.

Cyber coverage requires a high level of expertise. What advice would you give to buyers about selecting the right broker to guide them through the process of evaluating policy language and assessing risk?

Many brokers tend to want to focus on understanding insurance products but very few actually understand the risk context. A good way to try to evaluate a broker is to focus on their process and how that addresses risk identification and quantification regardless of insurance placement.

 

Adam Cottini, Arthur J. Gallagher

Brokers play a valuable role in connecting buyers and their needs with insurers. How can brokers encourage the growth and evolution of the market?

As a consultative cyber broker, Arthur J. Gallagher & Co. has the expertise, experience and analytical tools that can encourage thoughtful growth and evolution in an ever-changing cyber risk environment. Communication, collaboration, and a clear direction encourage growth by emphasizing intelligent and thought provoking dialogue and analysis. After a complete evaluation of an organization’s cyber risk exposure, priorities must be set, followed by a strategy to implement changes and supported by appropriate documentation. Further, a commitment to on-going monitoring and periodic re-evaluation is essential.

This process will be driven by analytics and trend analysis, along with gap analysis studies focused on isolating known deficiencies in insurance programs and isolating new exposures as they become apparent. Cyber brokers will continue to evolve as consultative and holistic cyber problem solvers, including providing impactful preventative solutions through strategic partnerships. Brokers will help to drive insurance carriers to offer even more innovative products designed to evolve with the changing technological environment.

How much does a broker lend to the product offering of carriers?

As a consultative cyber broker, Gallagher is focused on understanding our insureds’ unique exposures and identifying a slate of solutions across the cyber risk spectrum. Starting with preventative solutions, Gallagher seeks risk management solutions from insurance markets to assist our clients with proactively managing cyber risk. However, Gallagher also partners with cyber risk service providers to offer additional preventative cyber risk solutions so that our clients have the depth of accessibility needed to effectively approach preventative cyber risk management. As a consultative broker, we communicate our clients’ needs to markets and we also communicate to our clients about the complexities and challenges of a fluid marketplace. We seek to influence changes in the cyber insurance market using data analytics, thought provoking analysis, and claims trends that ultimately will allow us to offer the best possible cyber insurance and cyber risk management products and services.

What do you look for in a cyber service provider? Do you partner in any way with the infotech industry?

Information Security providers are a valuable part of a holistic solution to cyber risk. Our consultative approach to cyber risk includes a vast array of partnerships with information security providers as well as other critical service providers. We partner with providers to offer preventative services such as IT healthchecks, vendor contract management, vendor vetting/tracking, and incident response planning. We seek to partner with highly respected and sought after preventative providers and response firms serving the cyber insurance market. Our clients have access to providers representing multiple disciplines such as:

| Preventive | Response |
| --- | --- |
| Network Assessments | Breach Legal Advisory |
| Incident Response Planning / Business Continuity Planning | Forensic Investigations |
| Compliance Readiness (emphasizing Vendor Contract Management and Vendor Management) | Notification / Credit & ID Monitoring |
| Technology Solutions | Public Relations / Crisis Management |
| Training and Employee Awareness (emphasizing Social Engineering) | Legal Defense |

What do you make of the insurance industry’s start to offer solutions bundling insurance and infotech?

Bundling preventative services with insurance solutions is without a doubt growing in importance. The insurance carriers are viewed as leaders in offering solutions that their insureds can use to mitigate cyber risk. The insurance carriers will equally benefit by encouraging deployment of cyber risk prevention. It is important, however, to realize the breadth of cyber risk expands well beyond insurance. There still are challenges that the insurance market will encounter trying to accommodate all insureds, who have varying degrees of information technology needs and aptitude.

What are your observations regarding the growth in the market over the last couple of years, and where do you see it headed?

The growth in the cyber insurance market is clearly on the rise with brokers and markets across the board adding staff to manage client demand for cyber insurance and risk management solutions. Growth estimates by various outside sources indicate a robust cyber insurance market exceeding $8B in Gross Written Premium in just a few years. Much of the growth will encompass new exposures that may not be contemplated in the more commonly purchased “traditional” cyber insurance products on the market today. There will be a need to integrate new and evolving risks with consequences that are not fully contemplated in the “traditional” cyber insurance policy. These consequences will include physical injury and property damage as a result of a cyber event.

In your experience what do clients benefit from the most among the services currently offered? The least? Is there something missing?

The most sought after policy feature of a cyber insurance policy is the Data Breach Response coverage and the valuable services surrounding a prudent, sophisticated and professional breach response. Included in this insurance coverage are response costs provided by highly qualified breach service providers including Breach Legal Advisory, Forensic Investigators, Notification Services, Credit & ID Monitoring, Public Relations / Crisis Management.

Most clients appreciate the preventative services offered by many insurance companies; however, these services tend to be underutilized. Often the reason for underutilization focuses on skepticism surrounding the breadth of service provided or the intrusive nature of a service offered by the insurance company.

