Cyber Security Marketing Strategies: The Insurance Challenge
By Stacy Willis
Let's begin with an old tool to explain difficult ideas: a car analogy.
When you buy a new car, you also have to think about the car insurance you're going to buy along with it. Insurance coverage varies — there are a number of different types you can purchase, from plans that cover the costs of repair after an accident to comprehensive plans that also cover losses such as weather damage or theft. In addition, purchasing insurance doesn't give you a license to drive as recklessly as you want just because you know that your insurance company will cover the costs if you get into an accident.
Similarly, just as car insurance isn't a one-size-fits-all solution, cyber insurance is not the panacea to all of a company's IT problems.
Unfortunately, developing effective cyber security marketing strategies around cyber insurance is challenging because your audience generally doesn't completely understand what it is that they're purchasing. Many companies think they can just get cyber insurance, and it will cover all of the damages if their IT systems are attacked or breached.
This attitude, however, represents an extremely naive view of what cyber insurance is and the threats that companies face from holes and vulnerabilities in their cyber security practices. In order to successfully market cyber security products or services to companies without a deep base of IT experts, you need to emphasize the following three points through your messaging strategy.
Message No. 1: "Cyber Insurance Doesn't Make you Immune"
As mentioned above, having insurance — cyber or otherwise — isn't a license to behave as recklessly and negligently as you want. For one, your premiums will likely go up after the first few incidents that your insurance company covers. Additionally, if you behave negligently enough, your insurer may refuse to cover the resulting incident at all.
Many car insurance plans, for example, typically include clauses that deny coverage after an accident if the driver was behaving recklessly, such as using drugs or alcohol, or falling asleep at the wheel. Additionally, many home insurance plans require policyholders to implement basic security measures, such as smoke alarms and carbon monoxide detectors, before agreeing to provide coverage.
As with car and home insurance, cyber insurance policies typically require the policyholder to implement basic cyber security measures. These measures can include things like drafting governing cyber policies and procedures, written incident response processes, and plans for disaster recovery. Just like health insurance won't stop anyone from getting sick, make sure to communicate to prospects that cyber insurance doesn't actually stop them from getting breached or suffering from work stoppage.
All this means that companies shouldn't feel drawn to cyber insurance just because they're hoping for a way to avoid dealing with other cyber security issues. When developing your marketing strategies regarding cyber insurance, it's important to reaffirm through your messaging that clients and prospects can — and should — do more than simply purchase a cyber insurance policy. Use real-world examples that they can understand and draw parallels between like the examples of car, health and home insurance.
Message No. 2: "Cyber Insurance Doesn't cover everything"
Just as even the most generous car insurance policy will have an upper limit on what it will cover in the event of an accident, cyber insurance providers typically have an upper limit on the payout they will provide in the event of a hack or data breach. For example, Target's cyber liability insurance policy only covered 36 percent of the $252 million in expenses that the company suffered after its data breach in 2013.
If current clients and potential prospects are seeking to purchase cyber insurance, help them through the buying process. Make sure that they investigate their proposed plan thoroughly in terms of the average and maximum payouts that the insurer provides. Once they've obtained these numbers, they should compare them to the projected cost of a data breach at their company. Provide them content that makes it easy for them to do this.
Estimating the costs of a cyber attack is never an easy task, and most of your prospects are trying to figure out how to do just that. The repercussions go far beyond the immediate impact of the breach and into secondary effects that may include plunging stock prices, business deals that fall through, hits to the company's reputation and lost productivity. Provide them with the tools they need to understand just how exposed their cyber insurance is leaving them.
The key here is to be very careful about your messaging. Fear has been proven to be a pretty terrible motivator, so you shouldn't rely on just that. Make sure to approach the topic from a positive perspective and aim your messaging to how a company can protect themselves further rather than trying to scare them.
Message No. 3: "Cyber Insurance Isn't a Get out of Jail Free Card"
Finally, you should stress to your clients and prospects that cyber insurance is a supplement to a company's good risk management practices, not a replacement. Your clients absolutely shouldn't take their cyber insurance policies as a free pass to download every executable file they encounter and respond to every suspicious-looking email.
Unfortunately, many companies do see their cyber insurance policy as license to do just that—a phenomenon that insurers call "moral hazard." However, this will inevitably lead to conflict, and perhaps legal action, down the line as insurers try to argue that these companies were negligent under the terms of their policy. A common stipulation in many cyber insurance policies is that companies must do everything within their power to avoid a breach from occurring.
Your audience should also be aware that even the most lenient insurer probably won't be willing to cover all of the damages that a company suffers after a cyber attack. Typically, "external" losses, such as damage to intellectual property and reputation, and lost customer data, aren't covered under cyber insurance plans.
Find ways to help your audience understand their own insurance policies. Many people will get lost in the legal jargon and give up trying to understand what is covered. Help guide them through their policy and tell them what to look for and what it means.
Remember, You Need to Educate Your Audience
Although cyber insurance is a wise choice for many companies, any business interested in a cyber insurance policy must understand the caveats presented above before making any decisions. That means it rests upon your shoulders to impress upon your clients and prospects the limitations of cyber insurance and reaffirm the importance of having standard cyber security practices (and potentially your product or solution) in place.
Wondering where to begin?