Do you know these five myths about insuring cyber risks?
1. Cyber security risk ratings tools provide the best indicators of client technology risks.
Risk information vendors sell risk rating reports based on a scan of the company's website (which they term "externally observable data"). Some firms awarded an "A" grade or "98% score" for electronic security believe this means they're all set when it comes to cyber security.
(Photo: Adobe Stock)
These services — Security Scorecard and BitSight, among other examples — vary. But as one example, a service may simply take a domain name and find open ports and other publicly facing cyber risks outside the firm's firewall. Some so-called security reviews may also look at internal computer systems.
Continue on the next slide...
Cortex Expanse by Palo Alto Networks, a firm that monitors the global internet attack surface, reports in an industry brief: "Security ratings are a dangerous fantasy," rife with "inaccurate results, lousy data, no predictive power, false confidence, false security."
Issues spotted by remote electronic testing from outside of a firewall can be risky, for sure. But this testing is hardly an analysis of the state of resilience within a company.
Scans have no capability to help predict a problem and can never be entirely relied on to determine one's risk resiliency.
The shortcoming: These types of services do not do any risk assessment on any cloud computing or storage capabilities the company relies on.
While not all agents and clients turn to such an elementary risk assessment, many do. When they do, a glowing "cyber report" can often lead to a false sense of security.
If a cyber client or prospect is relying on that type of assessment, shame on you as their insurance professional. It simply doesn't tell you enough for anyone to make a complete judgment of cyber risk.
2. Clients believe the cloud protects them from most of their security risks.
Many SMBs that seek an external data review may learn little more than how well the company set up Google Gmail or Workspace or whether WordPress components are updated. It does not look at any items behind the security firewall.
Many of these same firms do not have on-premise tech infrastructure. Instead, they've turned to cloud storage and cloud computing for resources and to lessen their in-house technology load.
Continue on the next slide…
But in reality, cloud computing brings the threat of data breaches, a common problem for businesses owners who use it. Most breaches occur through the front door using lost or stolen credentials. Unless basic protections are followed, users who back up data to the cloud can inadvertently overwrite "good files" with ransomware-locked files that have been maliciously and stealthily added. A business based in the cloud does not have to worry about patching or updating the cloud servers. But they still need to pay attention to their employees' computers, among other risk factors.
In fact, the cyber risk profiles of a cloud-based and a business-based system have significant overlap. In a recent conversation, a real estate manager with 2,000 units asked me: "Why do I need anything else when I'm in the cloud?" It's a fallacy that "cloud" means "safe."
3. Clients think hackers do not care about their small businesses.
Fact: Small and midsized businesses are prime targets for cybercriminals. Their data is a goldmine — even better, they typically lack a robust security infrastructure. Targeted information includes Social Security numbers, bank account information, confidential business information, credit card numbers, and medical records. In addition to stealing sensitive information, cybercriminals attack for profit.
Ransomware and the payments criminals can get from it are part of a growth industry. Some statistics:
(Photo: Adobe Stock)
- 43% of data breaches target small businesses.
- 61% of all SMBs have reported at least one cyberattack in the previous year, according to Cyber Security Magazine.
- 40% of small businesses (with 250–499 employees) surveyed by Cisco experienced a cyberattack involving eight hours or more of downtime.
4. Agents think a mountain of technology jargon will impress clients and prospects.
In reality, nothing could be further from the truth. Many "solutions" coming from the world of "bleeding-edge" technology are failing to connect with small and midsized businesses.
(Photo: Adobe Stock)
Perhaps they're too often using jargon to impress clients as a means to sell rather than to inform them. Industry Jargon has been shown to thrive when it provides shortcuts to useful information by peers in the same industry.
But when used unnecessarily to complicate something that is already confusing, it falls flat. Experts believe this is done sometimes to compensate for shortcomings or lack of knowledge in a particular field, and it leaves clients turned off.
The guidance we follow and give to our independent agent and broker customers is: Speak business, focus on strong business outcomes, and seek to be understood.
Here's a free article from Harvard Business Review on how to deal productively with jargon: “Does Your Office Have a Jargon Problem?”
5. Business owners and other cyber insurance clients or prospects can't wait for the next "homework assignment."
They are eagerly waiting with bated breath to fill out the insurance company's updated cyber info form. They don't have enough email already, so they are impatiently waiting for an unlabeled, third-party link to visit an online diligence portal about cyber security with 100 detailed questions.
(Photo: thodonal/Adobe Stock)
That was sarcastic, for sure, but not far from the truth: Insurance company underwriters are asking for risk information already provided to be updated for a routine renewal.
Insurers are requiring every prospect to attend a webinar, acknowledge receiving numerous documents about cyber risks, and/or take "quizzes" to test their knowledge of cyber risk.
In fact, clients don't necessarily want or even need knowledge about cyber risk. Yes, they need to know how to operate efficiently. But what they really want from their insurance companies, agents or brokers, and cyber assessment firms is protection rather than knowledge.
Independent agents and brokers serving small and medium-sized businesses (SMBs) must keep up with twists and turns in cyber risk and cyber insurance. If they don’t, their clients and prospects can turn to “do it yourself” or other less-than-adequate tools to evaluate and report cyber information about their companies.
To combat this, read the above slideshow for the five myths about cyber risks, along with more relevant information that agents can share with clients.
Dean Mechlowitz is co-founder of TEKRiSQ, a firm that transforms small and mid-sized business cybersecurity preparedness to simplify the way organizations protect themselves. As an enterprise software and tech-focused sales leader in insurance and other industry sectors, Mechlowitz has worked with startup firms and Fortune 100 companies. He is a cybersecurity authority with experience auditing large enterprises for NIST (National Institute of Standards and Technology) performance. He can be reached at [email protected].
The opinions expressed here are the author’s own.
Copyright © 2022 ALM Media Properties, LLC. All Rights Reserved.