Leaders Edge

August 4, 2017

Small and mid-sized businesses (SMBs) tend to be less concerned about cyber risks than their larger counterparts. According to a recent Webroot study, fewer than 30 percent of SMBs properly manage their IT security, and SMBs underestimate their cyber risks.

It is clear that SMBs are leaving themselves vulnerable, and that cybercriminals are increasingly targeting them due to lax cybersecurity practices. To examine how cyber insurance solutions can help small businesses recover from a cyberattack, Rep. Steve Chabot (R-Ohio), chairman of the House Small Business Committee, held a hearing to discuss the challenges small businesses face in selecting a cybersecurity insurance policy and the hurdles insurers must overcome to offer variable and comprehensive cybersecurity solutions.

While SMBs understand the growing cyber risk they face, many find it difficult to justify allocating the appropriate resources to protect their data. Nonetheless, a statement on behalf of Willis Towers Watson explains that 61 percent of data breach victims are businesses with fewer than 1,000 employees, according to the Verizon data breach report.

With this being the case, cyber insurance for SMEs would seem like a no-brainer. In reality, Eric Cernak, vice president and cyber risk practice leader at MunichRe, estimates that only 19 percent of small businesses in the U.S. purchase a standalone cyber policy, compared to 75 percent of large companies. In turn, the U.S. National Cyber Security Alliance found that “60 percent of small companies go out of business within six months of a cyber-attack.”

The Willis Towers Watson statement explains that SMBs tend to be less concerned about their cyber risks for three main reasons: they believe they are not a target for attackers because they don’t have valuable data; they outsource data storage, which they believe completely transfers risk and potential liability; and they believe they have adequate technology security controls. All of these beliefs are generally false. A cyber policy is certainly a method of risk transfer, but the process of purchasing a standalone policy can also serve as a front-end solution for assessing current cyber risks.

While cyber insurance for small business can provide front and back-end solutions for preparing for and recovering from a cyber-attack, the insurance industry has several problems of its own. A lack of historical data makes predicting, hedging and pricing risk very difficult, and the possibility of an aggregate attack on a cloud service provider could cripple the insurance industry. A recent joint report by Lloyd’s of London and Cyence, a cyber risk analytics firm, found that a hypothetical aggregate cyber-attack could result in losses of $53 billion in just 2-3 days.

While the cyber insurance market is still in its infancy, more insurers have entered the market and companies are beginning to ask the right questions when it comes to cyber risk. Recent large-scale cyber events such as WannaCry and NotPetya have certainly put cyber coverage on the map, but the problem is far from solved. Cyber insurance should never be viewed as a sole means of risk mitigation. Instead, it should be implemented as a measure of last response.

When the moment comes, will you be ready?