This is an area where a consultative insurance broker can offer value to a client either through better communication or management of the insurance company service, or integration of a broker service to either complement the carrier offering or to be used as an alternative.

In your cyber practice are you beginning to offer, or looking to offer, components such as insurance data & analytics consultation?

The Gallagher Cyber Liability practice has developed proprietary risk analytics focused on source, quantity and quality of data to assess or estimate risk. The high-quality data that we have compiled is impactful, relevant and allows Gallagher to offer a sophisticated tool for assessing cyber risk. As an ever-changing area of exposure, cyber risk modeling is a key indicator of risk and augments analytics previously based purely on peer purchasing patterns.

Cyber coverage requires a high level of expertise. What advice would you give to buyers about selecting the right broker to guide them through the process of evaluating policy language and assessing risk?

It is important that clients choose a consultative cyber insurance broker that has a philosophy of focusing on cyber risk management advisory and robust insurance solutions. As part of their brokerage services, clients should expect access to risk management tools and resources to navigate the ever-changing landscape of cyber risk. Thought leadership is of the utmost importance. A broker who can assist in a holistic review of cyber risk will better position clients to be prepared for a cyber event. As part of a broker engagement, a consultative broker should offer a due diligence process designed to bring together all relevant functional areas within an organization to assess cyber risk preparedness. We believe that a simple framework utilizing a thought provoking checklist will encourage organizational communication, establish clear direction, and highlight key priorities.

In addition, implementing a cyber insurance policy requires an appreciation of the breadth of policy language. It is important that organizations review their cyber policy and make sure that they understand exclusions (especially bodily injury and property damage) but also follow the conditions of the policy to maximize recovery and avoid missteps, particularly at the time of a breach. To handle a breach most effectively, the following prudent response steps should be considered:

 

 

Anthony V Dagostino, Willis Towers Watson

Brokers play a valuable role in connecting buyers and their needs with insurers. How can brokers encourage the growth and evolution of the market?

It is imperative that brokers understand industry differentiation, connectivity between the evolving threat landscape (particularly as respects the human element), the insurance marketplace and the maturity level of a client’s approach to cyber risk management. Buyers understand insurance is a great risk transfer vehicle and coverage needs are changing as organizations increasingly rely upon a connected world. Brokers need to innovate and be facilitators between market supply and client demand. Also, there is still a massive population of companies that do not buy cyber insurance. As such, continued education around risks and coverage as companies increase in size and sophistication is crucial.

How much does a broker lend to the product offering of carriers? (Are you regularly communicating market need/demand?)

We pride ourselves in constant mutual communication with markets. The two-way sharing of trends and demand is critical to help evolve the market, drive innovation, and meet the needs of our clients.

What do you look for in a cyber-service provider? Do you partner in any way with the infotech industry?

Part of Willis Towers Watson’s approach is to tailor and customize solutions for our clients based on their specific exposures. As such, experience, credibility, breadth of resource, and adaptability are key when we are looking for cyber service partnerships because this allows us to deliver superior solutions to clients. To this end, we currently utilize a number of technology partners across the globe. Because the threat landscape is ever-evolving and our clients are in different stages of their cyber risk management strategy, we are continuously exploring and expanding our partnerships, as well as offerings to clients.

What do you make of the insurance industry’s start to offer solutions bundling insurance and infotech?

Cyber insurance has evolved greatly over time so as coverage expands to address different risks, bundled services can help clients mitigate and respond to these risks effectively if done right. A lot has been done in the incident response space but there is still progress to be made in the industry as respects solutions for cyber-related perils.

What are your observations regarding the growth in the market over the last couple of years, and where do you see it headed?

The growth over the last few years has been astonishing and it’s exciting to see the different buy cycles evolve based on a client’s current posture. A lot of different numbers around global premium growth are in the media but we can be sure that this trend will continue as regulation, contractual requirements, and coverage solutions continue to evolve.

In your experience what do clients benefit from the most among the services currently offered? The least? Is there something missing?

Aside from having the right coverage, on the incident side, organizations, apart from the large global companies, benefit most from experienced legal counsel consultation and effective forensics appropriate for the type of incident. As noted above, services tend to be lacking outside the data incident peril. So, the most beneficial aspect for clients would be the experience of privacy counsel in dealing with regulators – because these attorneys spend day in and day out working with state AGs, OCR, etc., they know exactly what those regulators are looking for in terms of a response, what will be put under the microscope in terms of what led to the breach to begin with, and it adds a larger degree of credibility to the overall investigation in the eyes of those regulators.

In your cyber practice are you beginning to offer, or look to offer, components such as insurance data & analytics consultation?

Analytics are central to Willis Towers Watson’s solutions offerings. Therefore, the natural progression of our models is around the quality and sources of data. We constantly look to refine our models and sources to address clients’ needs. A perfect example is the 2016 release of the income loss modeling capability of our proprietary Cyber Quantified model.

