Canadian Underwriter

5 client objections to buying cyber, and how to overcome them

November 14, 2022   by Philip Porado

System hacked sign on computer screen

Print this page Share

When it comes to risk, your clients can be full of excuses. That tendency to deflect is particularly acute when discussions turn to cyber coverage.

“My favorite one was ‘We outsource everything,’” which implies someone else was taking on all the company’s risks, including cyber risk, said Morgan Grady, who works in business development for San Francisco-based cyber insurance and security provider Coalition.

During a webinar last week, she called the global cyber market “one of the fastest growing segments in the commercial insurance industry,” driven by the reliance of nearly every business on technology.

Grady addressed five objections frequently heard by brokers discussing cyber coverage with clients:


Objection 1: We’re too small (or very local).

“Places like local flower shops, contractors, medical practices — these are going to be the organizations that nowadays are likely the largest targets for bad actors,” she said.

However, owners of these small businesses tend to think large retailers and other companies that store reams of customer and process data in their systems are in greater need of insuring against a cyber attack.

Although cyber criminals do often hit large conglomerates, they also go after targets of opportunity, such as small- to medium-sized businesses. “The basic technology stack, such as email, payroll and benefits all lives online,” Grady said. “And these types of [businesses] don’t have budget to spend on top-of-the-line security practices.

“So the paradigm of ‘I’m not a target for cyber attacks’ is irrelevant, because bad actors are looking for low-hanging fruit.”


Objection 2: We don’t rely on technology.

To debunk that argument, just point out you reached the client by email. And then explain how people have ceased to see older technologies such as email as a risk.

“Most basic services, like calling texting and emailing, can present an entry for cyber criminals,” said Grady.

Firms that don’t view themselves as technology-dependent likely also use finance or payroll programs; many manage their orders and inventories online.

While these business owners believe the hardest things to replace are physical assets housed at business sites, Grady disagreed. “It’s easier to replace the physical items in the store than it is to replace employee payroll data and years of financial history,” she said.


Objection 3: I’m already protected from cyber threats.

Many insureds try to protect themselves, but cyber criminals – particularly those using email phishing attacks – often exploit human error rather than the tech systems’ vulnerabilities.

“Even if you have the shiniest new bells and whistles…people are always the weakest link in this chain,” Grady said.

What’s more, breaches at managed service providers (MSPs) that work with multiple client organizations, can hurt companies that contract with them. And, Grady noted, MSPs’ insurance won’t necessarily protect their clients.

“Do you really think that their insurance is gonna cover all those individuals? Most likely, it’s not,” she said.


Objection 4: I’m covered by my existing policy.

Cyber coverage may sometimes overlap with the coverage contained in a general liability policy, but Grady noted cyber coverage in a CGL policy is not comprehensive. Standalone cyber coverage is important in particular situations, such as when a customer sues following a breach, because it can pay for things like defense costs and damages.

“That breach response…really helps during a time that is likely the most stressful in a company’s history,” she said.

Coverages can also address loss of business income, which is particularly important for entrepreneurs. “If you’re down for a week, or month, are you able to sustain yourself?” she asked.


Objection 5: Standalone cyber coverage is expensive.

This one can be hard to deflect, Grady conceded, but emerging modular coverages are making pricing a bit more affordable for companies with focused risks.

And that’s good, because global incident data her firm’s compiled showed a 20% increase in companies’ average losses – which is now just under US$200,000.

“Even a medium-sized loss could potentially bring your entire business down if it’s a small- to medium-sized business,” she said.


Feature image by