This interview is part of a special report published by Insurance Business Canada.
Michael Kalakauskas, Trisura’s assistant vice-president and product manager of professional liability and cyber liability, recently shared his perspective on key cyber trends and what brokers need to keep in mind.
IB | What key market trends should brokers be aware of in the cyber insurance space in 2019?
I would place key market trends into two different categories: cybersecurity trends and cyber coverage trends. Both categories should be front of mind for brokers, not only in 2019, but in the years to come as well, as they allow brokers to think of exposure, risk and insurance solutions simultaneously.
From a cybersecurity trend standpoint, the sheer volume of cyber attacks and compromised personal information on a worldwide level is at an all-time high and will only continue to grow with the expansion of things like company interconnectivity, the Internet of things, the use of cloud services, artificial intelligence and machine learning, automation, and small to medium-sized business vulnerability.
These trends are at the heart of cybersecurity and point to the need for all organizations to increase their security and awareness in protecting themselves against cyber attacks and data breaches. Cyber criminals and attackers are only getting more sophisticated, so as an industry, we need to keep up with, and respond to, emerging threats. Another important trend from a cybersecurity standpoint is the evolving landscape of international data privacy laws and government/regulatory body involvement.
From a cyber coverage standpoint, brokers need to be aware that third-party liability coverage for data breaches is only one piece of the overall cyber insurance puzzle. The trends from a coverage standpoint – and the biggest causes of current cyber claims, in Trisura’s experience – are ransomware, social engineering and business interruption. Not all businesses carry large amounts of personal data that data breaches might target; however, all businesses are dependent on computers, cell phones and the internet, ultimately making them vulnerable to different types of cyber attacks.
The one thing all companies do hold is employee data, so all companies are exposed to a potential data breach. Our experience, though, is that the coverages I mentioned are the ones most sought after by small- to medium-sized businesses. It is easier to target small- and mid-sized companies, as they may not have adequate security measures and resources in place to protect themselves. Small companies must reassess their security position and ensure adequate measures and controls are implemented to safeguard against today’s cyber attacks.
IB | Which client groups should be the target markets for cyber insurance this year?
All client groups! All businesses – small, medium or large – have cyber exposures, and each company should be having conversations with their insurance broker about adequate cyber insurance coverage and risk transfer options.
That said, I would prioritize some of the industries that have not previously bought cyber insurance on a widespread basis. Industries including finance, banking, healthcare, retail and hospitality – all well known for holding and using personal information – have already been exposed to cyber insurance and the risk of data breaches; however, industries like construction, transportation and manufacturing, as well as smaller professional offices, are slowly being exposed to the importance of cybersecurity and need more awareness in this space.
At Trisura, we are trying to increase the exposure of cyber insurance with all our small- to medium-sized business clients, regardless of industry type. As mentioned, it is easier to target small- and mid-sized companies, as they may not have adequate security measures and resources in place to protect themselves. Trisura has a large surety book that comprises clients of all sizes in the construction industry – for example, builders, developers and contractors – and with them being more reliant on technology and computers, it is imperative we offer cyber solutions as part of their overall insurance and surety bonding package.
Likewise, we insure many small- to medium-sized professional offices for E&O and directors & officers liability and are currently trying to target them for cyber coverage as part of their insurance portfolio.
IB | How can brokers overcome the “it won’t happen to me” mentality held by many smaller businesses in reference to cyber attacks?
All businesses, regardless of size and industry type, have cyber exposure. Regardless of whether they hold or store their customers’ or suppliers’ personal data or corporate information, they have data on all of their employees that is at risk. Furthermore, all companies are reliant on computers, cell phones and the internet, and therefore would be susceptible to loss in the event of a cyber attack like ransomware, a hack, data loss, payment diversion or phishing, malware, and software or hardware failure.
Cyber attacks are indiscriminate. Even if it’s not from an attacker, one of the biggest forms of cyber exposure is the error of an employee clicking the wrong link, sending an email to the wrong person or leaving an unencrypted laptop or cell phone at a public place. Cyber exposure could come from anywhere, and if it were to happen, it could give rise to significant financial loss.
My rule of thumb is to advise businesses that cyber attacks are not a matter of ‘if’ but more of ‘when’ – and whether the company is able to withstand the financial impact of such an attack or loss. If the company is not equipped to sustain such an attack, or the business would like some additional protection, then cyber insurance is a key to their risk management process, no matter the size of their business.
IB | What are the key differences between cyber as a stand-alone product and as an add-on? In which situations should brokers consider one option the better choice for clients?
The key difference between a stand-alone cyber product and an add-on by endorsement is the quality of the coverage and of the claims service. With a stand-alone cyber policy, you are getting a dedicated product – and limits – with specific and broad coverage and, most likely, access to a comprehensive cyber response team that can help navigate any claim or cyber incident. Most add-on cyber endorsements cover such a limited amount, and language tends to be very restrictive. Furthermore, add-ons usually contain such a small limit of liability, or the limit itself is shared with the main policy limit.
My hope is that add-ons become less and less used in the industry and that all clients – again, regardless of size and operation – purchase a stand-alone cyber policy to properly cover themselves. Another advantage of a stand-alone policy is that it is most likely being managed by a dedicated and experienced cyber underwriter. A true cyber underwriter can not only help with exposure and risk identification, but can also tailor the cyber policy and coverage to the specific needs of the client. Most add-ons are offered by underwriters in the professional liability or casualty space, and they may not have any expertise in the field whatsoever.
IB | What are the vital elements of a good cyber insurance policy, and which elements are particularly important for different clients?
Overall, good cyber insurance provides coverage for both an insured’s first-party and third-party losses associated with a network security breach, or the loss, theft or unauthorized disclosure of personal information or confidential corporation information. The coverage should include expenses related to breach notification, extortion threats, public relations, credit monitoring, forensic investigation, defence costs, the costs of judgments or settlements, regulatory claims, business interruption, and media liability, among other things. Every business has an exposure and should be protected accordingly. Exposures come in the form of employee information, customer information, internet access, electronic and network activities, and the overall use of technology.
Specifically, the most important element of any good cyber insurance policy is the claims handling service and response team associated with it. A cyber insurance policy should give clients access to experts in all fields of cybersecurity and make them feel comfortable throughout the whole process, whether it is a full-blown claim, a possible breach or a system hack. A good response team should include law firms and breach coaches, forensics and investigation professionals, public relations and communication specialists, and breach notification, identity repair and credit monitoring firms.
Legal experts can help minimize the risk of litigation and fines in the wake of a breach. They can provide legal advice based on your specific incident, such as determining how to notify affected individuals, government agencies, third parties and others who may be impacted. The law firms and breach coaches can also manage breach response teams and oversee all aspects of the response.
Forensic and investigative providers can advise your organization on how to stop the current data loss, prevent further harm and secure evidence as necessary. They can also determine where, when and how the breach or hack occurred, analyze data sources to determine what information has been compromised, and assist in data restoration.
Public relations providers can help develop both the internal and external communications needed during an incident, as well as oversee crisis management services. They can also provide advice on how to best position the incident to key audiences, update social media and help manage media questions related to the issue.
Breach notification providers can help in the form of credit monitoring, credit reports, call centre services and direct mail campaigns.