Lisa Doherty (pictured below) is president of Business Risk Partners. Todd Cusano is E&O Project Manager for Business Risk Partners.

Cyber liability insurance is growing by leaps and bounds—as fast as EPLI by some comparisons but in a fraction of the time. According to online information security provider Symantec, businesses of all size were a potential target for attackers in 2012. The largest growth area for targeted attacks—comprising 31 percent of all attacks last year—was with businesses having fewer than 250 employees. This represents a huge opportunity for agents and brokers to sell cyber protection to small and midsized businesses. Yet cyber insurance is still a relatively new concept that suffers from a lack of standardization in language, coverage and endorsements, along with the confusing nature of the product itself. So as you approach customers in these markets regarding cyber coverage, keep in mind the following four points.

1. Make It Simple and Relevant

If you ran across a potential customer on Main Street and stumbled into a conversation about insurance, he'd probably look at you sideways when asked if he was concerned about a data breach. The very mention of anything cyber these days often leads people down an uncomfortable and unfamiliar slippery path. Relying on industry jargon makes cyber coverage feel even more removed and seem like it's only for high-tech companies or very large firms, which couldn't be further from the truth.

Use simple terms and scenarios to describe data breach/privacy insurance. For example, if you start by asking clients whether they have any personally identifiable information (PII) on their customers or employees and if they have concerns about what would happen if it got out—not because of some hacker from China but rather a disgruntled employee, a frequent occurrence these days—you'll likely get their attention. If you talk about the problems caused if sensitive company data was made public—from financials to salaries—they'll probably lean in even closer.


Most businesses with any employees have PII in some form or another, making it an excellent starting point for discussing cyber protection. All firms with payroll or 401(k) plans have Social Security numbers. If they offer health insurance and medical benefits, even more sensitive information is on hand that needs to be protected.

Many businesses are unaware of the growing list of regulations governing the unauthorized use of PII. Because there is no single federal law regarding protection of personal information, 47 states now have their own regulations. The definition of what constitutes PII, the notification process, and fines and penalties for not reporting a breach vary by state. Most data breach/privacy insurance will cover the costs associated with hiring attorneys and forensic IT experts, notifying customers, providing annual credit monitoring, and any state or federal fines or penalties. If your clients think it's not a big deal to write and send the necessary notification letters, ask them to think again. Symantec estimates the cost of notification runs about $190 per record–about $10,000 for a firm with a little more than 50 employees. Imagine if it also had to notify dozens, if not hundreds, of customers.

2. Remind That Coverage Extends to Media Liability

Data breach/privacy policies typically include media liability coverage, a huge plus for many businesses. Virtually anything a company or its employee does gathering and distributing information to the public via a website or other communication (email, social media, desktop publishing, etc.) is covered against claims, including defamation, libel, invasion of privacy, copyright and trademark infringement, unfair competition, piracy, and plagiarism.

Virtually every business in America now uses these methods of communication and thus has media exposure. In recent years, with more companies actively dialoguing with consumers online, this type of coverage is proving even more valuable. For example, when a customer posts something to a firm's social media page that causes injury to a third party, the company can be liable.


3. Understand The Gray Areas

Customers are frequently confused when it comes to understanding cyber protection compared with other insurances. Cyber coverages can combine third-party liability coverages with first-party coverages. Take the case of a breach: The policy will cover the liability incurred as a result of damages to the breached parties, as well as the business interruption from the downtime the firm suffers as a result of the breach. Some cyber products incorporate E&O; others do not. As the agent or broker, it's important to clearly understand the differences, determine the appropriate exposures and needed coverages, and educate your customers.

For example, a software developer needs a technology E&O policy to cover liabilities that arise from providing software products and services. On the other hand, local retailers, or even insurance agencies, do not have a technology E&O exposure, but do have exposures related to acquiring, storing, and transmitting customer data, typically credit card information and other PII. So the local retailer or insurance agency needs a data breach/privacy policy. The differences are clear.

But the line between the two blurs when a technology company that creates tech products or services also stores and transmits customer data. In this case, the business needs both technology E&O and data breach/privacy coverage, which it can purchase via two separate policies or with a technology E&O policy with built-in data breach/privacy coverage.


Businesses that use a third party or cloud vendor that stores the data are still responsible in the case of a data breach. Some businesses mistakenly believe that their property policy's business interruption coverage will kick in as a result of a data breach, but those policies typically exclude outages caused by computer hackers. If you're comfortable talking to your customers about business interruption in the context of property loss, data breach/privacy insurance is essentially business interruption in the context of an IT issue.

4. Make The Case For Benefits Beyond Insurance Coverage

People think of insurance as repayment after the fact: If your home burns down, you'll get the funds to cover the damages and rebuild. Data breach/privacy insurance obviously has the component of paying a company's liability following a breach, but the right policy will also cover other essentials for the small to middle market customer who might not have the time or resources to understand proper risk control. Although every step taken is important, simple efforts such as firewalls will provide little protection in the face of an employee error, rogue employee, or lost laptops, tablets, and smartphones.

Some carriers have taken the initiative to build crucial pre-loss risk management and “first responder” services around data breach/privacy products, such as crisis mitigation, IT forensics, and legal services. With one phone call, a business experiencing a breach immediately can access a variety of experts to help manage and mitigate the impact of the crisis. One insurance carrier makes sure that after purchase every policyholder is contacted by a privacy and security advisor who will explain in detail the risk mitigation and loss control services included and how to take advantage of them. Things like sample business continuity plans and state-by-state compliance data are also made available through secured Web access.

Imagine the recovery of a firm that makes one call to the first responder to coordinate risk mitigation and crisis management versus a firm that after a breach has to begin the process of identifying and retaining the legal, technology and public relations experts needed to manage the crisis. Weeks of valuable time would be lost in the second scenario.

So cyber coverage is not as simple as, “Here's $600,000 because your house burned down.” It addresses what happened, where the hacker went, how to avoid being sued, and how to mitigate the tide of damage to your overall reputation. And if you are sued, in addition to paying for that liability, the coverage will minimize the impact of the lawsuit and damages to third parties.

Explain to potential customers that having the right data breach/privacy policy could effectively provide them with a team of world-class consultants on retainer.
