In order to assess the risk they'd need to know something about how the businesses are run. For ordinary business premises they should at least have some knowledge of differences of crime rates between localities, business types likely to suffer from fraud and premises more or less likely to go up in smoke. I doubt they have such meaningful statistics on infosec yet without taking a closer look at what they're covering.