
Featured Article

TURNING RISK INTO REWARD: THE CYBER OPPORTUNITY

The number of devices connected to the internet, currently at 15 billion, is expected to double over the next eight years.1 

The exposure of being an employer is dynamic and untenable for a small employer, which is why PEOs are so crucial to businesses. Core PEO responsibilities such as payroll, procurement of workers’ compensation, and human resources are foundational value propositions to assist employers, but beyond these areas, what makes one PEO more attractive than another in the selection process? What is the biggest problem to solve for your client company? Maybe it’s safety. Usually, the area where they lack the most understanding and support is in cyber defense. Every client of yours is a sitting duck for a hacker and you can help.

Traditionally, PEO offerings and services provided within the client service agreement (CSA) revolve around responsibilities such as workplace safety, hiring practices, human resources, and employment-related insurance offerings such as workers’ compensation, health insurance, and 401k. For example, employment practices liability insurance (EPLI) associated services have grown substantially within the PEO model over the years. An exponential number of client companies are provided EPLI who either did not have it prior to meeting their PEO or would never have bought it on their own based on cost. While I do not have empirical evidence to back this statement, I believe the pick-up rate for small employers in a PEO model versus a traditional model to buy EPLI or not is at least three-fold if not more within the PEO community. Deals are won and lost maybe not solely on this offering, but certainly the weighting of it has become heavier as the importance of coverage without an excessive retention is paramount.

Just in January of 2023, newsworthy hacks of companies such as T-Mobile, Mailchimp, PayPal, Chick-fil-A, Twitter, and the FAA have been made public. Events like these have made employers aware that cyber espionage is all around us, and the need for protection in this area is real.

In a recent survey by the global insurer Allianz, liabilities from activities in the cyber realm topped the chart in terms of top threats in 2023 for employers. According to the Allianz Risk Barometer, cyber incidents (34%) and business interruption (34%) are the top concerns of businesses in 2023.2 

Additionally, business interruption and political risks are indirectly associated with cyber exposure as well.   

As a result, the move by employers to purchase cyber insurance has been swift. “During 2021, insurers writing stand-alone cyber coverage reported approximately $3.2 billion in direct written premiums on the Cyber Supplement. The stand-alone cyber insurance direct written premiums for 2021 increased by 94.7% from the prior year, and the total number of stand-alone policies reported in 2021 increased by 31.8% from the number written in 2020,” reports NAIC. 3 

This vulnerability among our clients creates a specific need that a PEO’s internal and external insurance team can address. It should always be assumed that a licensed agent must present quotations, discuss options, and bind premiums, as these are insurance policies in the name of the client company.

THE BENEFIT TO THE CLIENT COMPANY 

AIG wrote the first internet security liability policy in the spring of 1997, so in terms of lines of insurance, it is a new entrant. It has transitioned from a “nice to have” to “vulnerable if not bought” over just the last 10 years. The main difference between cyber policies is that they are all different. Coverage, retentions, triggers, sub-limits, etc. are all manuscript in nature by carrier, with many different types of products offered. For the most part, cyber insurance covers a range of basic cyber threats, including:

  • Network security and privacy liability 

  • Social engineering 

  • Network business interruption 

  • Media Liability 

  • Errors and Omissions 

While these are the main insuring agreements that provide actual limits of liability to clients, the services that are part of these offerings are paramount to their worth. After all, if you get hacked, who are you going to call?  Services within the policy to protect the client company should include: 

  • Legal expenses to defend 

  • IT forensics 

  • Negotiation and payment of ransomware demand 

  • Data restoration 

  • Breach notification to consumers 

  • Setting up a call center after a breach 

  • Public relations expertise 

  • Credit monitoring and restoration 

One of the biggest items is notification after a breach and maintaining compliance with all the different state rules on privacy. Laws in this realm are being enacted so rapidly that it is virtually impossible to keep up unless partnered with professionals who focus on this line.

 

THE LANDSCAPE 

Reports indicate that only 19% of the businesses you come across have “Cadillac” coverage, another 55% have some (<$600k limit) and 28% are looking for something and normally unsure of what that may be. We can then surmise that 83% of small businesses are bare or potentially have inadequate coverage.

Prospects for cyber can be understood in three general buckets on this front: 

Bucket #1: 

The typical profile is <$3m in sales with no current cyber coverage, scoring or hotline. Insurance policies may be in play with limits <$600k and areas of concern such as ransomware sub-limited. Policies have basic limits and afford cyber “duty to defend” services.

Bucket #2: 

These are accounts that are >$10m in sales or have greater risks that should be appropriately covered by higher-end services and insurance limits. Examples of these types of firms are those that store large amounts of personal information, such as law groups, health care providers and financial sector groups. Policies have greater limits ($1 million) and afford cyber “duty to defend” services. In addition, cyber scores, hotlines and sometimes threat-protect software are provided.

Bucket #3: 

These are accounts >$10m of sales that necessitate broader and excess limits in their programs. Offerings in this realm can provide limits in excess of $1m, a multitude of different retentions for differing causes of loss, more substantiated business interruption limits and in essence a cyber “special ops” team if a breach occurs. Post-claim services include forensics and the rebuilding of data sources. Cyber scores, hotlines and sometimes threat-protect software are provided.

 

THE OPPORTUNITY 

It is our role as salespeople to understand the greatest needs of our clients and to bring products and services that address these needs. Cyber is a wave that is getting bigger by the day, with event after event bringing it onto the front pages of our newspapers and therefore the front burner of our clients’ perceived enterprise risk. If something happens to them or their business, who are they going to call? Just as PEO has done with areas such as EPLI and 401K, we have the chance to educate and protect clients and sell some lives doing it. Let’s go!

 

PAUL HUGHES 

Principal 
Libertate Insurance LLC
Orlando, FL

 

REFERENCES 

1 Freedman, David H. (2023, January 27). A Pandemic of Cyberattacks. Newsweek. 

3 National Association of Insurance Commissioners (“NAIC”), “Report of the Cyber Insurance Market”, 10.18.22, https://content.naic.org/sites/default/files/cmte-c-cyber-supplement-report-2022-for-data-year-2021.pdf 
