Oct 17, 2024
By Jonathan Decker

Do I Need Cyber Liability Insurance as an Insurance Agent?


Cybercrime is on the rise, and small-to-medium-sized businesses (SMBs) are prime targets. Further, the insurance industry is a favorable target because it hosts a large database of sensitive information on the agents, clients and companies it employs and with which it partners.

Managing the risks facing your business is vital to safeguarding your livelihood and clients, and a robust cyber liability and data breach program is part of that protection strategy.

Most Common Cyberattacks on Insurance Agents

As cyber criminals are usually after the same kind of sensitive information, the methods they use are also consistent across all industries:

  • Phishing – Hackers create fake emails, text messages (smishing) or phone calls (vishing) from an employer, friend or organization, which seem legitimate and trick users into clicking a link, downloading software or disclosing private information.
  • Stolen login information – A hacker illegally obtains login information and tries it on different websites to see what they can steal from the person.
  • Data breach – When a hacker breaks into a network or software database and accesses private information to steal money, gain further access into the system or sell it to other cybercriminals.
  • Business email compromise (BEC) – A criminal impersonates a professional counterpart to trick an email recipient into sending sensitive financial information or wiring money, which can defraud a business’s employees, partners and customers.
  • Ransomware – Malicious software that disrupts a network and device, or seizes specific files, until the user pays a ransom to the hacker.

Here are some examples of these incidents:

Stolen Device

A criminal physically steals a phone or laptop and then breaches it when they return to their cybercrime lair.

Phishing Email with Fake Call Center or Bad Link

A cybercriminal sends a convincing email with a payment confirmation receipt. It is not a real purchase, and the email prompts you to call the phone number with questions or to reverse the charge. A hacker answers the phone, acting as a call center representative, and asks you for your credit card information, saying they need it to reverse the purchase when really they are trying to obtain it to steal money.

Phishing emails can also trick a user into clicking a link, which is laced with malware and infects their device and software.

Lack of Two-Factor Authentication (2FA)

Two-factor authentication (2FA), a form of multi-factor authentication (MFA), adds another step to an account login. The first step is to enter a username and password; then, you confirm your identity through a second factor, typically a separate device, to gain full access. A hacker who illegally obtains login information can get into an account without 2FA pretty easily, but it becomes harder with 2FA in place, as the system often sends a code or touch notification to the real user’s phone.

Using the Same Password Across Different Platforms

A hacker steals one username and password from a data leak and uses it to log in across many platforms. If you use the same password for almost everything, they can access many of your network and website accounts.

Disgruntled Employees or Contractors Who Still Have Access

Unhappy employees cause nearly 30% of all data breaches, whether due to purposefully creating exposures or accidentally sabotaging the company while attempting to download client data in an unsecured manner.

Third-Party Partners

Relying on people outside your agency comes with huge risks, because your business’s sensitive data will also sit on at least one other party’s devices. If that third party were to face a cyberattack of its own, you and your business would likely be more exposed to threats. Also, depending on how much you rely on the vendor, an incident on its side can heavily impact your operations.

What Can Happen When You Don’t Have Cyber Insurance?

Below, we’ve described three common scenarios demonstrating how an attack happens, how quickly things unravel and the consequences of not having cyber liability and data breach insurance.

Taking the bait on a phishing email leads to malware.

A cybercriminal poses as a vendor of an online service you already use and sends you a fake receipt for a routine monthly charge. However, the payment amount looks higher than normal, and the email is convincing enough to lead you to click the link and investigate the charge.

The link is laced with malware that immediately downloads onto your device and spreads undetected through your agency management system (AMS). The malware steals data and damages your laptop’s software systems.

As the situation unfolds, there is action you can take, but you can’t stop this alone. Without breach response assistance, you have no support in minimizing the damage.

In the aftermath, you face severe losses and an expensive recovery process. You have no agency to help you retrieve the lost funds or data and will also be liable for your clients’ losses.

You are responsible for these costs, which can amount to tens of thousands of dollars. Without the financial coverage of an insurance policy, you face paying these expenses out-of-pocket. Plus, you’re left to deal with the reputational damage on your own.

An unsecured network leaks login information and gives way to a data breach.

One Friday afternoon, you work at a coffee shop for a few hours. The café’s Wi-Fi network is unsecured, and a hacker gains access to login information for your different internet accounts.

The criminal accesses very sensitive information — such as financial accounts, credit card information and Social Security numbers — of you, your clients and your business partners. They commit funds transfer fraud and sell other personal information on the dark web.

Without a comprehensive insurance program, you likely don’t have access to a credit monitoring and notification system for your database to alert you, your clients, law enforcement or an incident response team to a breach. If you had such a system, you and other parties would be notified of nefarious activity as soon as it was detected and could identify precisely what data has been compromised.

In the aftermath, very little of the lost funds and data are recoverable without an agency to help you retrieve them. You also have no financial safety net to help you cover your losses to your business or investigative services.

You will also be held liable for your clients’ and business partners’ losses, and they will likely take legal action against you. And without third-party liability coverage, you will pay out-of-pocket for their losses and your own counsel.

A hacker spots code vulnerabilities in your CRM software and halts your operations.

