cu | How do successful brokers sell cyber insurance? They make cyber products relevant to the client by identifying exposures. Some brokers have been less successful in trying to sell the cyber product because the companies to which they were selling didn’t necessarily see the exposure as relevant to them. When brokers have taken the approach of selling cyber as a 21st century crime product, when they talk about the potential for modern-day businesses to fall for wire transfers and scams such as that, they tend to have been more successful. That type of ex- posure seems to be more relevant to dif- ferent types of industries. For me, it’s all about relevance. Brokers should not try to sell a generalist product, in the same way they would to all of their types of clients, because different types of clients have different types of cyber risk.
cu | Traditional cyber policies used to focus on privacy risks for industries like healthcare and retail. Is that still the case?
Healthcare would be much more privacy-exposed than, say, construc-
tion because the healthcare industry
is collecting relatively high-value data. But cyber is about way more than just privacy. If you explain to your clients that cyber risk exists outside the realm of just privacy, there’s much more to talk about; the conversation should become quite
a lot more open. The issue we’ve seen is that, as the privacy market within the U.S. has taken off, brokers and insurers in Canada have used the same talking points to try and articulate what cyber risk is to other clients – clients who don’t necessarily have a privacy exposure. While Canada and other territories do have privacy laws, they don’t tend to be enforced in the same ferocious manner
as U.S. privacy laws. Many clients, regardless of whether or not privacy laws are in place, just don’t collect private data.
cu | What are the main
areas of cyber risk?
We’ve seen three main areas of cyber risk: theft of data (privacy), theft of mon- ey (cybercrime), and damage to digital assets (system damage and business interruption).
cu | Can you provide an example of an industry with business interruption or cybercrime exposure? Manufacturers weren’t really in that first camp of traditional cyber buyers, because manufacturers don’t tend to collect consumer data. For many years, if you were a broker with manufacturing clients, the cyber conversation was shot down because the manufacturer would say, ‘We don’t collect data therefore we don’t have a cyber risk.’
But what we’ve seen develop in recent years are attacks against manufacturers in which the hackers are not trying to steal data, they’re simply trying to freeze the network. If they can freeze a network, it can stop manufacturing operations; that can cause immediate financial loss from a business interruption perspective. Tied in with this, we’ll see manufacturers get hit with ransomware attacks whereby the attackers will lock down the systems and demand a ransom in exchange for the systems to be freed up.
cu | How about crime?
Crime is slightly different because crime tends to be relatively industry-neutral insofar as crime involves theft of funds. So businesses will tend to wire funds electronically, depending on whether they need to buy stock, pay vendors,
                        canadianunderwriter.ca | February 2020 19