Cyber attacks are on the rise across the world. From WannaCry to Equifax, the impact has affected countless individuals and industries alike.
While cyber attacks tend to be associated with large companies — Sony, HBO, and most recently with Equifax — the truth is no one is too small to be immune from a cyber attack threat. And as cyber criminals and their attacks evolve over time, there is a dire need to be prepared.
In the U.S., the economy remains robust due to the small- and mid-sized businesses (SMBs) across the country. But like their larger counterparts, the risks remain the same — just somewhat scaled back. Vendors they work with can be exposed, putting the company at risk; business interruption puts the company's financial side in danger; and human error exists across the board, regardless of company size.
Put simply, more than 28 million small businesses and their 56 million employees are increasingly vulnerable.
For SMBs still wary of whether they need cyber insurance, the Insurance Information Institute's recent report, Protecting against #cyberfail: Small Business and Cyber Insurance, may quell any hesitations. Keep reading to explore the cyberthreat landscape for SMBs, the growing demand for insurance, and what resilience looks like going forward.
While negligent employees or contractors caused most data breaches experienced by SMBs, almost one-third of companies in the Ponemon survey could not determine the root cause. (Photo: Courtesy of III)
SMBs are at risk, with a heavy financial impact to boot
True to their name, small businesses are defined as firms with fewer than 250 employees. Yet, half of all SMBs in the U.S. experienced a data breach in the past year, and 55% experienced a cyber attack; nearly 40% of businesses have experienced a ransomware attack in the last year, and of these, more than one-third lost revenue.
The majority of the 1,093 data breaches tracked in 2016 affected the business sector, with nearly half (45.2%) of the total number of breaches impacting companies, according to the Identity Theft Resource Center. The Federal Bureau of Investigation's Internet Crime Complaint Center reports that losses from cybercrimes totaled $1.3 billion in 2016.
As many SMBs operate on a tight budget, the financial implications can cripple an SMB on a greater scale than a large business. In the aftermath of an incident, SMBs spent an average of $879,582 due to damage or theft of IT assets; additionally, disruption to normal operations cost an average of $955,429.
Creating an affordable product that SMBs will be willing to buy is a key component in the insurance offering. (Photo: Shutterstock)
Cyber solution insurance for SMBs
While larger companies are more likely to purchase coverage than smaller organizations, demand for coverage is increasing across the board as companies become more aware of their exposures and the financial impact of an event.
For example, Hiscox found that larger companies are more likely to be insured than smaller ones (48% versus 37%), but more than half of both groups intend to buy or to enhance their coverage in the coming months. By industry sector, retail and wholesale, manufacturing, technology and financial institutions appear to be some of the biggest SMB buyers of standalone cyber insurance coverage in the U.S.
As such, the market has responded to the needs of SMBs. Endorsements are added to packages and policies that these small businesses already buy, such as their business owners' policy (BOP) or commercial property policy. These endorsements add various coverages not already addressed in the existing policy.
Creating an affordable product that SMBs will be willing to buy is a key component in the insurance offering. Since different industry sectors represent different levels of exposure — a small convenience store versus a medical doctor's office, for example — pricing will vary depending on the type of SMB.
Typical cyber-related coverages can include:
- Data breach response and liability: Covers the expenses and legal liability that arise from a data breach.
- Computer attack: Covers damage to data and systems caused by a computer attack, such as a virus or other malware attack of denial-of-service attack.
- Network security liability: Provides defense and liability coverage for third-party lawsuits alleging damage due to the insured inadequately securing its computer system.
- Media liability: Covers defense costs and damages for claims asserting copyright infringement and negligent publication of media while publishing content online and via social media channels.
- Funds transfer fraud: Covers losses from the transfer of funds as a result of fraudulent instructions from a person purporting to be a vendor, client or authorized employee.
- Cyber extortion: Covers the "settlement" of an extortion threat against a company's network, as well as the cost of hiring a security firm to track down and negotiate with blackmailers.
In addition to up-to-date threat intelligence, insurers are seeing increased demand among insureds for risk assessments, employee training and preventative hardware or software services. (Photo: Shutterstock)
Resilience requires risk management
Risk prevention and mitigation services are an increasingly important part of the offering made by cyber insurers to their policyholders as they look to build and encourage resilience.
Insurers are also becoming more convinced of the value that services such as awareness training, network security and data protection can bring in controlling losses, though there is a long way to go before they reach their full potential. In addition to up-to-date threat intelligence, insurers are seeing increased demand among insureds for risk assessments, employee training and preventative hardware or software services.
For SMBs in particular, offering a risk management or training solution where they can learn more and keep themselves up-to-date on current threats is perhaps the most valuable. Industry experts say that SMBs need to be as proactive as their larger counterparts by conducting proper risk assessment and quantification; investing in a cyber-savvy culture; insuring cyberthreats they cannot mitigate; and allocating enough capital to cyber defenses.
As this critical part of the economy becomes more aware of the risks and exposures they face, there is a growing acceptance that insurance has an important role to play in mitigating some of the costs that arise from breaches and attacks. Mixing coverage with a cyber-savvy culture will best position SMBs to protect their assets in the future.
Related: Cyber risk and reputational harm