It was more than 20 years ago. The Internet as it is known today was in its infancy. Steven Haase was with an insurance agency in Atlanta focused on insuring technology companies.
“Around 1995, I saw the commercialization of the Internet. I was working with these clients and they had major exposures. I was trying to figure out what I was going to do about it,” he recalls.
The agency that started out as Network Risk Management Services is today known as INSUREtrust, a cyber liability wholesaler and Haasee is CEO.
Among his clients were several large and early Internet players; one invented online banking, one was the largest network security company. The company that invented online banking had bought a bank and started processing everything, lots of data, through the Internet.
“I’m looking at it. They have auto insurance, workers’ comp, property insurance, D&O, EPLI, but they have all this data, and all this exposure. I started shopping the marketplace to put something together. Nobody wanted to do it. There wasn’t really a good methodology for loss control, loss prevention.”
Then he got lucky.
“I happened to be at AIG visiting a friend who was president of a division, and he happened to say, ‘They gave me the task of creating a product this year, so we’ll just make yours,’ and that’s how we started.”
The policy was called Internet Security Liability Policy. Haase said he and his friend worked on the product until April of ’97.
“We went to the International Risk Insurance Management Society’s convention and launched it on April 15th of ’97. We had a big celebration in Honolulu with our famous Breach on the Beach party. We’re not sure what that is yet, but we had a Breach on the Beach party.”
About 20 people joined in the party.
And thus cyber insurance was born. In the following interview, Insurance Journal’s Andrea Wells probes what this pioneer thinks about cyber insurance now, what he regrets and sees as problems, why he thinks there is still a lot of educating that needs to be done, how the coverage and market have evolved and where he thinks cyber is headed.
Insurance Journal: After that, how long was it before carriers or other markets started to catch on?
Haase: Well, we knew there were other players out there with the same idea. They were generally about two years behind, but eventually, there were more and more carriers entering the market. We moved our business around. We did a little bit of business with ACE. We did a lot of business with Reliance National. Eventually, we wound up consolidating the program into Lloyd’s of London.
Insurance Journal: Twenty years, a lot has happened. The product has evolved tremendously. In your view, what have been some of the biggest changes since to the product and the coverage?
Haase: If I could, maybe before I talk about changes, because this’ll make more sense, it is the most confusing coverage ever. We literally talk about that at our 15 boot camps we do, as the very first thing. Most agents will readily admit that they don’t feel completely confident they can explain this coverage. It really is like explaining a manuscript package policy.
If you could imagine having 30 different manuscript package policies that you’re trying to compare, it’s very difficult. Even the words cyber liability are confusing. We came up with those words and we really regret it. Cyber means computer. Well, we cover paper files. Liability, well, we cover first party. There’s not even a simple explanation of what it is.
The changes. Well, the policy forms keep changing. They get broader. Frankly, a state-of-the-art cyber policy is probably too broad. It covers things most agents don’t even think of, and often don’t report claims. There’s evolution in the application forms. They’re already too confusing. There’s evolution in the loss control related to it.
There are industry studies, there are agency industry studies, that say they don’t understand it. They can’t explain it to the customer. The carriers can’t explain it to the broker. There’s security studies that say the CIO, the IT people don’t understand this stuff, and want to be involved, but they can’t.
The biggest problem is that gap in knowledge and how we’re going to bridge that so agents can confidently explain cyber in a fashion that really sticks and lasts. It’s very easy to go in as an agent and say, “Where did you get that coverage? Why did you buy that policy? Did anybody read the policy?” Because it’s so complicated and agents’ time are limited, it’s very difficult to do the due diligence.
Insurance Journal: That’s something I’ve heard over the years, that agents don’t understand the product enough to be able to sell it. There are still organizations that don’t purchase the coverage because of that.
Haase: That’s absolutely right. The sales cycle is very little because they go in and they know a portion of the policy. They know what breach coverage is but the value proposition goes way beyond that. It goes into domain name disputes, Facebook, website lawsuits over content, domain names. This whole list of things is what you have to present.
Secondly, you have to tailor it. You have to go in, having studied some of their exposures already. We like to use a checklist, like if you’re going to fly an airplane, make sure it has gas, tires, and all that kind of stuff. Well, we have a checklist that’s five to seven pages long, that basically asks the question about every possible exposure that could be covered under a cyber policy.
That’s one of the due diligences things you have to do. Somebody has to read the policies.
Next: Carrier and Agent Strategies and the Future of Cyber
Was this article valuable?
Here are more articles you may enjoy.