1 — DO NOT buy additional limits of coverage based on the worst-case scenario. Think instead about what type of situation your company could respond to and buy limits for that situation. For example, if you’re an early-stage fintech or digital health company with access to personal financial or healthcare information, could you actually respond to a massive breach of the information you have access to? Most likely not, as your reputation would be shot. So don’t waste money on limits thinking about that worst-case scenario; think about the small breach, outage, ransomware, or other technology failure that you could respond to.
2 — DO NOT buy coverage or additional limits just because a client asks you to. Ask them what specific risk they’re concerned about and how the insurance coverage they’ve asked for supports that risk transfer. Many times your clients have a generic set of insurance requirements they place on all of their vendors, but those requirements may not be relevant to the products or services you provide for them. A few years ago, a fintech client of ours was working with a large bank that required a $50mm umbrella policy for all vendors. When we pushed back and explained to the risk manager what the company actually did, she agreed to remove the requirement. We see this frequently when it comes to professional and cyber liability, as many of your clients don’t understand what those policies actually cover.
3 — DO NOT buy insurance instead of implementing best practices when it comes to risk management and safety. Sometimes we get the question, “why should I put up cameras, I buy insurance to cover theft,” or “why should I educate my employees on spearphishing, I buy cyber crime coverage.” The biggest driver of insurance costs is insurance claims. Insurance isn’t meant to be a replacement for risk management; it’s one piece of the risk management puzzle.
4 — DO NOT buy insurance to provide primary coverage against failures by your vendors or subcontractors. Your insurance should be a safety net to protect your company when your vendor’s or subcontractor’s insurance program does not properly respond or exhausts the limits. Risk transfer is only as good as the financial mechanism to support the risk transfer. It’s important as a risk management/insurance broker that you help your clients take a proactive approach to vendor and subcontractor due diligence.