SMALL DOESN’T MEAN SMALL WHEN IT COMES TO CYBER RISK
Five ways that agents can sell more cyber coverage and protect small business clients
By Robert Holt
Some believe that only large corporations are at risk. That’s a misconception. No target is too small in the world of cyberattacks. Not only are small businesses just as susceptible as bigger companies, but they often face more risks because they lack sophisticated protections.
According to Verizon’s 2021 Data Breach Investigations Report, 61% of small businesses reported at least one cyberattack during the previous year. A cyberbreach can lead to severe financial losses and diminished consumer trust. For small businesses, an attack can be catastrophic.
As the risks increase, there is no better time for agents to make sure clients are protected. But convincing small business customers to get insurance coverage can be a challenge. There’s often a lack of awareness about the threat itself. Many think their firms are too small to be on criminals’ radars. Others assume cyber products aren’t a good fit for their operations or think their current standard BOP or E&O policies provide adequate protection.
No matter how you look at it, most small businesses underestimate their risks. They may view cyberattacks too narrowly, not understanding that various cyber schemes like phishing, ransomware, and social engineering are proliferating.
The risks are significant. Employees themselves can be gateways for hackers to infiltrate businesses. Technology vendors present another risk. If a business shares customer data with a vendor that experiences a breach, the small business can still be responsible for protecting customers’ information. And depending on endorsements, BOP or E&O policies might not cover a particular type of attack.
But selling cyber coverage comes with its own challenges. It is a fairly new line of business. It’s important to get up to speed on different coverage models, including what they cover. Many resources are available to help agents understand different policies and associated small business risks.
The PIA and The PIA Partnership recently launched Winning@Cybersecurity Defense, a resource created to educate agents and their clients about the most common cyber dangers faced by small and mid-sized businesses, as well as the business practices and insurance coverages that can reduce these risks. Agents can also reach out to the carriers they work with for information and guidance.
In addition to cyber risk education, here are five ways agents can sell more cyber coverage, ultimately protecting their small business customers.
- Every discussion about cyber starts by asking good questions. Asking the right questions will help uncover customers’ true cyber exposures. A good discussion enables them to see how vulnerable they are. Questions can include:
  - How much consumer data do you have?
  - Do you store their data in your system, in the cloud, or with a vendor?
  - Do you have employees who work from home?
  - Do you deal with vendors that access your consumer data?
  - What do your vendor agreements say about data protection?
  - Can employees use their own devices?
  - Can you talk about the importance of your business’s reputation?
In addition to asking questions, agents should be prepared to answer questions, too. There are many things a small business owner will want to know:
  - Why do I need a stand-alone policy if my BOP policy has an endorsement?
  - Why would I need cyber insurance if I don’t have a technology business?
  - Exactly what is cyber insurance; what does it cover?
  - I’ve never been attacked; why do I need cyber insurance now?
  - Why hasn’t anyone else talked to me about cyber risk?
It can be helpful to brainstorm possible customer questions to be prepared with the answers that small business owners need.
- Show them the money; help clients understand how much a breach can cost. Money talks, especially when you’re convincing business owners they need cyber coverage. They might not understand the financial toll. Different types of attacks can come with different price tags. For example, if a small business is hacked and customer data is compromised, it can cost $141 or more per record to rectify. If a hacker steals data from 1,000 customers, that adds up to $141,000-plus.
In a ransomware attack, the small business’s files are locked and only released with a ransom. Ransoms can range from the low thousands into the hundreds of thousands. In a social engineering scheme, an employee can be tricked into wiring money to a hacker’s account. The damages can be significant.
- Real stories make a difference. Examples from similar businesses can take what may seem like a hypothetical cyber risk and ground it in reality. For example, if an agent works with a family restaurant, a real story about a hacker stealing credit card information can be very meaningful. Including how much it cost the restaurant to recover from the attack, as well as how insurance could have made the difference, is critical.
But not all case stories have to be negative. There are many positive stories of businesses that had cyber coverage and were able to recover from an attack. If a business owner sees their peers purchasing cyber coverage, it could be a good incentive for them to also buy a policy.
- Complex options call for simple solutions. With a new product like cyber, clients are going to have a lot of questions. Presenting a quote is not enough. It’s important to be very detailed about what types of attacks are covered and which ones are not.
Review insurers’ responses based on premium, as well as coverage terms and conditions, limits and deductibles. Read through proposals with the client so they can truly understand how the policies work. Compare them to each other and provide guidance on which coverage is best, based on the risks. For example, if a business does not handle sensitive information from clients, but their workforce is mostly remote, they might want a policy geared more toward ransomware rather than data breach protection.
- Take a comprehensive view of the business risks. Cyber coverage shouldn’t be an add on. It’s important that it’s not viewed as something tacked on at the end after discussing BOP, workers comp and other more mainstream coverages. Cyber risk should be part of the core conversation, part of the prime risk discussion. It’s important to help clients understand that insuring cyber risks is just as important as insuring a fleet of cars or their business property.
If an agent doesn’t bring up cyber with their clients, they should expect that someone else will. Though cyber insurance is a new coverage, it’s no longer a “nice to have;” it’s table stakes. Agents need to make sure to include cyber in their discussions with small business customers and offer holistic risk protection.
The author
Robert Holt is vice president, Products and Services, at the National Association of Professional Insurance Agents (PIA), where he oversees functions related to the development and marketing of products and services for members of the association to drive revenue. He is a sales leader and is at the forefront of bringing B2C marketing ideas and analytics along with marketing automation technology to the insurance advising and sales process.