Small Businesses Need Cyber Insurance Too
Why are we still trying to convince thousands of companies to buy cyber insurance?
As you read this column, another Fortune 500 company is likely in the middle of another widely reported hack, data breach or phishing scam. But what about the many small businesses that fall victim to the same attacks? Their stories might not make the news, but these attacks are happening and the impacts are usually much more significant, often devastating.
We recently received a call on a Sunday afternoon from a small-business client in the construction industry who had just experienced a cyber breach. The insured’s computer system had been down for a couple of days, and they finally realized they were not going to be able to recover on their own. The company had been a victim of a ransomware attack. (Ransomware is a type of malicious software that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid.) This call, unfortunately, was very familiar. You might think that smaller businesses, with far less data than Fortune 500 companies, would not have to worry about cyber targeting. Not true. In fact, they’re often considered prime targets because they don’t have the resources or expertise to respond.
According a report released by The Ponemon Institute in September 2017, the percentage of small businesses reporting cyber attacks increased from 55% to 61% from the prior year. The most prevalent attacks against smaller businesses are phishing/social engineering and web-based attacks. This year’s Ponemon study revealed that cyber attacks were more targeted, severe and sophisticated. The institute went on to lament that the average size of breaches for small businesses involved 9,350 individual records—a nearly twofold increase from an average of 5,079 records the year before.
After talking with our construction client, it was pretty clear to us the company was unprepared for the attack—and unable to conduct business in its wake. The client was looking for some magical force to guide it and help restore its data, which had been locked up. Ideally, we would have referred our client to its insurance carrier for business recovery assistance, but, unfortunately, the client had declined the coverage. In this day and age, brokers and insurance companies should be selling cyber insurance to almost every business.
Some form of cyber coverage should be purchased by companies as routinely as they purchase other common property and casualty insurance, such as workers compensation, general liability, property and commercial auto. Most cyber coverage is relatively inexpensive when compared with other lines of insurance. More sophisticated insurance products even offer assistance with cyber breach response, alleviating some of the associated stress and anxiety. Furthermore, most insurance carriers place an emphasis on better understanding the cyber risk they will be insuring before extending a policy. This means an assessment of the company’s cyber risks is often part of the insurance purchase, which helps companies identify gaps in their cyber security and incident response plans.
Most businesses really expect their agents or brokers to find insurance carrier partners who can help quantify their cyber risks, assist in finding vulnerabilities, and advise them on the right cyber technology to deploy through approved vendor panels. And when an event does occur, the policy should respond with adequate coverage for the hard costs of the response—a forensic investigation, notifications to affected individuals and businesses, call centers and a public relations strategy to respond to the breach.
As for our client, we put them in touch with a few companies with expertise in responding to cyber attacks. After further investigation, it was determined our client had not backed up key data, which would have allowed the business to quickly restart operations. As a result, our client had to pay the ransom in order to successfully restore its data.
With all the information that has been published on cyber risks—and agents and brokers eager to sell more insurance—why aren’t businesses purchasing appropriate coverage? Advisen, which provides insurance data and technology services, publishes an annual survey of agents and brokers around the world who are directly involved in the cyber insurance business. Its 2017 survey found that a failure to understand cyber exposure hampers sales. “According to 77% of the respondents, one of the biggest obstacles to sales is that potential buyers do not understand their exposures,” Advisen reported. “Further, 56% of respondents also indicated that buyers do not understand the Cyber insurance coverages for those exposures. These top obstacles have remained constant year after year.”
The insurance community itself is also to blame. For example, there is no consistency in terminology from carrier to carrier, or even policy to policy. The term “cyber” itself is somewhat confusing, as it might mean one thing to one carrier and something else to another. I recently heard one industry expert suggest that we get rid of the cyber term altogether and just call it “data insurance.” Others say it should be a covered peril as part of property coverage or even a stand-alone policy. Keeping all these details straight makes my head spin, which is why I guess I am not our firm’s cyber expert. I do know one thing as a broker who sells cyber insurance: we still have lots of work to do.
Henry Wright is SVP and senior director of the Risk Solutions Group at McGriff Insurance Services. [email protected]