Victor O. Schinnerer & Company, one of the largest and most experienced underwriting managers of specialty insurance programs in the world and a ProgramBusiness.com Annie George (AG): What was the genesis of your new Cyber package?
Matt Kletzli (MK): "We saw a general need in the marketplace for a sophisticated solution that was simply executed for the middle market and small enterprise segment. We looked at the way Cyber products were developed over the time, designed for larger accounts that required more in-depth underwriting and much broader profiles. The industry in general has struggled to try and condense the underwriting process for smaller insureds who often don't have the broad and sweeping high-risk activities found at large corporations.
"Additionally, small firms don't employ full-time risk managers to complete applications that may come with as many as 90 questions. You'll have
someone at a small operation that handles the financial aspects of the company in addition to wearing the hat of managing the insurance. A broker will review the need for Cyber insurance, and present an application that has anywhere between 40 and 90 questions, the majority of which the small business owner can't answer because they're tech-related. This will get passed on to the IT department, which has too much on its plate to take the time to complete the app. As a result, brokers are having trouble getting clients to start the process in order to offer a Cyber quote.
"Another paramount issue is that existing Cyber policies are too long and difficult to understand. It's challenging for brokers who don't handle cyber issues to get comfortable with these policies. When you look at the market, Cyber specialists have really been the core drivers of this business.
"With these obstacles in mind, we wanted to make something accessible to all insureds and to all brokers regardless of their familiarity with Cyber. We wanted to create a comfortable experience in the marketing process and in explaining the coverage."
AG: How did you accomplish this?
MK: "Our policy is written with very simple wording while maintaining its sophisticated edge and broad coverage to cover small and mid-sized businesses. Moreover, because the majority of these firms do not have risk management plans in place to respond and manage a Cyber event, the policy provides assistance here. I would say this is the key to our policy. Having expert support available when the need arises that understands the process, understands the right questions to ask, has a forensic team in the background and a PR team ready to go, and understands all the laws and jurisdictions under which the business is working or can get that information quickly is really an important aspect of Cyber coverage. There is an 800 number on the policy for insureds to call their data breach coach. Within four business hours of receiving the call, we will arrange a conference call with the insured to discuss where they believe the suspected breach occurred and the next steps involved in the process. Most importantly, the data breach coach is an attorney so all information shared by the insured is privileged.
"The data breach coach will determine if a forensic investigator is needed to dig into the system and find out what type of marks were left behind by the
hacker or whoever caused the breach. One of the challenges insureds have is to determine the source of the breach. Often an IT team will go in and, similar to a crime scene, can possibly destroy evidence because of their unfamiliarity with this type of investigative work. A forensic investigator is skilled at finding out what happened, what was and wasn't taken, and what data was accessed.
"Getting this work done early is extremely important. If the breached data falls under regulatory purview, there are specific timeframes for each jurisdiction on notifying individuals whose information may have been compromised. This is another key reason why having a point of contact as part of the insurance policy is so important. Timing is critical in discovering what happened, when it happened, and who was impacted."
AG: Is there a sweet spot for your Cyber package?
MK: "Most classes of businesses qualify for our simplified application process. Some classes of businesses will require additional information due to the nature of their operation. One group that the policy doesn't cover, as it was designed not to do so, is any business with a Tech E&O exposure. If a firm's core operation is online; for example, an online retailer, gambling site, adult site, check clearing site, payment processing company, the policy is not a fit. We did not include the Tech E&O exposure in our coverage as part of our objective in designing the product and creating a simplified application process for typical Main Street businesses. We wanted the typical business to really understand what they are getting when the policy is delivered."
The policy is user-friendly and written somewhere between a personal and commercial policy with language using "your" and "our". There are three major coverage bundles:
Digital Crime
This protects companies from deceptive electronic transfers of funds, telephone toll fraud, and cyber extortion. Electronic transfer of funds includes social engineering
fraud, such as spoofing and phishing scams. Telephone toll fraud occurs when hackers break into a firm's Voice over Internet Protocol, and route calls from the firm to premium-rate telephone numbers, such as 900 numbers or distant countries.
"We saw that many insureds are covering crime exposures under a BOP but aren't necessarily expanding it out to include emerging cyber exposures as you may with a monoline policy. There was a coverage gap for small and mid-sized insureds, so we included coverage for these types of cyber crime exposures in this bundle."
Breach Liability
This provides protection against certain lawsuits or demands related to privacy liability, website media liability, and regulatory compliance. "Anyone that accepts a credit card also accepts the best practices of the credit card industry and the contractual obligations involved. "This coverage responds to any aspect of liability that would come back to a company that has suffered a breach."
Breach Rectification
This is designed to help businesses get back on track following a business interruption or digital asset loss. "Here is where the data breach coach steps in to provide the resources needed to find out what happened, restore the data, and minimize business interruption losses and reputational damage."
Premiums for the Cyber package begin at $750 with minimum limits of $500,000 and maximum limits of up to $10 million. "There is one policy aggregate, but if the broker and client want to change the sublimit, this is possible with some sublimits subject to additional underwriting submission. Currently, the policy is available in 43 states on admitted paper through Indemnity Insurance Company of North America with filings in the remaining states pending. In the meantime, we can write on non-admitted paper in the other states
AG: How does an insurance agent obtain coverage for his or her insureds?
MJ: Through our broker portal, a broker completes an application designed to get the information he would typically already have in his client files. The broker can then get an immediate quote and present an idea of the cost for comprehensive Cyber coverage to the client. There are only 8 underwriting questions in addition to the client information. You receive a quote letter, which is bindable upon receipt of the client application. The client only has to answer one additional question regarding company internal controls, sign and send the app."
AG: How has the product been received?
Mk: "Prior to our recent launch, we worked with a limited release to ensure all was working properly and that we were delivering what the market requested. We've done really well. The average industry uptake rate is 6%, and we've well exceeded this with the number of quotes we have issued.
"We are providing something truly of value to the insured, particularly in light of the number of breaches occurring among smaller and mid-sized companies and the rise in contractual liability requests from third parties for smaller organizations to carry Cyber coverage.
"Our product is competitive, offers broad coverage, and provides experts when an insured needs them most."
Schinnerer operates on an open brokerage basis. If you've already worked with Schinnerer, there is a simplified process to obtain your portal credentials. If you haven't worked with them before, there is just some additional information needed. You can contact Jason Bucher at (816) 213-5176 or via email at Jason.Bucher@Schinnerer.com