In this three-part series, Ben Grosser (Head of Carrier Partnerships, Pathpoint) interviews cyber insurance expert Michelle Chia (Head of Professional Liability and Cyber, Zurich North America) to learn more about the cyber risks most affecting small businesses today, the role cyber insurance plays as a risk management tool, and how to approach matching your small business client with the right policy.
Once a business understands their risk and how cyber insurance can help protect them, they must make sure they pick coverage that is right for them. There are many factors that go into picking the right policy for a business.
BG: We always say, “if you’ve read one cyber policy, you’ve read one cyber policy.” How do you recommend navigating picking which coverage is best for your business, if they all look different and have different endorsements? How can they decide what is most important and what the product really looks like in terms of the breadth of coverage?
MC: There are many different aspects that organizations should consider. It really comes down to “What are my core concerns when it comes to a cyber event, and how does that policy address those concerns?” Companies need to assess which cyber risks have the potential to hinder their business operations and what the associated costs of those threats are. Based on that assessment, they should look at insurance policies that address those exposures. For a company with online sales, the most concerning impact might be business interruption or ransomware. On the other hand, a medical office company might be concerned about losing information, HIPAA violations, business interruption, or ransomware events.
BG: How much can small businesses expect to pay for cyber insurance?
MC: Pricing is typically based on three main pieces of information:
Depending on your annual sales, the price of cyber coverage could range quite substantially from $100 to several thousand dollars. If you’re in a class of business with a bit more sensitive information or have a very large income dollar per hour, then that’s going to increase cyber coverage cost significantly.
For example, the premium for a medical office that has $25m in revenue annually, has patient records, and wouldn’t be able to provide medical services if they experience a cyber attack would be much higher than that of a candle maker who makes $500k in candle sales per year.
BG: Will I be able to get coverage if I don’t have a perfect risk posture today?
MC: No one’s perfect! It’s hard to be perfect given the evolution of technology. Technology continues to improve every day, so it’s unlikely that an organization would implement all the new shiny tools that were released recently.
From a risk mitigation standpoint, we really consider the sophistication of the organization. If it’s a small business or they have fewer resources, we don't compare them to a Fortune 50 company able to tap into expert resource networks.
As mentioned in a prior interview, Zurich is in the business of helping businesses protect themselves. We provide both risk mitigation services and risk transfer solutions, because those are two important factors to risk management, especially when it comes to cyber risk. With the purchase of a cyber insurance policy, you do get the benefit of specific pre-breach services. For example, we have a relationship with ZenOpz™, a leading third-party cyber security and network monitoring consultancy. Not only do we encourage companies to have controls in place, we are committed to helping our customers access risk mitigation resources.
The information in this publication was compiled from sources believed to be reliable for informational purposes only. All sample policies and procedures herein should serve as a guideline, which you can use to create your own policies and procedures. We trust that you will customize these samples to reflect your own operations and believe that these samples may serve as a helpful platform for this endeavor. Please consult with qualified legal counsel to address your particular circumstances and needs. Zurich is not providing legal advice and assumes no liability concerning the information set forth above. Any and all information contained herein is not intended to constitute advice (particularly not legal advice). Accordingly, persons requiring advice should consult independent advisors when developing programs and policies. We do not guarantee the accuracy of this information or any results and further assume no liability in connection with this publication and sample policies and procedures, including any information, methods or safety suggestions contained herein. We undertake no obligation to publicly update or revise any of this information, whether to reflect new information, future developments, events or circumstances or otherwise. Moreover, the sponsors remind you that this cannot be assumed to contain every acceptable safety and compliance procedure or that additional procedures might not be appropriate under the circumstances. The subject matter of this publication is not tied to any specific insurance product nor will adopting these policies and procedures ensure coverage under any insurance policy.
This article is not intended to provide specific legal or regulatory advice or suggest the adequacy or appropriateness of any particular insurance product. Insureds are always advised to seek the advice of their own legal and risk management advisers with respect to potential liabilities or the adequacy of any insurance product.