On a number of occasions I got questions (from brokers/clients/insurance carriers) on the length of the process that it takes for a first time buyer to actually purchase a cyber insurance. Sometimes the process takes just a couple of weeks, especially when there is a business need to have a cyber insurance in place to comply with contractual obligations (i.e. services or products will not get sold without the insurance). However, in the majority of cases it takes quite some time (up to multiple years) before the company decides to actually purchase cyber insurance. In this article I will try to explain why I think it takes companies a long time to come to a purchase decision.
Although, the explanation itself will be applicable on a lot of sales processes, I feel this is especially relevant for cyber insurance as this is still a relatively new line of business when compared with for example property damage & business interruption insurance, general liability insurance, D&O insurance (director's and officers's liability) & crime insurance. These have been well established insurance products (literally around for ages) and purchased by companies for a large number of years and the continued need for these types of insurance will seldom be a point of discussion within the companies.
If you are reading this article and are by now put off by the fact that I called it a sales process, please continue reading because this will soon be turning into a buying problem instead of a sales problem. When your company is affected by this "problem" this might leave it vulnerable without the backing of an insurance. In my view the purchase of a cyber insurance is a very viable option to transfer a large portion of the cyber risks in an economically responsible way to insurance companies and it would be unfortunate if it is not available for your company when the cyber risk manifests itself (in the event of for example a ransomware attack or a data breach).
When we continue the article it will be a lot about the buying side. But it goes without saying that your insurance advisor should be very knowledgable about all topics concerning cyber insurance and should be able to guide you through the process, give you excellent advise and provide you with top notch insurance coverage in case you decide to purchase cyber insurance (which you should :-)).
5.4 Stakeholders
As an insurance advisor in the field of cyber insurance, I felt already in the early stages that we needed to onboard as much people as possible on the client side in the initial phase of discussions on the topic of cyber insurance for their companies.
When I read the book "The Challenger Customer" in 2016 a number of puzzle pieces fel into place with what I experienced in practice when discussion cyber risks and cyber insurance with clients. The book is based on CED research (formerly named Corporate Executive Board, now a part of Gartner) which provides a number of valuable insights.
One of the things their research shows is that on average 5.4 different stakeholders (people or even committees) are involved in the decision taking of a typical B2B purchase. As an insurance advisor you are typically not in contact with this entire group on a ongoing basis, but mostly a small subset.
Customer Purchase intent
A second thing that CED analysis reveals with respect to this group of stakeholders is that there is a correlation with respect to the likelihood of a purchase and the size of the buying team. When you look a the graph you will notice a big drop in the likelihood when there is more then 1 team member involved and an even further drop when the team size becomes bigger than 5 team members.
In the book this is called a oneway ticket towards indecision. And this is something which is very recognisable from what we see in practice. In number of cases there is no feedback from clients on the progress and there does not seem to have been a clear decision within the company on whether or not to purchase insurance coverage.
Personally, I prefer a substantiated Yes or No over indecision!
Customer Purchase Progress
A third interesting finding by CED is the moment on which clients are reaching out to suppliers. For a typical B2B purchase this averages out at 57% of the way of the purchase process.
Personally, I found this very interesting (expected to be earlier in the process) and this means that we as risk advisors need to find a way to provide our valuable insights (on risks / coverage / pricing / claims data / prevention) to our clients even before they approach us. Access to these insights will enable them to make more informed decisions. This is also one of the reasons for setting up this website.
Divergent Mental Models
To get a better understanding of the effect of the 5.4 stakeholders it is good to know that each of these stakeholders has its own: goals, priorities, means & metrics. A nice way to illustrate this is by the use of a Venn diagram. Although, there are 5.4 stakeholders the used Venn diagram is restricted to 3 evenly placed circles to create a more clear visualisation. The overlap of the three circles is the single point of agreement between the 3 stakeholders. The bigger the overlap is, the more likely you will get a collective yes from the group.
An example of different metrics would be the quantification of risk. The chief information security officer (CISO) may have a different understanding of what the relevant costs and business income loss in case of a cyber incident are than the Chief Financial Officer (CFO) who oversees the entire business.
Customer Purchase Process
In the book the customer purchase process is described as three phases:
- Phase 1: The customers status quo
- Phase 2: Individual willingness to explore alternate course of action
- Phase 3: Group consensus on high-quality deal
A lot of the conversations between the respective stakeholders will be done at respective intervals and places where we as insurance advisor are not present. That's why we regularly need to check in to inquire whether or not additional assistance/information is required.
During the different phases it is good to special attention to those stakeholders that the book calls Mobilizers. These are the type of persons that can influence the other stakeholders within the company and help with the alignment between the stakeholders. As mentioned earlier the main point of contact of an insurance advisor will be the person (stakeholder) that manages the insurance portfolio. In some cases these are professionals dedicated to risk and/or insurance management on a full time basis or for a large portion of their working week. In other cases it might be a person in the Treasury or Legal department where the procurement of insurance is "only" a small part of their daily work. You might encounter people who feel that the decision to purchase another type of insurance is not theirs to make.
What does this mean in practice?
In the paragraphs above I have tried to explain why I feel these processes need their time to be completed. For a large group of our clients we have been successful in completing this path together and in the vast majority of cases this has led to the purchase of a cyber insurance.
During the respective stages we try to have as much interactive sessions with the client as possible in order to understand the different needs of the stakeholders. Topics that we address are amongst other the following:
- Kickoff with preferably all stakeholders in initial phase (insurance buyer, IT security, Legal, Finance, Business representatives)
- Set the stage, make sure that everybody has the same view on what cyber risks and cyber insurance are.
- Explain coverage (traditional vs cyber) there are still many misconceptions)), why is a new insurance required.
- Share insights (for example real live claims examples & expected loss amounts).
- Explain that cyber insurance is complementary to IT-security and not a replacement (and vice versa)
In the PDF below you will find all the graphics of this article in one easy file.