Cyber coverage requires a high level of expertise. What advice would you give to buyers about selecting the right broker to guide them through the process of evaluating policy language and assessing risk?

Buyers, regardless of their organization’s size, should look for a broker with true global presence and an experienced risk advisory team dedicated to the space. Resources with in-depth knowledge of coverage options (that span across products such as property, Kidnap & Ransom, products liability), benchmarking, analytics, claims advocacy, and solutions outside of insurance, such as tools to address human behavior risk, are critical as this landscape continues to change.

 

Shannon Groeber, JLT Specialty

Brokers play a valuable role in connecting buyers and their needs with insurers. How can brokers encourage the growth and evolution of the market?

At JLT, we view ourselves as the representative and advocate for buyers, and understand that it is crucial to properly communicate the goals and objectives of the specific buyer to all markets that intend to participate in the evolution of the cyber market. There’s a significant subset of the buying community whose risk financing goals wouldn’t be properly addressed with off-the-shelf forms without negotiation. We play a critical role in advocating for the goals and objectives of our buyers, and challenging the carriers to continue to evolve. There’s also a fair amount of conceptual ideas that are created in a vacuum, without any demand to match. While they may indirectly benefit the product and the community of buyers, it can also distract from the demand from buyers for other enhancements that will be truly meaningful or that will provide the momentum to propel the product forward.

How much does a broker lend to the product offering of carriers? Are you regularly communicating market need/demand?

At JLT, we believe that an effective program is one that matches a buyer’s goals and needs with a carrier that has the flexibility and understanding of how to respond to those goals and needs. The brokers at JLT are constantly challenging underwriters to think about coverage in a different way, either based on the explicit goals of our clients, or based on our vast experience with policy language and claims response.

What do you look for in a cyber service provider? Do you partner in any way with the infotech industry?

The meaningful qualities fall into similar categories that we use to evaluate carriers, and that buyers should use to evaluate brokers: experience/expertise, positive client referrals, consistent output/deliverables, partnership approach. JLT has created our Cyber Consortium to capitalize on service providers for thought leadership and innovative solutions.

What do you make of the insurance industry’s start to offer solutions bundling insurance and infotech?

On paper, it makes sense and should improve a buyer’s risk profile. The number of cyber security and related providers has grown exponentially, as have their solutions. Vetting and recommending providers that exceed a buyer’s expectations on a consistent basis can be a full time job in itself, and it is yet to be seen how dramatically the use of any particular solution improves the buyer’s profile or reduces the cost of a future breach. It can also be nearly impossible for buyers to take advantage of the myriad service offerings that may lead to complete avoidance of a cyber event.

What are your observations regarding the growth in the market over the last couple of years, and where do you see it headed?

The growth over the last couple of years is consistent with our expectations when this product was first introduced and began to gain traction and value. As long as brokers can continue to find solutions to match buyers’ goals and as long as carriers continue to respond to buyer demand, the growth should continue to match or exceed forecast over the next several years.

In your experience what do clients benefit from the most among the services currently offered? The least? Is there something missing?

From a general perspective, the most valuable solution is education, which can be offered from a broad group of service providers. While not invaluable, many of the recent solutions that have emerged may be valuable for only a small subset of buyers or aren’t as meaningful when scaled to reach a broader audience.

In your cyber practice are you beginning to offer, or look to offer, components such as insurance data & analytics consultation?

JLT recognized the importance of forward-looking analytics and has been offering our proprietary Cyber Cost and Volatility Analysis Model as an embedded part of our brokerage service for nearly the last year. Our model offers a different way to answer the question of how to most efficiently finance cyber risk in light of a buyer’s unique exposures and risk retention appetite.

Cyber coverage requires a high level of expertise. What advice would you give to buyers about selecting the right broker to guide them through the process of evaluating policy language and assessing risk?

Sometimes the best way to identify whether you’re with the right broker is by identifying when you aren’t – if your broker isn’t leading a methodical process or conversation that helps evaluate and assess your risk before approaching the market, that should be a red flag that they are transacting a placement without foundational support. It’s quite likely that your needs will not be met if there’s no detailed discussion about your risk. At JLT we recognize that.

 

Vince Josaphs, INSUREtrust

Brokers play a valuable role in connecting buyers and their needs with insurers. How can brokers encourage the growth and evolution of the market? How much does a broker lend to the product offering of carriers? (Are you regularly communicating market need/demand?)

First, hats off to the carriers who innovate and lead to create a better consumer product. We’re continuously impressed by the creativity of the carriers’ product managers and underwriters to add and expand coverage. A market leader finds a pain point in the marketplace, whether it be an existing coverage gap, changes in the regulatory or legal landscape, or the emergence of a new threat, and they provide a unique product offering to address it. Markets who are not trailblazing per se may in time replicate, but more effectively, expand and broaden.

