Protecting Your Agency and Educating Your Clients On Cybersecurity

By Bill Fahy | May 20, 2019

It’s no secret that having the right technology is critical to being a successful independent agent. But as independent agents embrace technology, they must also be aware of the risk of cyberattacks and know how to protect their business.

Taking the necessary steps to be cybersecure gives agents another clear advantage: they are better able to educate their small business clients on how to purchase the best cyber insurance while meeting the ever-growing list of compliance regulations and requirements, which differ from state to state but are becoming more stringent in all states.

Agents must now also be aware of an emerging risk: the compliance requirements being imposed upon them via their carrier and brokerage contracts due to their status as an affiliate of the carrier or brokerage.

Every Business Is a Target

When it comes to cybersecurity, there’s much for agents to take in. A recent McKinsey article warns: “While awareness is building, so is confusion. Executives are overwhelmed by the challenge [to defend themselves from cyberattacks]. Only 16% say their companies are well prepared to deal with cyber risk.”

The report found that businesses are “at risk of collateral damage from untargeted malware and attacks on widely used software and critical infrastructure. And despite all the new defenses, companies still need about 99 days, on average, to detect a covert attack. Imagine the damage an undetected attacker could do in that time.”

Cyberattacks touch businesses of all sizes and are now prevalent among small and medium-sized businesses (SMBs), which often are not as proactive or well protected as larger businesses. Criminals know they are easy targets. According to a Hiscox 2018 Cyber Report, 47% of small businesses suffered at least one cyberattack in the past 12 months, and 44% of those suffered two to four attacks.

Spam, ransomware and phishing are currently the most common forms of cybercrime that small businesses face, and according to Inc. Magazine, “60% of small businesses fold within six months of a cyberattack.”

These statistics not only show that independent agents need to protect their own business, but also that there is a growing market in commercial lines for agents, especially those who are educated on the risks associated with technology and systems, cybersecurity strategies and coverages available.

Agency Protection

Independent agents who don’t have a cybersecurity strategy for their agency should invest in one now, before selling cyber protection policies to others. It is vital to protect clients as well as your own business. This includes building a strategy for protecting agency data that goes beyond a basic firewall. It’s necessary to define agency data and prioritize the most sensitive information to be protected first, and to identify where the agency is vulnerable before criminals do.

Along with building a strategy, training employees at all levels is essential. Employees, not systems, remain one of the greatest risks for businesses today. For example, phony emails that trick employees into compromising passwords and/or private information are a common entry point for hackers, who may gain access to agency funds as well as customer data.

The IIABA’s ACT Agency Cyber Guide includes several tips for agencies to protect themselves and meet growing compliance regulations:

  • Perform an in-depth risk assessment — what needs to be protected and why?
  • Test and assess the vulnerability of your system.
  • Develop internal and external written security policies for staff and third-party service providers — educate everyone on these policies and on the procedures to follow in the event of a cyberattack.
  • Have an incident response plan — make sure everyone is on the same page and assign someone to be in charge of cyberattack responses.
  • Conduct staff training and teach staff how to be vigilant.
  • Implement multi-factor authentication where needed so only permitted staff have access to critical files.

The Right Cyber Policy

Look for a policy that provides coverage against cyber extortion and offers proper limits to cover the myriad of post-breach response expenses, including legal fees, notification costs and reputational repair.

Solid, comprehensive cyber-related policies, which should be in place for agents and their clients, cover:

  • Data breach response and liability, including expenses and legal liability arising from a data breach.
  • Computer attacks, such as a virus or other malware or a denial-of-service attack that causes damage to data and systems.
  • Network security liability, with defense and liability coverage for third-party lawsuits alleging damage due to inadequately securing a computer system.
  • Media liability, including legal defense costs and damages for claims asserting copyright infringement and negligent publication of media while publishing content online.
  • Funds transfer fraud, including losses from the transfer of funds as a result of fraudulent instructions from a person purporting to be a vendor, client or authorized employee.
  • Cyber extortion, including “settlement” of an extortion threat against a company’s network, as well as the cost of hiring a security firm.
  • Regulatory fines and penalties.

According to RPS Executive Lines Producer Adam Connor, “the average policy cost is roughly $2,900 annually. The cost of a standard Personally Identifiable Information (PII) attack without any coverage can reach over $232,000 and will grow significantly higher if the company is caught up in a lawsuit as a result of the breach. Just tallying the cost of a forensics investigation, security remediation, and a breach coach to give legal advice can total close to $170,000.”

Risk Placement Services Inc. (RPS), for example, has comprehensive coverage plans offering up to $1 million of protection against a multitude of data breach risks, with higher limits available to qualified agencies. (Note: RPS is a strategic partner of SIAA and writes many cyber policies for and with SIAA member agencies.)

Selling Cyber Coverage

Cyber risk and data breach coverage is a fast-growing niche in commercial lines and should be considered by independent agents looking to expand their books of business. Selling the right coverage — to small and medium-size businesses like themselves — means agents need to be educated.

Well-educated independent agents will develop proactive cybersecurity strategies and invest in cyber coverage for their own agencies. They stay informed of the regulatory requirements in their state, and also continue to review their carrier and brokerage contracts for the compliance standards they are required to uphold. Then, they will be able to provide the best information to their clients to prevent devastating losses and write a cyber policy tailored to their needs.

Ongoing cybersecurity means staying in the loop about risk management and training to keep both staff and clients informed, and being aware of an ever-changing threat that can negatively impact agencies and small businesses for years to come.

About Bill Fahy

Fahy is president of SIAA MarketFinder. SIAA is the largest alliance of independent insurance agencies in the country.

Insurance Journal West May 20, 2019