It is well known that small and medium businesses face an ever-increasing risk of cyber attacks. Sixty-three percent reported they had experienced a cyber breach in the last 12 months, when Ponemon surveyed them in the fall 2019 prior to COVID-19 lockdowns.
The damage from an attack can be a crippling blow to a small to medium business (SMB). The average cost of a breach to an SMB is $175,000, to say nothing of the business interruption and potential harm to the company’s reputation, according to a 2020 claims report from NetDiligence.
Further, as compared to larger companies that come equipped with dedicated security teams and large information technology budgets, SMBs are often not fully prepared to withstand a cyber assault.
This year, COVID-19 came with its own share of cyber exposures. Remote work became a major security consideration stemming from the COVID-19 pandemic. The rise in compromised remote desktop protocols, leaked credentials, Internet of Things (IoT) credential stuffing, and more attacks in general, are all reflected in the 400% spike in cyber attacks reported by the FBI in the early days of lockdowns in April 2020. Further, home WiFis are not as secure as workplace protocols, driving up the average total cost of a breach by $137,000 in 2020, according to Ponemon.
Forty-three percent of SMBs passed on standalone cyber coverage believing their current business policy covers damage from cyber events.
Fortunately, standalone cyber liability coverage can help offset some of the financial pain of these business-crippling incidents. While many SMBs do have some form of cyber coverage, far too many believe that their current business insurance, such as general liability or errors and omissions (E&O) policies, will cover the subsequent expenses that arise from a cyber breach.
A recent Deloitte study on challenges in cyber insurance growth found that despite the ever-increasing severity and frequency of cyberattacks, the gross written premium level of dedicated cyber insurance policies remains relatively flat with growth falling below expectations. Annual premiums for cyber insurance overall are around $2 billion and 42% of this total comes from the limited coverage included in standard commercial policies.
Despite the threat of cyber perils and lack of adequate coverage, SMBs are often passing on standalone insurance. The reasons range from lack of knowledge of what standalone cyber coverage provides to erroneously thinking their current business policies will cover damage from a breach. Forty-three percent of SMBs passed on standalone cyber coverage believing their current business policy covers damage from cyber events, according to the Deloitte report.
COVID-19 highlighted the danger of cyber exposures, raising awareness of the growing problem cyber threats present to SMBs. Now, more than ever is the time to empower insureds with the right cyber coverage.
So, how can brokers move their portfolios into adopting more standalone cyber coverage? Outlined below are the key challenges and possible solutions to help brokers and agents place more cyber risk and better protect their clients.
1. Help clients understand the threatscape and severity of it.
Challenge: Due to their size, SMBs are less prepared in terms of technology, technical knowledge, and experience. In fact, according to a March 2020 study by the Cyber Readiness Institute, only 46% of business owners provide any training to help workers be cyber secure when working from home.
SMBs simply don’t fully know the risks, don’t train employees, don’t have procedures and contingency plans in place, don’t always have backups (or the right ones), and generally possess low cybersecurity awareness.
And cybercriminals are turning their gaze from large enterprises with vast databases to the low-hanging fruit that is small business. According to the Verizon 2019 Data Breach Investigations Report, 43% of all cyber attacks target small businesses. The bottom line: If a business has a computer with an Internet connection, it is at risk. All it takes is something as innocent as a trusted vendor sending a client an invoice–and that client could find themselves submitting a fraudulent payment to a cybercriminal, or even falling victim to a ransomware attack.
Solution: Educate and train. Sixty-seven percent of cyber breaches are caused by credential theft, errors, and social attacks, according to the Verizon’s 2020 Data Breach Investigation Report. Agents can provide relevant information, news, statistics, and claims scenarios, to show the likelihood of a cyber breach and the effects of an attack respectively. The more this information is tailored to show the impact on the specific client, the better.
Further, agents can encourage cyber awareness training including employee simulation testing to best prepare insureds for an eventual attack. Running 11 or more training courses over four to six months can reduce phishing click-throughs by 65%, according to the 2020 Webroot Threat Report.