A cybercriminal spots a coding vulnerability in your customer relationship management (CRM) system and injects ransomware.

The ransomware quickly shuts down the system’s functionality completely and locks files. You are unable to manage clients’ policies and prospect outreach; your client service portals are also not working.

For the release of your systems and data, the hacker demands a payment of $6,000.

It is difficult for you to negotiate a lower ransom payment without an expert response team. Not only will you likely have to pay the expensive ransom, but you will have no financial support to cover it.

You face severe business disruption costs from this shutdown — such as lost revenue, operational restoration and reputational damage. Part of the first-party coverage from a cyber liability insurance program would cover these losses and investigative forensics.

You will also face third-party liabilities for your clients’ losses, legal protection and compliance fines, as you likely did not meet regulatory data protection standards. Without a comprehensive cyber program, these costs are solely on you.

Cyber Security for Insurance Agents

A comprehensive cyber liability insurance policy gives your business a safety net in each of the situations outlined:

Financial Support

The kind of financial support that comes from any insurance policy. Your policy will cover losses, legal fees, regulatory fines, recovery and investigative services, reputational repair and more.

24/7/365 Breach Response Assistance

You have access to a team of cybersecurity professionals you can contact instantly in the event of an attack.

Data and Credit Monitoring and Communications

A system that detects and alerts you and affected parties of suspicious activity and identifies the data and records that have been compromised in an attack.

Data Recovery

One function of a breach response team is finding and retrieving lost data during an attack.

Ransomware Negotiation

An incident response team guides policyholders through negotiating lower ransom payments and covers the ransom’s cost.

Forensic Analysis

Part of the financial support a policyholder receives is paying consultants to investigate an incident, determine the cause and assess the damage. This information can help you learn from your exposures and better mitigate cyber risks going forward.

Reputation Management

A policy can help you cover the losses of damaged brand loyalty and hire PR professionals to help you restore your reputation among clients and prospects.

Important Considerations When Shopping for a Cyber Policy

Tips and what to expect when looking for a cyber policy:

Cost

The average cyber liability and data breach insurance program for SMBs is between $500 and $5,000 annually; various factors account for the large price range, so it is best to speak with your insurance expert to identify the best fit for your needs.

Eligibility

Insurance providers have a set of criteria for business cybersecurity practices that determines qualifying coverage.

“A” Rated Carriers

Insurance carriers that are “A” rated have the financial stability and strong reputation to cover their customers’ claims.

Cyber Liability Policies vs. Cyber Endorsements on Errors and Omissions (E&O) Policies

Cyber liability and data breach insurance can be purchased as its own plan to offer financial support with value-added services to give the policyholder a comprehensive risk management, insurance and response program.

Many value-added services are usually eligibility requirements to qualify for cyber coverage, but some programs offer resources, such as:

  • Safety awareness training – Cyber experts will teach you to detect threats, such as identifying phishing attempts.
  • Risk assessments – Experts help you identify gaps and vulnerabilities in your organization’s cybersecurity.
  • Compliance support – A risk management support team will help ensure you meet all legal and regulatory cybersecurity compliance requirements — such as privacy and data protection laws.

However, cyber coverage is often added as an endorsement to professional liability or E&O policies. These endorsements typically cost less than a standalone cyber policy but come with lower coverage limits and more exclusions.

When shopping for cyber liability insurance, you’ll want to carefully research the details of your policy options and ask each policy’s agent questions.

Exclusions

While most cyber liability plans include first- and third-party coverage, many instances are not covered. These exclusions could be based on location or certain types of attacks, such as acts of terrorism. Potential future lost profits and loss of value due to intellectual property theft are also not usually covered.

NAPA’s Cyber and E&O Insurance Programs

The National Association of Professional Agents (NAPA) offers Cyber Liability & Data Breach Insurance designed specifically for insurance agents, which starts at $199 per year.

Program highlights: 

  • Easy quote and purchase process
  • “A” rated carrier
  • 24/7/365 breach response hotline
  • Coverage limits up to $2 million
  • First- and third-party expenses covered
  • And more

NAPA also offers Agent E&O Insurance starting at just $26.25 per month.

Program highlights:

  • “A” rated carrier
  • Free continuing education (CE)
  • Instant online application and proof of insurance

The information contained herein is offered as insurance industry insight and provided as an overview of current market risks and available coverages and is intended for discussion purposes only. This publication is not intended to offer legal advice or client-specific risk management advice. Any description of insurance coverages is not meant to interpret specific coverages that your company may already have in place or that may be generally available. General insurance descriptions contained herein do not include complete insurance policy definitions, terms and/or conditions, and should not be relied on for coverage interpretation. Actual insurance policies must always be consulted for full coverage details and analysis. Gallagher publications may contain links to non-Gallagher websites that are created and controlled by other organizations. We claim no responsibility for the content of any linked website, or any link contained therein. The inclusion of any link does not imply endorsement by Gallagher, as we have no responsibility for information referenced in material owned and controlled by other parties. Gallagher strongly encourages you to review any separate terms of use and privacy policies governing use of these third-party websites and resources. Insurance brokerage and related services to be provided by Gallagher Affinity Insurance Services, Inc. (License No. 100310679 | CA License No. 0783129).
