As Cyber Risks Grow, So Does the Need for Small Business Coverage

By Jeff Holmes | April 20, 2020

With cyberattacks on the rise and many small businesses unaware of the dangers, independent insurance agents are in a good position to educate clients about their risks, recommend preventative measures, and provide protection with a cyber insurance policy. Recent statistics should be eye-opening for any small business and a good way for agents to start addressing their needs.

The Ponemon Institute's 2019 Global State of CyberSecurity in Small and Medium-Sized Businesses report surveyed 2,000 businesses and found that 76% of U.S. small and medium-sized businesses (SMBs) were attacked within the last 12 months, up from 55% in 2016. There was also a rise in attacks involving deception with phishing (57%), stolen devices (33%) and credential theft (30%).

The 2019 Hiscox Cyber Readiness Report, which included 5,400 businesses, found that more small firms were attacked during the year and cyberattack “incidents are up from 33% to 47%. For medium sized firms, the proportion has leapt from 36% to 63%.” The Hiscox report stated, “Small and medium-sized firms are much more likely to have suffered multiple attacks this year, and the proportion of small and medium firms that have had an attack has increased 59%.” The report also found that the mean cost of the largest single incident increased almost six-fold, from $34,000 a year ago to just under $200,000.

When these incidents occur, not only does a business have its client and prospect files, names, addresses, credit card numbers, private data and payment methods stolen, but its brand and reputation can be damaged, costing it its customers’ trust.

Plus, the recovery costs will put 60% of affected companies out of business within six months, according to the National Cyber Security Alliance. These costs include legal fees, computer forensics costs, ID monitoring and protections for their customers, public relations costs, ransom costs to buy back data, data restoration costs, litigation costs, regulatory fines, payment card fines from credit card companies, and more.

Any small business that uses computers and mobile phones and accepts credit cards is vulnerable to attack, regardless of its location, size or type. To make cybersecurity a priority, a combination of prevention and insurance coverage is needed.

Cyber Insurance Policies

More firms are buying cyber insurance policies, with 41% of all firms reporting that they have cyber insurance, up from 33% a year ago, according to the Hiscox report. But these are still low numbers across the country. Independent agents should arm themselves with the statistics on cyber attacks and explain the critical nature of adding a cyber protection package to all business clients. While adding a cyber security policy to a business owners policy, or BOP, is an option, this approach may have coverage limitations. Stand-alone policies are recommended to ensure the appropriate levels of coverage for all types of businesses, as Sean Kevelighan, CEO of the Insurance Information Institute, explained.

“Keeping consumers educated about the value and need of stand-alone cyber insurance coverage is absolutely critical given today’s environment of small businesses being under constant threat or attack,” he said. “Insurers are bringing both value and security to their small business customers as long as they can help clients understand how cyber coverages work.”

After sharing statistics and general information on cyber, independent agents should be asking clients if they can afford to risk a cyber attack. They can help ensure clients make an educated decision via face-to-face meetings, phone calls, and by providing informative articles and FAQs on their website or in e-newsletters and social media channels. The renewal period for a BOP is also a perfect time to discuss the stand-alone cyber coverage option.

Safeguard Points of Entry to Small Businesses

Hand-in-hand with providing cyber insurance to small business clients is helping them prevent an attack in the first place. Independent agents should have all the facts to help prepare their clients to educate and train all employees on cyber security. “Negligent employees or contractors and third parties caused most data breaches experienced by SMBs,” according to the Insurance Information Institute.

It’s often recommended that every small business should have a point person in charge of addressing an attack, someone who educates all staff regularly on how to prevent being attacked through phishing, email scams and ransomware. The point person can also send out samples of email scams to test staff and create greater awareness. Businesses should consider:

  • Providing regular, up-to-date training for staff on the latest online threats and trends in cybercrime.
  • Using teaching drills and exercises with everyday scenarios that test employees’ ability to detect scammers and respond appropriately to fraudulent requests.
  • Training staff on the dangers of clicking on unsolicited email links and attachments and the need to stay alert for warning signs of fraudulent emails.
  • Having a clean desk policy to ensure employees’ desks are cleared and all sensitive data is locked away to protect confidential information.
  • Monitoring and protecting websites with an advanced website scanner and a web application firewall to block cyberattacks, and installing updates immediately to repair vulnerabilities.
  • Using a virtual private network (VPN) to protect connections when using any Wi-Fi network.
  • Establishing a cyberattack response plan so employees are ready in the event of a breach.

Mobile device use should also be protected. Ponemon reported the most vulnerable entry points to organizations’ networks and enterprise systems include mobile devices, laptops, IoT devices, cloud systems, and smart phones.

Agents as Trusted Advisors

Smaller firms lack resources, and according to the 2018 Hiscox Cyber Readiness Report, organizations with fewer than 250 employees devote a smaller proportion of their IT budgets to cyber (9.8% on average versus 12.2% for larger organizations). Additionally, just 7% of smaller firms rank as cyber experts.

Independent agents can go beyond selling a policy to their business clients and be a trusted advisor who educates them on the growing risks of being uninsured for a cyberattack. Let clients know they are not too small to be affected by a cyberattack. With a cybersecurity plan and cyber insurance in place, they and their teams will have the confidence that their business and their clients’ business are secure for the long haul.

Author’s Note: This article was written just as the impact of the COVID-19 outbreak was becoming apparent. In this environment, more businesses than ever are moving information and transactions remotely — which translates into a greater cyber risk for all.

About Jeff Holmes

Holmes is the senior vice president and chief operating officer of SIAA (Strategic Insurance Agency Alliance). Email: jeffh@siaa.net

From This Issue

Insurance Journal West April 20, 2020