This is where brokerage can really play a part in driving a more competitive marketplace to the benefit of the consumer. We’ve historically been very involved in the feedback process when our carriers have rewritten their forms, sought to expand coverage, or tweaked their rating models. Brokers, particularly specialty shops, are in the unique position to holistically see exactly what factors drive buyer decisions, and how it varies by industry vertical and size. It’s easy for the markets to analyze their own successes, but to understand the areas where they’re not winning they’ll look outside of their own book and seek feedback from their trading partners. Of course some new coverages don’t make their intended impact. The time and resources deployed to products that miss the mark usually could have been saved had the carrier sought more input from the client-facing side of the industry.

Brokerages that specialize in cyber liability have their finger on the pulse of the market and can provide relevant feedback pertaining to new coverages and market conditions, as opposed to the vacuous feedback carriers have been hearing from brokerage for years, “cheaper and broader”.

What do you make of the insurance industry’s start to offer solutions bundling insurance and infotech?

In its simplest form, of course it’s valuable to offer both risk transfer (insurance) and risk mitigation (IT / security / breach prevention services) to your customer. Loss control services for instance, whether provided by brokerage or carrier, have always played a huge role in risk reduction for other lines, workers compensation for instance. It only makes sense that cyber insurance would follow suit. The industry in many cases however, has struggled with the execution thereof.

Today, almost all of the key cyber players have offered some form of value-added loss control services. Some are passive yet very effective, for instance, content driven services such as access to privacy policies, social media guidelines, and breach response plan templates.

Others offer outside breach prevention vendors with whom the carriers have contracted. Unfortunately, in some cases the vendors are aggressively upselling the policyholder. It’s tantamount to the ‘free brake inspection’ that ends with a $5000 service bill.

In most cases, the policyholder can opt-in on their own accord after binding, but there have also been examples of loss control models whereby the vendors follow up with the placing broker asking for contact information of the policyholder’s risk manager so they may give them the necessary login information to sign up. There was even a market that for a short while demanded this information as a binding subjectivity requirement. Both can be perceived as a lead generation tactic, whether the case or not. Ironically, in these cases the carrier achieves the opposite of the intended result, which is reluctance for the broker to recommend or approach them in the marketplace.

Don’t get me wrong, the gratis risk mitigation offerings are immensely valuable (free pen-testing for instance), and the brokerage team should strongly tout the value therein. Many markets though, have not seen clear and measurable returns on their pre-paid investment in said value-added services. For most, take-up rates are far from the budgeted projections.

There’s an understandable reluctance however for a policyholder, after binding a policy, to sign up for a voluntary free service that they feel could potentially expose network vulnerabilities and negatively affect their premium or void their coverage. Whether or not some inherent consumer distrust is warranted based on historical industry practices in other lines of business, without clear incentive it can feel as if there’s only downside, and once exposed it’s difficult to get the toothpaste back in the tube.

While it sounds easy on paper to tightly intertwine breach prevention and cyber insurance, to understand we really need to realize that while tangentially related, these are two distinct offerings, each of which has its own sales cycle, and not necessarily on the same congruent timeline. Both are very valuable products to offer to the customer, and I’m sure we’ll see more of it offered by the insurance industry, but they should each be handled on their respective merits.

For the past two decades, we’ve received the following call 3 times a week from hundreds of IT security companies. They all have the same grand plan and their pitch usually goes something like this:

Send us all of your customers. We’ll make them a better risk and all of your carriers will give them discounted premiums. Please do all the heavy lifting. You need us. Aggregation? Never heard of it.

I wonder if property insurance brokers get these calls from fire extinguisher salesmen?

What do you look for in a cyber service provider? Do you partner in any way with the infotech industry?

We look for providers with a historically proven track record within their respective specialty, the ability to quickly adapt to new threats, and a suite of services commensurate with the size and shape of the customer. While that sounds like typical blocking and tackling, the rapid growth of players in the managed security industry in recent years has, in part, led to a model where their time is best spent chasing larger clients. As such, we partner with firms that can meet the needs of underserviced segments of the marketplace, often SME, by offering products and pricing commensurate with their size and shape. ‘Human Firewall’ training, for example, is a service that has made an effective and immediate privacy risk mitigation impact with our SME customers, for whom their own employees are often their biggest vulnerability. SMEs may not have access to the most expensive and sophisticated network security available, but they can really move the loss control needle forward with something as simple as providing their employees (and high level executives) with interactive training modules, policies, and procedures… hopefully helping Diane in accounting to think twice before clicking on that email with the funny cat video/ransomware.

What are your observations regarding the growth in the market over the last couple of years, and where do you see it headed?

For other insurance lines, the markets have decades upon decades of actuarial data to drive their rates and appetite, coupled with competitive market forces, and variable x factors such as changes to the legal and regulatory landscape.

