Editorial Note: Due to a reporting error, a statistic was inproperly attributed in an earlier version of this article. Cybersecurity Ventures has predicted that cybercrime costs will reach $6 trillion annually by 2021, not Ernst & Young, as was previously reported.
During a July 26, 2017 hearing before the U.S. House of Representatives Small Business Committee, Chairman Rep. Steve Chabot (R-Oh.) stated that cyber threats have become a critical concern for the country’s 28 million small businesses, with the Justice Department recording nearly 300,000 cybersecurity complaints in 2016 alone.
"Cybersecurity has been one of this Committee’s top priorities," Chabot said in his opening statement. "We’ve held numerous hearings and worked on meaningful legislation to ensure small businesses have every possible resource to protect themselves against a cyberattack."
The entire 90-minute hearing, titled "Protecting Small Businesses from Cyber Attacks: the Cybersecurity Insurance Option," was streamed live via the House Small Business Committee’s YouTube channel.
Chabot underscored the need for government action to support small businesses in particular in fending off cybercrime, which mirrors language and priorities previously outlined by President Donald Trump.
"Cyber theft is the fastest growing crime in the United States by far," Trump said during an October 2016 campaign speech to the Retired American Warriors PAC in Herndon, Va. "As president, improving cybersecurity will be an immediate and top priority for my administration. One of the very first things I will do is to order a thorough review of our cyber defenses and weaknesses."
Trump’s predecessor also described with urgency the need for leadership in fighting cybercrime. President Barack Obama worked with Congress to pass the Cybersecurity Act of 2015, which was intended to create tools and communications necessary to strengthen the country’s cybersecurity stance.
Since then, dramatic cybercrime events like the WannaCry ransomware worm and the Petya virus have illuminated deep cybersecurity vulnerabilities. What's more, Cybersecurity Ventures, a leading researcher and publisher covering cybercrime, has predicted that cybercrime costs will grow from $3 trillion in 2015 to $6 trillion annually by 2021.
Insurers talk, Washington listens
The property & casualty insurance industry was well-represented at the July 26th House subcommittee hearing.
Zurich North America’s Senior Vice President and Head of Specialty Products Errors and Omissions Erica Davis said her staff and colleagues are focused on identifying risks and delivering solutions for customers.
"Zurich is committed to staying at the forefront of the cybersecurity issue, as both the likelihood of a security breach and costs continue to escalate," Davis said in her testimony. "As the cyber threat landscape continues to evolve, companies across all industries find themselves increasingly vulnerable to potential harm from a security or privacy event."
She added that the anticipated losses from a cyber breach come from such services and needs as:
- Forensics costs.
- Consumer notification and credit monitoring.
- Business interruption losses.
According to Ernst & Young, half of all businesses doubt whether they can quickly identify suspicious traffic over their networks. (Photo: iStock)
Eric Cernak testified on behalf of the Reinsurance Association of America (RAA) and the Property Casualty Insurers Association of America (PCI). He helped the committee understand the current lay of the land with regards to cyber insurance policy offerings.
"More insurers have become interested in offering cyber insurance over time," said Cernak, who is vice president and leader of the U.S. Cyber Privacy Risk Practice at Munich Re America. "Less than a dozen insurers offered some cyber insurance in the early 2000s compared to more than 70 in 2016. Reinsurance risk transfer options for insurers with regard to cyber may also become increasingly available."
Cernak acknowledged that the cyber insurance market is still in its infancy, and that small businesses in particular have been slow to realize the need for cybersecurity protections. Small business owners also struggle to devote resources to this looming threat.
"Small businesses would benefit greatly from better understanding the risks presented to their operations by cyber-related exposures and the cyber insurance option to address those risks," Cernak said. "Almost every business now relies upon at least one computer to conduct business, whether it is for accepting payments, designing parts, or servicing customers. It is important for small businesses to better understand their reliance upon technology and the impact to their operations should it not perform as expected due to a cyber event."
The American Insurance Association also is watching these proceedings with interest.
"In today’s increasingly interconnected world, cyberattacks can affect any business, regardless of size or industry," AIA's senior counsel Angela Gleason said in response to Wednesday’s hearing. "As cyber risks continue to change and evolve, businesses must evaluate their individual risks and vulnerabilities, and the cyber insurance market must be allowed to grow and innovate to meet those needs."
Stark lack of preparedness
Ernst & Young reported earlier this year in its 19th Global Information Security Survey that businesses nationwide are underprepared to detect, thwart and recover from a catastrophic cyber breach. Consider that:
- 44% of businesses lack a Security Operating Center (SOC).
- 64% of businesses have little or no cyber threat intelligence program.
- 55% have little or no vulnerability alert system.
"Cyber attackers have evolved their tactics, techniques and procedures," EY Americas Cybersecurity Principal Chad Holmes said in a statement about the company’s plans to team up with Microsoft to help businesses secure protect their digital assets. "Organizations must protect their vital information during a time of digital transformation, without slowing down innovation and business development."
EY is among several organizations stepping up to helping insurance and finance professionals get in front of cybersecurity threats. IT specialists such as New Jersey’s Micro Strategies, for instance, are promoting a multifaceted cybersecurity strategy that includes solutions for internal systems, shared networks, data storage and more.
"Prevention is better than the cure," Tony Trama, Micro Strategies’ director of security solutions, said in a recent press release. "Business leaders need to ensure they optimize their security programs to manage risk rather than simply focusing on compliance."