Ten Things to Know about cyber risk and insurance: a guide for SMBs
In light of recent increases in ransomware attacks, data breaches and other cybersecurity incidents, cyber insurance is gaining attention as an effective tool to mitigate risk against bad actors. Yet a Forrester Research Security Survey 2023 found that, while 83% of enterprise security decision makers say that their firm has some form of cyber insurance coverage, only 26% of organizations had a standalone cyber insurance policy.
SMBs and Cybersecurity Challenges
Unlike large companies that often employ a CISO and have a robust in-house IT department capable of implementing a sophisticated cybersecurity program, small- to medium-sized businesses (SMBs) often rely on a skeleton crew of IT professionals—if they have cybersecurity professionals on staff at all. As a result, SMBs are often more susceptible to cyberattacks.
What to Know about Cyber Risk and Cyber Insurance
Organizations are accustomed to using insurance to finance and transfer risk but traditional insurance products typically do not respond to cyber events. Cyber insurance is intended to protect companies from the financial and operational impacts of cybercrime. It helps cover costs in the event of a cyber incident, provides immediate access to experts and gives confidence to stakeholders that the company is prepared for a cyber incident. We’ve curated 10 things SMBs should know about cyber risks and cyber insurance to help them become more cyber resilient.
- Large organizations are not the only ones at risk of cyberattacks and therefore need cyber insurance. SMBs are vulnerable too – Bad actors don’t discriminate and are extremely opportunistic. While attacks on large, well-known companies make headlines, organizations of all shapes and sizes are at risk. According to Veeam’s 2023 Data Protection Trends Report, 85% of ransomware attacks target small businesses, and many of them report paying a ransom demand as a last-ditch effort to regain their data. In fact, by analyzing Corvus’s own claims data, we found that while the average cost of a cyber claim rose along with the revenue of the victim, the smallest tier businesses ($50 million and under in revenue) have the most severe claims on a relative basis (as a percentage of revenue).
- No industry is immune to cyber threats – Again, while we see cyberattacks against some industries in the headlines more than others, any organization could be a victim. While Healthcare, Tech, and Construction are frequently-targeted industries, top targets ebb and flow depending on new vulnerabilities and cybercrime trends.
- Having cyber insurance does not put companies at greater risk of an attack or breach – Having cyber insurance doesn’t make someone a target, instead it’s because organizations exist in an interconnected world, with employees, vendors, customers and partners all part of an online ecosystem. In addition, having a poor security posture significantly increases the risk of attack.
- When deciding whether to purchase cyber insurance, it’s important to understand the real costs of an attack or breach – Cybercrime is a leading loss event for small businesses. If a data breach happens, a small business can expect to pay, on average, about $3 million, according to a study from IBM. But the real cost may be much higher when factoring in legal fees, increased IT costs, expedited security controls, brand and company reputation and more.
- When it comes to cyber insurance, your standard business liability policy or business owners’ policy (BOP) may not be enough – While these policies cover some employee-related incidents and other breach liabilities, chances are they don’t cover cyber incidents like ransomware attacks. A separate cyber insurance policy is critical to protect against cyber risks and decrease the chances of paying a substantial amount out of pocket in the event of an incident.
- SMBs should look at cyber insurance as a cyber risk management service – Some smaller companies may deem cyber insurance too costly. Companies should compare the cost of the policies and coverage, but also factor in the ancillary services they may not be able to afford through internal staffing or standalone cybersecurity consulting services. For example, many carriers provide access to risk advisors who help flag cybersecurity blind spots, proactively provide risk insights and analysis, and respond in the event of an attack or breach.
- Understand your role—and associated risks—in your industry’s supply chain – Third-party breaches (where suppliers and vendors in companies’ supply chains are attacked) have been on the increase. Organizations that are supply chain feeders to larger companies could be targets of cybercriminals, so those companies need to consider the risks and employ proper risk mitigation strategies. Micro companies, such as law firms, accountants, healthcare offices and clinics, private equity firms and other financial services companies, should also be looking closely at cyber insurance policies.
- Your customers and partners may require cyber insurance as a condition of doing business – In a recent Sophos report, 42% of survey respondents said they need coverage to work with clients or business partners who contractually require cybersecurity insurance.
- Improved security controls can help mitigate risk and increase insurability – As organizations face stricter underwriting requirements for cyber insurance coverage, companies with robust cybersecurity controls in place will be more attractive to insurers. Common security controls being enforced include:
- Multi-factor authentication (Zero Trust network access)
- Better backups
- Next-generation antivirus and/or endpoint detection and response (EDR)
10. Involve all key stakeholders when evaluating cyber insurance – Even in small organizations, it’s important to involve key stakeholders, including finance, IT and compliance, to review and understand what’s covered. It’s better to ask questions and seek clarity upfront to prevent surprises in the event of a cyber incident.
Cybercrime isn’t slowing down and ransomware continues to evolve, so now is the time to put in place strong security controls and make sure to include cyber insurance in your tool chest of risk mitigation strategies.