For cyber, actuarial data is slim in comparison, 20 years at most, and the hazards today have little in common with those of 10 years ago. With regards to market competition, it feels lately as if for every new carrier that enters the cyber market, two existing carriers merge. It also doesn’t help that no two policies look the same. As far as variable x factors are concerned, this space is as volatile as it gets. Tomorrow some new scary cyber attack or legislative change could materially impact the entire industry. That’s the non-answer for ‘who knows’.

Here’s what we do know. We’re beginning to see faint lines drawn in the sand that will ultimately separate sustainable cyber markets from the get in/get out smash n’ grabs. A reputation for poor claim handling will still sink a carrier in a very competitive marketplace. A carrier may tout to offer the broadest coverage at lowest premium, but the rubber really meets the road when the policyholder has a breach and is in crisis. In a market growing this quickly, carriers who leave an insured hung out to dry will likely be afforded few second chances from their brokers.

In your cyber practice are you beginning to offer, or look to offer, components such as insurance data & analytics consultation?

We’ve been a cyber and technology insurance specialty wholesaler for 20 years and as such have built an extensive sample set of data. The best use of our metrics however, is to provide added benefit to our customers and policyholders. Whether it be used for limit profile benchmarking, claim data, rate trends, etc., the goal is always to help educate our policyholders to ensure the most appropriate and sustainable placement.

Organizations can spend a lot of time and money looking backward at their own data analytics, or external ‘big data’ sources, hoping therein lie the magic keys to unlock some game-changing secret sauce. We find it best to use our data to help our customers move forward, with the assurance that they bought the right policy.

Cyber coverage requires a high level of expertise. What advice would you give to buyers about selecting the right broker to guide them through the process of evaluating policy language and assessing risk?

Cyber insurance is a complex product with radical variance in coverage from market to market. There’s tremendous risk to the agent for an uncovered limit loss due to improper placement. Unfortunately, in many cases, there’s still a very blasé attitude as to how it’s placed. It’s in no way standardized, yet often treated like a standard line. As a result, agents are losing their flagship client portfolios as a result of placing an inadequate, ‘off the shelf’ cyber policy without clear understanding of the coverage therein, or the market options available.

The advice I’d give to a buyer that already carries cyber is to first ask themselves if they were part of the process when it was placed, or was it a ‘throw-in’. Were their specific exposures discussed in detail at the time of placement? Were multiple carrier options presented? They should know exactly what they bought and why.

For the new buyer, in addition to the above, can the agent confidently explain their cyber policy in detail, whether new or in-force, and specifically how the suite of coverages applies to their specific exposures?

To be very clear, it’s completely understandable if they can’t. To know all of the many nuances of 40+ carriers’ policies, coverages, sublimits, claim handling culture, and underwriting sensibilities, as well as the almost daily changes in cyber threats, new exposures, evolving coverages, market exits, historic cycles, and regulatory and legal landscape would be a full-time job. That said, the agent should then be bringing in a specialist for whom it is a full-time job.

 

Christopher Keegan, Beecher Carlson

Brokers play a valuable role in connecting buyers and their needs with insurers. How can brokers encourage the growth and evolution of the market?

Educating buyers as to what the risk is and how it may develop in the future has been critical in having cyber buyers understand the risk and be willing to purchase cyber insurance. Creating tools to evaluate and measure for each company is critical.

How much does a broker lend to the product offering of carriers? Are you regularly communicating market need/demand?

We are partners with the underwriting community. We often get asked about products in the development phase and what would differentiate cyber products in the market and where there are gaps in coverage that are key to markets. Expanding coverage by asking for extensions of cover on a one-off basis often turns into an innovation that becomes mainstream. This happens a lot.

What do you look for in a cyber service provider? Do you partner in any way with the infotech industry?

We do partner with the InfoTech industry. For breach vendors we are looking to partner with the firms we think are the best at what they do in order to bring value to our clients and lower the cost of response and reputational damage to our clients. For pre breach, we are looking for services that can sit alongside an insurance product and be easily provided to IT through a treasury or risk management channel. We think they have to be priced appropriately or be complimentary in order to be effective and be types of services that SME companies may not have access to.

What do you make of the insurance industry’s start to offer solutions bundling insurance and infotech?

The idea makes more sense for the SME market than for larger companies that have their own relationships with IT Security vendors. Insurers and brokers get to see a lot of services and there is limited information on the effectiveness of certain services. There is room for a consultative role.

What are your observations regarding the growth in the market over the last couple of years, and where do you see it headed?

Growth has been robust and will continue as more companies identify risks which are not only privacy related.

In your experience what do clients benefit from the most among the services currently offered? The least? Is there something missing?

Breach response training and breach response are the most valuable. IT services that companies are usually already buying such as virus protection are usually not helpful. Some of the new big data tools might be something that might help that is not being offered.

In your cyber practice are you beginning to offer, or look to offer, components such as insurance data & analytics consultation?