2. Clarify Policy Coverage
Challenge: Insureds often don’t know what’s covered and what’s not. Further, by not offering the right solutions against cyber perils, agents could find themselves liable. Most commercial general liability (CGL) policies and even endorsements to those policies often don’t cover the vast range of cyber threats. A CGL or E&O policy might cover some part of the damage, such as accidental property damage to a server. Even current CGL coverage that maps to a specific threat or event may not be covered as policies are murky and small businesses don’t have the time nor the resources to sort it out with their carriers.
Endorsements may augment coverage for a wider range of damage due to a breach but often have lower sublimits that leave the client exposed.
This is especially important as ransom amounts are increasing, cyber events are becoming more crippling, and downtimes are becoming longer and therefore more expensive. Further, these factors, along with COVID-19 and generally higher loss ratios are hardening the market, making ubiquitous coverage less affordable or even possible.
Solution: Align risk with policy coverage and limits and tailor fit the coverage. Agents should get to know the threats and their potential impact on an insured. While this may be obvious, cyber threats evolve and new attack methods are introduced with increasing frequency. A good place to keep up with the latest cyber threats is the Cybersecurity and Infrastructure Security Agency.
Next, agents should drill down into a client’s readiness to deal with those threats. They can arm themselves with tools such as cyber assessments to help insureds shape a cyber defense plan and hone in on the right cyber coverage.
Once agents have identified which threats are the greatest dangers to a client, they can match their vulnerabilities to specific tailor-fit coverage so they can mitigate their cyber risks. For example, if an insured doesn’t transact online or retain customer records digitally, then high-limit ransomware coverage becomes a lower priority vis-a-vis general cybercrime protection. Conversely, a business retaining sensitive customer information needs thorough coverage to defend against ransoms, reputational harm, potential litigation, and government fines as well as hedge against business downtime.
3. Provide A Support System
Challenge: When a cyber breach happens, an insured needs to direct their entire focus on recovering quickly to minimize the damage. Take this example: An employee of a small retailer accidentally opens a phishing email which triggers a ransomware attack. The company does zero transactions online, yet is now compromised. They need to pay $30,000 in Bitcoin within 48 hours to get their systems up and their customer data back in their hands. They don’t have the cash. They don’t have a Bitcoin wallet. Their backups are compromised. They can’t sell. All of their time and focus is now on this. How will this business get back on its feet?
Solution: Today most carriers offer a suite of support services alongside their standalone coverage offerings. They include preventative planning, breach response services, and post-breach support.
Preventative actions include working with all involved parties–insureds, carriers, and brokers–to create a cyber breach plan. Carriers often provide free cyber business assessments that identify a company’s weaknesses with recommendations on actions to improve cyber hygiene before an attack occurs.
These plans also include employee response training and key action steps in case of a breach.
Many carriers offer robust breach response services. These include providing a “breach coach” that acts as the point person and expert to guide your client back to health.
Other services include forensic experts to help curtail the damage, legal counseling to deal with potential legislation violations (including complying with the California Consumer Privacy Act and the European Union’s General Data Protection Regulation), and sometimes even public relations experts to help curtail the reputational damage to the insured’s business.
Agents and brokers can empower their clients to take full advantage of these offerings helping map which services best align to the unique needs of the individual insured.
Stand Alone, Together
As the costs associated with cyber attacks continue to increase, the market for standalone cyber policies is starting to harden. Further, as loss ratios increase due to factors such as increased ransom payments and business interruption costs, and pricing and underwriting keep evolving, policy costs will swell. Here’s why:
Now more than ever is the time to empower SMBs to better understand cyber threats and stay protected with the right cyber coverage.
Agents and brokers can do their part by educating insureds of the threats, shortcomings of coverage, and the real solutions available to them today. This includes articulating coverage as relevant to the needs of the SMB, creating training and breach action plans, and reminding insureds of the services available to them that come with standalone cyber coverage.
This viewpoint was originally published by Insurance Journal Magazine. It is slightly edited in this version.
This content was originally published here.