Benchmarking – it’s an integral tool in the broker’s toolbox. It’s a great way to start discussions about risk transfer and to grab the attention of the risk manager. It’s particularly useful for well-established lines of business, where take-up rate is strong and historical loss information is plentiful. But when it comes to newer lines of insurance business, like cyber liability, there are risks inherent in benchmarking that brokers need to be wary of.
Any broker or agent in the business of selling cyber insurance to middle-market firms will likely have heard the following come out of a risk manager and/or business owner’s mouth (or at least something very similar): “We’re a middle-market company with only $25 million in revenue. No cybercriminal is going to have any interest in us. They’re only going to target the giants like Google, Amazon, or the big banks. Why would they have any interest in us?”
This widely held and unfortunately misguided belief has led to many risk managers in the past choosing not to extend their often fairly static risk management budgets to cyber insurance. They’ve always bought property insurance, commercial general liability, directors’ and officers’ (D&O), and workers’ compensation – but many haven’t budgeted for cyber liability risk, and, until quite recently, many held the belief that they didn’t need to. They relied on the strength of their IT network security, and the fact that they didn’t believe they were real targets.
“More and more risk managers are starting to realize that’s a faulty strategy,” said Richard Fernandez, executive vice president, professional lines, AmWINS. “The reality is, middle-market firms are perceived to be really low hanging fruit because they don’t have the sophisticated infrastructure to protect themselves against hackers who are trying to penetrate their systems, encrypt their data, or embed some sort of ransomware or malware into their networks. Middle-market organizations are starting to understand this exposure better, and as a result, more companies are purchasing cyber liability insurance.”
Once the risk manager is convinced about the need to purchase cyber insurance, the next key question they’ll consider is: “How much limit should I purchase?” In a different line of business, like commercial property, this might be where a broker or agent could bring benchmarking into play. But Fernandez urges caution when trying to benchmark cyber liability limits.
“We can tell you what limit your peer in the industry bought, but we can’t yet tell you if what they bought is correct,” he told Insurance Business. “Cyber insurance doesn’t have a 50- or a 100-year tail. It’s really only been purchased widely in the last half-dozen years, and we still have the issue of risk managers opting not to buy cyber insurance because of budgeting issues and cost inflation in their other vital lines, like D&O and property insurance. Essentially, we think it’s a bit of a disservice to buyers to only benchmark cyber liability limit. We don’t want to give them a false sense of security that buying what their peer group or their industry has historically purchased is the right amount.
“What’s much more imperative for insureds to understand are the potential loss costs and the loss cost escalation. What does the worst-case scenario look like if they have a breach? Modeling that for clients requires cooperation with insurance carriers, claims groups, and breach attorneys, who will share with us the costs of post-breach forensics, credit monitoring, average settlements, defense costs, and breach costs. We want to be able to put together the whole mosaic, so that we can say to clients: ‘Here are X number of breaches in your industry group. This is what the pay-outs looked like. Therefore, you should consider purchasing X amount of limit.’ That’s a much more powerful statement than simply saying: ‘You’re in healthcare, and the average middle-market limit purchase is $20 million.’”
This type of data-enhanced and consultative benchmarking is much more likely to turn a tentative risk manager buyer into a confident risk manager buyer. It also gives those risk managers more supportive ammunition for when they’re requesting their annual risk transfer budget and trying to convince organizational purse holders of the prevalence of cyber liability exposure.