Yes. We have been providing analysts for a while and will continue to develop analytics tools. We believe that these services should be kept at a high level in order to keep the insurance decision as part of the process, but keep it high level rather than large consulting projects.

Cyber coverage requires a high level of expertise. What advice would you give to buyers about selecting the right broker to guide them through the process of evaluating policy language and assessing risk?

There are slightly different skills for different size clients. Smaller clients are going to be more transactional and want a broker who has access to a number of carriers where they have negotiated a broad policy and are not getting the off the shelf coverage. For larger clients, depth of experience, ability to provide advice on program gaps across entire programs, analytics which can be customized to specific industries and companies, broad knowledge of what is available from the entire marketplace and an ability to negotiate price and coverage is key.

 

Bob Parisi, Marsh

Brokers play a valuable role in connecting buyers and their needs with insurers. How can brokers encourage the growth and evolution of the market?

This is not as simple as it sounds. That being said, a simple answer is that the broker should be clearly articulating to its clients that cyber risks are risks that need to be managed, they are not a problem that the client can spend its way out of by purchasing more technology.

Cyber risks exist along a spectrum, and companies use people, processes, and technology to manage those risks. But at some point, additional technology, people, or processes no longer have a positive impact and may actually add to the risk. It is at that point, where risk transfer plays its role. By helping clients understand the role that insurance can play in managing the residual cyber risks, the broker creates a potential buyer of cyber insurance.

So while brokers can encourage growth by creating demand, it is only half the equation. Demand has to be met by supply — a product that adequately addresses the needs of the buyer.

The broker needs to be pushing the market to respond to these needs and not simply slapping a cyber label on policy and assuming that one-size-fits-all. By clearly articulating the demand, brokers can assist the market in developing products that respond — be it more fulsome event response coverage or broader business interruption coverage from cyber perils like the failure of a company’s supply chain.

But simply identifying a demand doesn’t always mean that a supply can be found. Brokers need to assist carriers in better understanding cyber risks.

Brokers also can enable growth in the market by helping carriers streamline the underwriting process. Cyber carriers lack the actuarial data that their P&C brethren rely upon in their decision making. As such, the underwriting process for a cyber placement is often seen as burdensome and convoluted. By working with carriers to identify the information needed to a consistent set of questions on critical issues — filtering out questions that provide no real insight — the broker is better able to prepare its client for approaching the carrier and the carrier is better able to evaluate the underwriting risk of a particular applicant.

How much does a broker lend to the product offering of carriers? Are you regularly communicating market need/demand?

Brokers are the voice of the client to the cyber market. We hear what the client is asking for. Our job is to communicate that clearly to the carriers.

What do you look for in a cyber service provider? Do you partner in any way with the infotech industry?

The InfoTech and cyber arena is rife with “3 guys in a garage” all claiming to have been the head of some government or law enforcement agency’s cyber unit. As such, a number of considerations must be considered before recommending or collaborating with a cyber/InfoTech vendor.

First, does their product or service address a problem or need of my client?

Second, does the vendor have the necessary credentials/expertise?

Third, is the vendor financially stable and able to deliver the product consistently, with the ability to meet expected demand?

Marsh has collaborated with several best-in-class-vendors, particularly in areas where we can help clients better understand their cyber risk.

What if the insurance industry starts to offer solutions bundling insurance and infotech?

We would welcome any development that enables our clients to access broader, more robust cyber coverage.

What are your observations regarding the growth in the market over the last couple of years, and where do you see it headed?

The growth has historically come in spurts, although for the past several years, we have seen sustained growth. Typically, the growth has been driven by some event or circumstance. The last few years have seen growth driven by data breaches and privacy regulations. The next round of growth is likely to come from the client’s recognition that they have a much broader cyber risk — one that touches the very core of how they do business. So we see the demand and growth coming from the need to provide broad business interruption cover triggered by a cyber event, including true contingent business interruption and not merely the Outsourced IT service provider extension that is currently offered by cyber carriers. We also see the demand and growth coming from the new perils and risk associated with the Internet of Things.

In your experience what do clients benefit from the most among the services currently offered? The least? Is there something missing?

Service benefits vary greatly depending on the client — how they are organized, their size, what industry they operate in etc… In the SME space, for example, clients benefit greatly from the event or breach response services that come with a cyber policy. Larger clients, especially in the B2B space, have benefitted from the expanded business interruption trigger of system failure.

In your cyber practice are you beginning to offer, or look to offer, components such as insurance data & analytics consultation?

Marsh has rolled out a suite of products and tools that assist clients in assessing, quantifying, and modeling cyber risk.

For example, we have developed a proprietary information security self-assessment that evaluates the relative maturity of a client’s information security policies and protocols. This assessment has been socialized within the cyber market as an acceptable alternative to the carriers’ cyber insurance applications.

We have collaborated with a risk analytics firm to create a threat and vulnerability model that allows a client to benchmark itself against its peers.

