I believe we are part of a very noble and fundamental industry; without insurance, commerce cannot exist in its modern form. Commerce in return supports the communities we live in.

In the event of a claim our client’s first point of contact is us, not the family lawyer, not their accountant but us - their broker.

So when you get that call, text or email saying “We’re having a ransomware attack!”, how will you respond?

Sit, pause and dwell on that thought for a moment.

Considering that this event could very well be the death of your clients’ business, your answer could be the lifeline it needs…

Will your first thoughts and comments be:

“Bugger… I was going to talk to you about that next renewal.”

“You may recall I mentioned it, but you didn’t really show much interest.”

“I didn’t bring it up as it’s not cheap and you’re quite price-conscious.”

“I think we might have some cover under your liability package.”

“Hold fire, I’ll call the helpline and get the experts on to it right away.”

Given how many businesses are taking out cyber insurance, the likelihood of the latter response is sadly quite small.

We know our clients are vulnerable and an attack could cripple them; we know that attackers are targeting small businesses, not just large international corporates; we know the larger corporates spend millions on systems and IT defences that are still breached, while our clients have limited resources in comparison to protect their businesses.

We know all this, yet market statistics clearly show we are not selling enough cyber, so:


Do we believe it is the insurer’s job to educate us, is it up to our clients to ask for it or do we need broker principals to make a directive to sell it?

I talked to one old associate recently and found out that his entity had been hit on two separate occasions in the last 18 months, yet they didn’t put cover in place until after the second event, with the excuse being: “We had really good systems and processes in place, which were then made more robust after the first breach”. A cyber and privacy policy was never discussed by their broker. Even after the second attack, they had to request a quote.

Do we not have enough time to read through the various wordings, or are we scared that cyber insurance has so many variables, and in essence its own language, that it’s all too complicated? Are we scared to admit that we don’t really understand it enough to bring it up with a client?

Social engineering, phishing, water holing, phreaking, tailgating, baiting… these are not marine terms, but terms we need to be all over in this new cyber world.

Whatever the issue or reason, it really is not good enough. We are our clients’ insurance professionals, and they and their businesses rely on us. How many times has “not being kept informed” featured in the top five reasons clients leave a broker?

I’ve read quite a few articles now, along with policy wordings; I’ve worn out Google and have harassed a few underwriters - does that make me a cyber expert? Heck no! Do I see a real need for clients to have a solid cyber policy in place? Affirmative! In fact, I truly believe that cyber is becoming as important and fundamental as business interruption.

IBANZ posted a link to a thought-provoking article titled “Five things brokers often overlook in cyber insurance policies” by Nick Economidis.

His bullet points were:

  • Breach response expenses: “Pay on behalf of” or “Indemnity”?
  • Breach response expenses for suspected breach events?
  • Business interruption: Period of recovery/extended period of recovery
  • Breach response: panel vendors
  • The service behind the policy

Overall, it is quite difficult to compare current market wordings, because each insurer uses different industry phrases, cyber jargon and terminology, implying a difference of risk and/or cover.

What is not difficult to grasp is that the risk is not going away any time soon and in fact, it is increasing. Mandatory privacy breach notices are a likely outcome in the not-too-distant future, which will increase reputational damage, monitoring requirements and potential claim costs in these areas.

  • 28% of New Zealand businesses faced a cyber-attack in the last 12 months.  Source: Grant Thornton International Business Report
  • 60% of cyberattacks target SMEs.
  • Only around 4% of attacks in New Zealand are reported. Source: Netsafe
  • 108 ransomware attacks occur per day in New Zealand. Source: Trend Micro & KSN Ransomware report, June 2016

A one-word solution isn’t the best way to manage cyber risk. To manage your clients’ risk you really do need to understand the client’s exposure, their key digital assets, presence and structure, and then make your recommendations around the coverage they need using the most appropriate wordings.

Placing any form of cyber cover without a detailed proposal therefore carries some risk.

I recently spent some time discussing cyber risk with a number of non-insurance business representatives to obtain their understanding of the risks and perception. My key findings were:

  • Not one had been initially approached by their existing broker to discuss cyber;
  • A high proportion believed that a standard general liability policy would indemnify them against third party claims;
  • Almost as many believed a cyber-attack could potentially cause damage to their server, so “that would be covered by our material damage policy”;
  • Of those that thought about their loss of income, all believed that their standard business interruption policy would cover them.

Their protection expectation from a cyber policy, after discussing the above:

  • Breach of privacy and records.
  • Virus and ransomware damage.
  • Extortion.
  • Reputation damage.
  • Spam to third parties if own system hacked and used including VoIP phone systems.
  • Cost of remediation.
  • Cost of downtime and loss of income/profits.

So if you are in the habit of selling a watered-down version of cover, or a policy that doesn’t include the likes of business interruption*, crime** and reputation cover, without the knowledge, understanding and agreement of your clients, both you and your client could have a problem. As mentioned earlier, all things are not equal with cyber, so double-check the sub limits and insurable clauses.

Business interruption*

Does the policy cover just the period of interruption or the full period of recovery while the business builds itself back up to its pre-loss situation? Is the insurable period sufficient?


Does the policy include this or is it an optional extension; additionally what is the limit of indemnity, the full sum insured or a sub limit? 

Monitoring costs:
Following the Equifax breach in the US, recent reports have indicated a cost of US$15 - US$30 per month for a fully-fledged identity and credit monitoring service per client. Experts are also suggesting that credit monitoring, especially around credit cards, should be maintained for anywhere up to two years.

Looking at your clients’ customer numbers and using these figures, how far will a sub limit of $50,000 or $100,000 really go? Based on my findings, you would not be able to meet standard business expectations.


The reality is that we are in a digital age and businesses in New Zealand are exposed and under-protected. The only real way to educate the market is through brokers and insurers.

We don’t need to be the experts; we just need to educate ourselves enough so that we can educate and protect our clients.

December 2017