5 keys for SME cyber insurers to improve insured protection and loss experience

Insurers' basic services aren’t providing adequate protection against the cyber exposures small and mid-sized businesses now must address.

Here are five key services cyber insurers might consider adding to their SME cyber risk management programs. (Photo: Shutterstock)

As small businesses have reconfigured their operating models to address mandated shutdowns and social distancing requirements arising from the COVID-19 pandemic, their cyber-related exposures have grown more complex and left them even more vulnerable to costly attacks

As a result, many insurers are seeing a spike in cyber-related losses from SME (small and mid-sized enterprises) clients beyond the elevated levels already associated with these accounts and further erosion of their cyber-insurance loss ratios. When these policies renew, these rate-sensitive buyers may be unwilling or unable to accept substantial premium rate hikes, leaving insurers the option of either losing the business or revisiting the loss control services available under their SME cyber-insurance programs.

Although many insurers now providing cyber coverage for small businesses do include some loss-prevention and mitigation services as part of their packages, they often don’t go beyond standard non-invasive (“outside-in”) scanning of public information. 

Unfortunately, these basic services aren’t providing adequate protection against the heightened exposures small and mid-sized businesses now must address. Besides easy-to-implement modules for actively monitoring email traffic and flagging suspicious websites, these services now must address remote work arrangements, supplier and trading partner risks, employee training and incident responses. 

Here are five key services cyber insurers might consider adding to their SME cyber risk management programs. 

  1. Enhanced inbox security. With cyber threats evolving constantly, popular off-the-shelf protection software may still leave insureds vulnerable to attacks. Most SMEs lack the IT infrastructure to make sure standard inbox protection software packages and updates are installed in all devices and universally maintained. New solutions for small businesses include inbox scanning tools that are automatically updated to check emails for malicious links and the expanding array of attack techniques used by cybercriminals. These systems leverage artificial intelligence to accurately analyze content for signs of social engineering. 
  2. Automated browser control features. Effective cyber risk management also calls for robust solutions that block employees from visiting dangerous websites and inadvertently accessing malicious code. They also can encrypt users’ web traffic to prevent unauthorized access by potential cybercriminals. Tools deployed by larger employers typically are controlled by their system administrators and prevent employees from navigating to phishing, drive-by-download, and potential malware-infested sites, such as porn, gambling, and other websites unsuitable for work. New generations of these tools help smaller employers without IT resources to address these exposures, which have potentially more catastrophic consequences to their business. 
  3. Cyber risk resources for remote workers. For SMEs, as well as all employers, the expanded use of remote workers during the COVID-19 pandemic greatly increased their cyber exposures. To address these heightened risks, small employers can take advantage of solutions that expand firewalls to home devices, public Wi-Fi protections that wrap unencrypted HTTP traffic in HTTPS, and password manager capabilities that help all workers generate more secure passwords. Best practices for managing cyber risks also call for employee instruction and compliance regarding appropriate home routers and settings, suspicious email message and website recognition, and related internal reporting practices. 
  4. SME safeguards against vendor/supplier cyber exposures. Large employers have already implemented risk management strategies to address vendor-related cyber-exposures. For instance, they typically insist upon assurances from their SME trading partners with respect to cybersecurity and protection. Similarly, SMEs need to make sure they know how to check the cybersecurity policies and practices of their trading partners, vendors and any suppliers with which they share online data, tools, resources or conduct financial transactions. New online audit tools and interactive best practices checklists can help SMEs comply with customer requirements, as well as assess and manage potential cyber exposures associated with their trading partners. 
  5. Trackable employee cyber risk training. Whether an employer’s workers are located onsite or perform their duties remotely, training remains a critical element of effective cyber-protection. New educational platforms geared for SMEs provide interactive training modules, including testing based on real-world cyberattacks, phishing simulations, as well as special instructions for remote workers. Completion of this training by individual employees and other workers, as well as their scores, can be monitored and validated centrally by designated managers and supervisors.

The list of cyber risk management tools and resources available to SMEs continues to grow, enabling more of these employers to address the increasingly complex and evolving exposures they face on a daily basis. When paired with appropriate cyber risk insurance, they provide more effective protection against potentially devastating attacks. 

At the same time, innovation in cybersecurity for SMEs has produced versatile and effective tools that can be integrated with coverages at costs readily justified by insurer growth and profitability goals. The good news is that carriers now have the opportunity to significantly expand these services to provide genuine loss control, with benefits for both their top and bottom line.

Josh Riley, CPCU, RPLU, is head of insurance at Paladin Cyber. He joined the firm in 2018, bringing more than 15 years of experience in commercial property and casualty insurance, focusing on sales, underwriting and program design. Previously, he was an associate at Markel for eight years, where he managed the technology and cyber underwriting practice, evaluating and addressing cyber risk for a wide range of U.S. employers, from sole proprietors to large hospital systems and municipalities. He can be reached at jriley@paladin.insure.


Dig Deeper