Your agency is the target
Most of the cyber conversation in the industry is framed from the placement side: how to talk to your clients about their exposure, how to position the coverage. This article is about you. Your management system holds dates of birth, driver's license numbers, SSNs on commercial accounts, banking information on premium finance arrangements, scanned ID images, and a decade of email correspondence about all of it. That is exactly the kind of data attackers value.
A credible standalone cyber policy and a thin endorsement on your BOP can look similar on the page and behave very differently when the bills start coming in. Three reasons a real cyber program belongs in every agency's coverage stack: it responds to first-party costs of your own incident (forensics, breach notification, business interruption while your producers cannot quote or bind); it picks up third-party defense and indemnity when clients or regulators bring claims against you; and it addresses cybercrime (wire fraud, social engineering, deception), one of the most contested overlap areas between cyber and crime coverage.
Two claim scenarios worth sitting with
Consider an agency whose office manager receives an email that appears to come from a long-time carrier contact, asking her to update wiring instructions for the agency's premium trust account. She updates the routing information without a callback. Three days later, $180,000 in client premium has been wired to the wrong place. The agency's BOP cyber endorsement carries a $25,000 cybercrime sublimit. The gap between the loss amount and the limit is real and the impact is immediate.
A second scenario. A producer clicks a link in a routine-looking certificate request. Ransomware encrypts the management system. The agency is offline for six days. Forensics costs run $90,000 by week two. Breach notification to 14,000 clients (the file holds SSNs, driver's licenses, household data) runs another $75,000. The BOP endorsement carries a $50,000 first-party limit. A standalone policy sized for the exposure would have responded differently.
Questions worth raising with whoever placed your cyber coverage
- Is the cyber on our program an endorsement or a true standalone policy, and what is the limit on each of the three buckets (first-party, third-party, cybercrime) separately?
- How is social engineering fraud treated on the current form, and what controls does the carrier expect us to have in place to keep that coverage in force (for example, callback verification of any wire or payee-detail change using a phone number already on file rather than one supplied in the request, and dual authorization on payments above a set threshold)?
- Are breach notification, regulatory defense, and reputational harm capacities sized for the number of client records we actually hold, or are they sublimited to numbers that would run out in the first week of a real event?
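The two controls carriers most often ask about, callback verification on routing changes and dual authorization above a threshold, are easy to state and easy to get subtly wrong. The following Python model is an added example for this article, not code from the page or from any carrier or agency system; the carrier name, account numbers, phone numbers and the $10,000 threshold are constructed assumptions. It replays the premium-trust scenario from the first claim above with both controls enforced, and in particular shows why the callback has to go to the number on file and not to a number in the email.

```python
"""Constructed model of two wire-fraud controls: callback verification on
payee routing changes and dual authorization on wires above a threshold.
All names, numbers and the threshold below are illustrative assumptions."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Optional, Set

DUAL_AUTH_THRESHOLD = Decimal("10000")  # assumed threshold; set per agency policy


class ControlViolation(Exception):
    """Raised when a request would bypass a required control."""


@dataclass
class Payee:
    name: str
    routing: str
    account: str
    phone_on_file: str  # captured at onboarding, never taken from an inbound message


@dataclass
class RoutingChange:
    payee: str
    new_routing: str
    new_account: str
    requested_by: str
    channel: str                        # e.g. "email", "portal"
    callback_to: Optional[str] = None   # number actually dialed for verification
    callback_confirmed: bool = False


class WireControls:
    def __init__(self, payees: Dict[str, Payee]):
        self.payees = payees
        self.audit: List[str] = []

    def record_callback(self, change: RoutingChange, number_dialed: str, confirmed: bool) -> None:
        """Callback verification: the call must go to the number already on file.
        A number supplied inside the request is exactly what an attacker controls."""
        on_file = self.payees[change.payee].phone_on_file
        if number_dialed != on_file:
            self.audit.append(f"REJECT callback to {number_dialed}; number on file is {on_file}")
            raise ControlViolation("callback must use the phone number on file")
        change.callback_to = number_dialed
        change.callback_confirmed = confirmed
        self.audit.append(f"callback to {number_dialed} confirmed={confirmed}")

    def apply_change(self, change: RoutingChange) -> Payee:
        """Routing changes take effect only after the contact on file confirms them,
        however convincing the requesting message looked."""
        if not change.callback_confirmed:
            self.audit.append(f"REJECT routing change for {change.payee} via {change.channel}: callback not confirmed")
            raise ControlViolation("routing change not verified by callback")
        payee = self.payees[change.payee]
        payee.routing, payee.account = change.new_routing, change.new_account
        self.audit.append(f"routing change for {change.payee} applied after callback")
        return payee

    def release_wire(self, payee: str, amount, initiator: str, approvers: Set[str]) -> dict:
        """Dual authorization: above the threshold, at least one approver other
        than the initiator must sign off before funds move."""
        amount = Decimal(amount)
        independent = approvers - {initiator}
        if amount > DUAL_AUTH_THRESHOLD and not independent:
            self.audit.append(f"REJECT wire {amount} to {payee}: needs a second approver")
            raise ControlViolation("dual authorization required above threshold")
        self.audit.append(f"wire {amount} to {payee} released, approvers={sorted(approvers)}")
        p = self.payees[payee]
        return {"payee": payee, "amount": amount, "routing": p.routing, "account": p.account}


def demo() -> List[str]:
    """Replays the premium-trust scenario with the controls in place; returns the audit trail."""
    controls = WireControls({"Carrier A": Payee("Carrier A", "021000021", "111222333", "+1-555-0100")})
    change = RoutingChange("Carrier A", "026009593", "999888777", "office_mgr", "email")
    # 1. Applying the emailed change with no callback at all is refused.
    try:
        controls.apply_change(change)
    except ControlViolation:
        pass
    # 2. Calling a number taken from the email itself is refused.
    try:
        controls.record_callback(change, "+1-555-0199", confirmed=True)
    except ControlViolation:
        pass
    # 3. Calling the number on file: the real contact denies the request, so the change is refused.
    controls.record_callback(change, "+1-555-0100", confirmed=False)
    try:
        controls.apply_change(change)
    except ControlViolation:
        pass
    # 4. A $180,000 wire to the unchanged payee still needs a second approver.
    try:
        controls.release_wire("Carrier A", "180000", "office_mgr", {"office_mgr"})
    except ControlViolation:
        pass
    controls.release_wire("Carrier A", "180000", "office_mgr", {"office_mgr", "principal"})
    return controls.audit
```

The audit trail is the part a carrier or forensic examiner will ask for after a loss, so each rejection is logged with the reason rather than silently dropped. Note that the model deliberately has no way to mark a change as verified except through a call to the number on file.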
The agencies that get hit do not get hit because they are big targets. They get hit because they are reachable ones.
Where E&O ends and cyber begins
The single biggest gap in most agency programs sits between E&O and cyber. E&O is professional liability; it responds when something about how you did the work creates a claim. Cyber responds when something about how your systems were configured, accessed, or compromised creates a claim. The two policies can look like they overlap; they generally do not in the places that matter. What an E&O policy typically excludes for cyber is worth its own conversation. A program that holds up under pressure has both lines placed deliberately, with attention to where one ends and the other picks up.
Cyber is one of the coverage lines where the difference between a thin endorsement and a real standalone policy shows up in the worst possible moment. Happy to walk through your current setup.