Marsh also offers a detailed coverage gap analysis that can identify a client’s key cyber risks and where its current insurance portfolio does or does not respond.

In addition, Marsh provides financial loss modeling on privacy and data breach scenarios as well as business interruption scenarios, which gives clients more information in which to make better risk transfer decisions.

Cyber coverage requires a high level of expertise. What advice would you give to buyers about selecting the right broker to guide them through the process of evaluating policy language and assessing risk?

A cyber broker’s role is a bit different than a broker in more traditional lines of coverage. The cyber broker is often called upon to assist a client in identifying its cyber risk. This “identification” process can take several forms along a spectrum from being deeply engaged in the client’s examination of its risks to simply assisting in filling out an application for insurance.

In those instances where the broker’s engagement is significant, a substantial amount of time and effort is spent assisting the client in better understanding its risk. This process often entails working with the client to conduct an assessment of the entity’s controls and protocols – often first working with the risk manager in identifying the right stakeholders within the entity, including colleagues in IT, information security, physical security, procurement, compliance and legal, not to mention treasury and finance.

As a result, clients should look for a broker that has made a serious commitment to its cyber risk practice. Clients should expect a mix of not just seasoned insurance professionals but also advisors with underwriting, legal, technology, and industry-specific expertise. Clients should look to whether the broker has invested in both the sales and claims advocacy areas — it’s one thing to get a ‘good’ deal when you purchase coverage, but that deal is only truly a deal if the policy responds when it’s needed.

Clients should expect their cyber broker to be able to assist not just in the negotiation and placement of a policy, but perhaps more importantly, in the identifying, assessing, and quantifying of their cyber risk.

 

Meredith Schnur, Wells Fargo

How much does a broker lend to the product offering of carriers? (Are you regularly communicating market need/demand?)

The broker plays a major role of both communicating the different product offerings and market approaches to their clients and the other way around, presenting our clients to the cyber market. Product and service offerings vary and it’s not a one size fits all solution. An educated broker needs to know their client well enough to understand which markets would be the best fit. It is such a crucial role. The carriers need to answer to evolving exposures faced by our clients, and it’s our role to seek amendments, enhancements and updates to current cyber policies in order to ensure current and future privacy and network risk exposures are covered.

What do you look for in a cyber service provider? Do you partner in any way with the infotech industry?

Wells Fargo Insurance has collaborated with several experienced service providers to provide value-added services to our clients. These services include assessments, incident response plan review, facilitating of tabletop exercises, phishing exercises and general consulting on all things related to cyber risk. Our approach to vetting vendors is a stringent one as our reputation is on the line when referring our clients to vendor partners. Does the vendor have the product or service to fit our client’s need? Does that vendor have the necessary experience level? Does the vendor have a good reputation in the market? These are all questions we ask ourselves prior to connecting any vendor with our client. We do not like to be the guinea pigs – a long track record and stability is what we are looking for in our vendor partners.

What do you make of the insurance industry’s start to offer solutions bundling insurance and infotech?

For the small business sector, I think this is an absolute necessity. We would advocate the offering of any value-added solution to clients in this segment to assist in risk mitigation and ultimately reduce the financial loss incurred as a result of a breach.

What are your observations regarding the growth in the market over the last couple of years, and where do you see it headed?

We have witnessed consistent growth over the past few years, mostly driven by highly publicized data breaches and over this past year, ransomware attacks. We spend most of our time educating our clients on specific exposures they face to privacy and network risk, and also discussing the future of cyber risk. Companies of all sizes are now well aware that cyber risk exists, and that they need to contemplate a risk transfer product in the event of an incident. In the future, the discussions will turn from recognition to truly understanding the entirety of their risk profile and how their insurance program as a whole can answer, including elements of business interruption, bodily injury, property damage, contingent business interruption and system failure.

In your experience what do clients benefit from the most among the services currently offered? The least? Is there something missing?

In the small business segment where resources are not as robust, clients are taking advantage of technologies, level 1 assessments and the crafting of incident response plans. In the larger business segment, tabletop exercises, communication plan simulations and incident response plan review are the most popular. The carriers that offer these services at no additional cost to the client are absolutely those viewed as solid insurance partners. We would like to see more of that. We have seen clients pay for these services as well, with the assistance of reduced rates offered by the carriers. In the pure technology offering space, I still think there is a long way to go – communication between information security and risk management has come a long way, but there is a wall up between the two. Until those two worlds have to collide, it’s difficult to sell or push any use of technology through the risk management chain.

In your cyber practice are you beginning to offer, or look to offer, components such as insurance data & analytics consultation?

Yes – we currently offer our clients an abundance of resources and information pertaining to privacy and network security risk. Some of these resources include breach expense calculations, including potential business interruption loss, coverage gap analysis and resources for employee training and spear-phishing exercises. When providing a coverage gap analysis, we consult and provide insight on possible overlaps and gaps in a client’s overall insurance program. As other lines of coverage begin to offer more robust cyber related coverage, it is imperative to keep reviewing this on a consistent basis.

