The loss of confidential customer and employee data remains the top cyber-related concern for smaller businesses whereas, for large companies, their biggest concern shifted in 2017 from data breaches to managing reputational and regulatory risks, according to USI Insurance Services' 2017 Cyber Security and Data Privacy Study.


Damage to the reputation of an organization that experiences a breach can be catastrophic or minimal — it depends on the public's perception and understanding of the event. Engaging the right people at the right time to communicate a well-thought-out message is the first step to managing an organization's reputation in the wake of an incident and is a critical part of an incident response plan.


The 2017 study, based on a survey of decision-makers (equally representing large companies with annual revenue of more than $100 million and smaller firms with revenue of $5 million to $100 million) provides unique insights into how firms of many sizes view cyber and privacy risks, the challenges companies face when reviewing their exposures, the prevalence of impostor fraud and ransomware attacks, and the ways companies are dealing with business interruption threats due to malicious cyber attacks.


The study also reveals that more companies are expanding information technology budgets, purchasing insurance, and developing incident response and business continuity plans to address the increasing complexity and frequency of cybersecurity risks and data privacy incidents.


Escalating risks: Ransomware, data breach & impostor fraud

Of the survey participants representing smaller firms, 32% confirmed being a target of impostor fraud; 25% reported being targeted by ransomware attacks; and 32% reported experiencing a data privacy incident, all in the past year.


The fact that money moves quickly in today's fast-paced transactional environment has led to a massive uptick in impostor fraud incidents, also known as social engineering or business email scams. In many of these cases, fraudsters, pretending to be trading partners or employees of the same company, employ scams to divert company funds to hacker bank accounts.


According to the survey, large businesses that were the target of impostor fraud in the past year experienced a financial loss of between $100,000 and $500,000. Smaller business losses from impostor fraud ranged from $25,000 to $250,000. Although smaller businesses were less likely to have been targeted, overall half of the targeted businesses reported suffering monetary loss, the survey shows.


Large businesses are more likely to experience a data privacy incident and ransomware attack, although theft of portable devices or hard drives by someone external to the organization was more likely to occur at smaller businesses. Cyber extortion and ransomware attack losses were under $250,000 for a majority of survey participants; however, approximately 14% of large businesses indicated their losses were more than $1 million. USI expects the frequency of ransomware and cyber extortion threats to increase and become more severe for businesses of all sizes in 2018.


The cost of dealing with cyber incidents continues to grow, and so does the concern over less easily quantifiable losses. Among large companies, the study showed a notable increase in concerns about maintaining reputation and compliance with regulations. This concern jumped to the No. 3 spot, with 20% of respondents indicating they were worried about it compared to just 9% in 201. Reputational harm includes the loss of revenue that often follows a cyber incident announcement.


Insurance & risk management

Businesses need to take aggressive steps to ensure their cyber risk management practices, third-party service providers and cyber insurance policies are equipped to respond effectively to ransomware attacks. These steps must also include putting together a robust response plan listing all organizational losses and any potential liabilities resulting from an attack.


USI Data privacy chart


According to the survey, the majority of smaller businesses (82%) reported purchasing cybersecurity and data privacy risk insurance to protect from financial loss and 74% cited preparing for a data privacy breach as their top reason for buying the coverage. Less than half of smaller businesses reported having purchased impostor fraud coverage as part of their insurance portfolio.


Also, a majority of smaller businesses cited finding a policy to fit their unique needs, followed by cost, as the most significant challenges to acquiring insurance to protect against cybersecurity and data privacy. Notably, the survey shows 30% of smaller businesses are unsure of how to begin looking for cybersecurity and data privacy risk insurance.


USI recommends that companies undertake a cyber risk assessment to identify the strengths and weaknesses of their data security plan, develop appropriate strategies for improvement and speak to an experienced cyber broker. While purchasing cybersecurity and data privacy insurance is an important step, it should be used in tandem with developing and testing a comprehensive incident response plan.


Visit USI's website to access the executive summary and a copy of the full cyber report.


Dena Cusick is USI National Practice Leader Technology, Privacy, and Network Risk Practice ([email protected]). Paul King is USI Management Professional Service National Practice Leader ([email protected]).
