Cyber Savvy Broker: Derek May

As technology transforms the economy, businesses of all sizes must navigate a new kind of risk: digital risk.

The most successful brokers must prepare to help their clients navigate these complex risks. Our "Cyber Savvy Broker" series highlights forward-thinking brokers with the knowledge and skills to help their clients navigate this digital transformation.

This month, we spoke with Derek May, Vice President of Technology & Cyber at HUB International. In our conversation, Derek shared which industry should consider purchasing higher limits, which clients are the most challenging to work with, and how he interacts with clients well before renewals to ensure there are no surprises.   

What is the most important thing you look for in an insurance policy outside of price?

It’s ransomware or extortion coverage. Second to that, it’s the cybercrime or social engineering element. 

Those are the two areas that I hone in on because there have been a lot of fluctuations in where the markets have been and where they are today. Some insurers still offer full coverage and some added coinsurance clauses. If you're not careful, you might think you're offering a policy that provides full limits and coverage in a specific area, but in a claim, you might find out that that's not the case.

Which buyers are the easiest or most challenging when working with your clients?

It has changed dramatically in my 12 years in this industry. About six years ago, I’d see many people with arms crossed in our meetings. Many IT guys were unhappy to be in a meeting about cyber insurance. Their CFO or CEO would pull us in because they thought it was necessary. 

More often than not, the IT guys were trying to reassure us that they knew best and could protect the systems better than an insurance policy could. It took a while to change that narrative to say, “No, we're not competing against each other; we're actually working with you.” We want to create a safety net if there's a human error and systems are compromised. 

Once we got them on our side, the conversation flowed quite well. IT guys are our biggest champions now. They're the ones who want the policy in place because they see the value and understand that it's not competing with them. 

As far as working with difficult clients, they don't necessarily understand the risk and come into that conversation thinking they don't have any risk or will not get hacked. When talking to these clients, I systematically show them how a cyber attack could happen and expose them to some of the realities of their cyber risk. It all comes back to how they enter that conversation if they come in with an open mind. 

Which industries do you work with most frequently, and what are the most significant risks they face?

A large portion of my book is technology. Tech companies are in an ever-changing environment and typically push the envelope of what they're trying to do from a tech perspective. It can open the door for more exposure—especially for tech companies digitizing personal health records or other personally identifiable information.

My role is to educate them on their evolving risk and get underwriters on board to understand that the risk is palatable to underwrite at a decent rate.

Outside of tech,  I see many wide-ranging accounts, from mining and auto dealerships to retail and hospitality. 

Most businesses would agree that they're all subject to the same risks. No one is immune to ransomware or business email compromise, and everybody uses technologies that could be targeted. Therefore, I wouldn't point out any particular risks for one industry since everybody has similar risks. Some are just less aware of those risks than others.

Is there an industry that still needs to adopt cyber insurance that should?

There's some room for auto dealers to grow in the limits they purchase. From what I've seen, they tend to have low limits that can easily get exhausted.

It’s one of our bigger challenges for that sector, and it's something that we continue to educate them on. When I present to auto dealer groups, I stress that we’ve seen quite a few full limit losses in the sector due to the low limits carried. I emphasize, given the rising claim costs, that they would be well-served to have more protection in this area, so they’re less likely to pay anything out of pocket in the event of a cyber incident. That said, we understand there's a balance between what their budget will allow and what they’re willing to insure.

It's a constant struggle, but we have seen some movement lately with larger dealers exploring different options. Overall, they have room to grow with respect to being appropriately insured.

Do you like getting involved, or do you prefer to let your clients work directly with insurers to mitigate risks during their policy period?

We're heavily involved, especially in the renewal process, so that we can guide clients regarding their security. We review the application with a client and provide suggestions. We work hand in hand with the insurers and the client to understand what the insurers are looking for and to ensure that, when we go to renewal, they're already prepped so there are no surprises.

How do you keep your clients up-to-date with essential cyber protections to avoid the most likely incidents and claims?

We provide guidance from a security perspective for the must-haves that our clients need in place that will lead to a successful renewal. We work in advance to review the client’s security posture and have the client understand the insurer’s expectations so that any items can be addressed well in advance of renewal. 

We also recommend they log into Coalition Control and the technology services provided by Coalition and partner discounts offered. Those have been quite valuable, and clients have appreciated the additional support that Coalition brings.

How does your role change when one of your clients experiences a claim?

We pride ourselves in being an internal breach coach. Obviously, the client has an external breach coach in the privacy lawyer, but we try to coach them through some non-legal issues. 

We've had cases in the past where there has been a conflict of personalities. In that instance, we help them navigate by suggesting that a different representative be appointed or work with a different firm where there's a greater comfort level. Being an internal breach coach is hugely valuable to our clients so they know we haven’t pushed them off to the insurer and said, “Good luck.”

Improve your cyber knowledge with Coalition

Cyber insurance is one of the fastest-growing insurance products and a massive opportunity for brokers to grow their book of business. Coalition's Cyber Savvy program equips you with the tools and knowledge to deepen your cyber risk expertise and advise (and protect!) your clients. 

You can access more free Cyber Savvy Broker resources to continue learning.