Cyber coverage requires a high level of expertise. What advice would you give to buyers about selecting the right broker to guide them through the process of evaluating policy language and assessing risk?

Buyers should focus on brokers who have shown a consistent commitment to a dedicated cyber practice within their organizations. Broker teams need to evolve as fast as the changes in the cyber risk environment, and it’s important for that broker to stay educated on all topics in order to parlay that information to clients. Being able to assist clients with identifying their risks in this area is key – and the first step. Securing a robust insurance policy that will answer to exactly what is expected, is the next step and the main role of the broker. The devil is in the details and if a broker is accepting the policy as is, there will be vulnerabilities and gaps in coverage. Lastly, and not least, it’s important for your broker partner to be able to provide pre-breach and post breach advice and consulting. Our main role is to make sure the insurers are noticed, updated and the policy responds as intended. Just as important is our ability to round up a breach response team for our clients when and if that incident occurs, regardless of what day or time it is. Making sure that process goes smoothly and in accordance with how pre-breach plans have been laid out, will make all the difference.

 

Spencer Timmel, Hylant

Brokers play a valuable role in connecting buyers and their needs with insurers. How can brokers encourage the growth and evolution of the market?

Buyers need to focus on what drives revenue, profitability and shareholder value for their organization. As such, brokers play a valuable role as conduits of change by advancing countless buyers’ real needs to the market via a unified voice. The market will only be successful and sustainable if the needs of the buyer are pushed upstream to the underwriting community. The growth and evolution of the market for Cyber will be influenced by the effectiveness of both education and awareness at the broker level and developing value added services beyond just broking a policy.

How much does a broker lend to the product offering of carriers? Are you regularly communicating market need/demand?

Hylant’s cyber risk team communicates market demands to the market on a daily and individual account basis. The demands of clients continually shift so effective communication with underwriters is critical to matching up the right product with the right customer. At Hylant, we pride ourselves on individualized placements that meet the unique needs of our customers.

What do you look for in a cyber-service provider? Do you partner in any way with the infotech industry?

Our cyber-service providers must provide real individualized value, availability and commitment to a long term relationship. Yes. The partnerships we have formed are meant to provide our customers with a more efficient and comprehensive approach to loss prevention, loss mitigation and claims management.

What do you make of the insurance industry’s start to offer solutions bundling insurance and infotech?

The blending of Infotech services as part of the insurance has been an expected progression, as more traditional lines of insurance regularly offer services for an insured to improve their risk profile. The challenge in cyber will be adoption and can we increase the percentage of insureds that actually utilize the offerings. Organizations that have advance collaboration between the risk management and IT security teams will implement and benefit most from these Infotech services.

What are your observations regarding the growth in the market over the last couple of years, and where do you see it headed?

The challenges will be many and the growth opportunities are significant. Specific to data privacy coverage, growth in the US domestic market will remain strong, while markets with international capabilities will invest to catch the next waves advancing global privacy laws. I expect exponential growth tied to system interruption and BI/PD caused by cyber security events.

In your experience what do clients benefit from the most among the services currently offered? The least? Is there something missing?

Currently, one of the large benefits of Cyber risk is the education of business owners, boards and Executive level management to help better identify their risk, detect an issue sooner and respond in a more efficient and cost effective manner. What’s missing is a compass to guide customers to the right solutions for their individual risks and navigating through the numerous Infotech service providers that have flooded the market.

In your cyber practice are you beginning to offer, or look to offer, components such as insurance data & analytics consultation?

While sometimes it proves to be challenging because of the ever-changing threat landscape and the difficulty to predict individual frequency, data analytics is a key component of our ability to provide cyber risk offerings. These tools allow an insured to pull the decision making process down from the clouds and to develop a well thought out actionable plan.

Cyber coverage requires a high level of expertise. What advice would you give to buyers about selecting the right broker to guide them through the process of evaluating policy language and assessing risk?

To provide the highest level of expertise in evaluating contract language and assessing risk, your broker should have first-hand experience with cyber security and data privacy claims. A tremendous amount of value is lost when consulting, placement and claims are separate verticals. A buyer should engage a broker that plays a key role throughout the entire process from risk identification to claims advocacy.

  1. Prudent and timely reporting of breach events
  • Understand who the first point of contact will be to report a claim with the insurance company
  • Most insurance companies offer a 24/7 breach crisis hotline to facilitate a quick response
  • Report cyber events timely to insurance companies to avoid miscommunication
  2. Know breach response obligations and duties under the cyber policy:
  • Pay special attention to whom the policy requires for Privacy Breach Counsel (Breach Coach).
  • Know your breach vendors: Unless otherwise negotiated, most cyber policies have a breach panel that requires the use of insurance company approved breach response firms
  • A cyber policy may require that an insured obtain prior approval from the carrier to engage a breach vendor