View this article online: https://www.insurancejournal.com/magazines/mag-ideaexchange/2018/05/21/489533.htm

Debunking the 3 Cyber Risk Myths for Small and Medium-Sized Businesses

Cyber losses at large companies make the headlines. Hacks at Target, Equifax, JP Morgan Chase, Sony, and Anthem are well-known. While certainly painful experiences for them and their customers, these events are not likely to put these firms out of business thanks to their extensive IT departments, financial resources and cyber insurance programs helping to cushion the blow.

Cyber risks are no less prevalent for small and medium-sized entities (SMEs). Firms of all sizes are getting hit to the tune of $1.3 billion in 2016, according to the FBI. Yet in stark contrast, it’s likely there is inadequate (if any) coverage provided to SMEs by existing business insurance policies. Without the safety nets of their large-firm counterparts, the exposure is potentially catastrophic, if not existential. Research conducted by the National Cyber Security Alliance found the following:

• Every 40 seconds, a company is attacked with ransomware.
• Almost 50 percent of small businesses have experienced a cyber attack.
• As many as 60 percent of hacked small and medium-sized businesses go out of business within six months.

Recent ransomware attacks, such as WannaCry, mean that SMEs are starting to get the message. Global insurance giant Allianz noted growing visibility and focus on cyber risk in its 2018 Risk Barometer survey. But Vinko Markovina of Allianz sounded a cautionary note: “Awareness is growing… but many SMEs still underestimate their exposure and are not prepared for, or are able to respond to, an incident. This can be a fatal mistake.”

There is also increasing recognition of the value of cyber risk insurance. The 2017 Council of Insurance Agents & Brokers’ Cyber Insurance Market Watch Survey noted 32 percent of surveyed companies purchased cyber coverage, up from 24 percent the year prior. This is a significant jump in firms buying coverage. However, two-thirds of companies are still not buying it. Why not? There are three pervasive myths that often prevent SMEs from including this important coverage in their business insurance portfolios.

Myth 1: ‘We are too small to be a target.’

According to Jeff Bardin, chief intelligence officer of cyber risk consulting firm Treadstone71, “[Forty] percent of cyberattacks are aimed at companies with 500 employees or less.” Common sources of big claims for SMEs include a lack of encryption tools on laptops and mobile devices, rogue employees, fraudulent invoices, unsecured customer protected data and ransomware attacks.

The impacts of these cyberattacks include lost customers, distracted staff, reputational harm, fines and damages, and expenses for forensics, remediation, notification, credit monitoring and legal defense and/or settlements.

Myth 2: ‘Our exposure is not that great.’

Believing their IT operations are uncomplicated, low tech and unattractive to cyber attackers, many SMEs are unaware of the extensive threats they face. Hackers see a valuable source of easily accessible data.

To intensify matters, the cyber-risk environment is dynamic. Cyber criminals are constantly exploring new hacking techniques. Emerging exposures and vulnerabilities continue to evolve from the increasing utilization of social media, cloud computing, the internet of things (IoT) and artificial intelligence.

There are two categories of cyber risk exposures:

• Third-party exposures include the liability a business has to others due to an unlawful breach of its network, trans- mission of malicious code (e.g., a virus),a denial of service attack or the theftand subsequent criminal use of confidential data on individuals’ or proprietary-firms’ secrets.
• First-party exposures include losses the business incurs when an even causes damage or malfunction to its equipment or that of a supplier or customer, extra expenses to minimize the duration of a loss, costs to replace destroyed data, as well as the financial losses due to cyber extortion or computer fraud.

Myth 3: ‘Our existing insurance coverage protects us.’

Many SMEs get lulled into a false sense of confidence that they already have cyber protection in their traditional general liability, property, crime and/or directors and officers liability policies.

Although there may be some coverage in their existing business policies, SMEs must beware of the following:

• Coverage, if any, is limited. These policies were not designed to respond to cyber attacks.
• Coverage is disappearing: Underwriters are increasingly carving cyber coverage out of conventional policies in favor of cyber-specific policies — the modest coverage some policies have today may be gone at the next renewal.

A Roadmap for Navigating the Cyber Market

There are several challenges SMEs must keep in mind as they venture into this complex marketplace.

First, it is a relatively new risk environment, with more than 60 different insurance companies offering cyber coverage.

Second, insurers use “non-standard” policy forms, meaning policy terms and conditions can vary widely from carrier to carrier.

As many as 60 percent of hacked small and medium-sized businesses go out of business within six months.

Finally, underwriter pricing methodologies are “all over the map.” There is minimal consistency in premiums. It is critically important that company leadership invests sufficient time to understand both the range of risks and solutions.

The following systematic client and broker team-based approach is recommended:

Step 1 – Assessment

Gain an understanding of the nature and extent of the risks facing the company. Solicit input from key stakeholders, such as finance, IT, sales and legal, and run hypothetical claim scenarios. With this information in hand, determine where there is or isn’t coverage from existing insurance policies.

Step 2 – Understand What Cyber Coverages Are Available in the Marketplace

Get to know the details and nuances of the large menu of third-party and first-party coverages and support services that carriers are offering.

Step 3 – Insurance Program Design and Marketing

Determine what mix of third- and first-party coverages are needed to close any uncovered gaps. Coverages can be selected or “packaged” on an a-la-carte basis to create programs tailored to each organization’s unique operations and a marketing strategy can be developed to target the appropriate insurers for the broker to approach.

Step 4 – Evaluate Carrier Proposals

The broker will negotiate with the carriers and present detailed comparisons of options. Key provisions they will review with the buyer include selected coverage parts, coverage triggers, who is insured, limits/sub-limits, deductibles, premiums, definitions, exclusions, defense provisions and carrier-support resources.

Step 5 – Placement

If a decision is made to proceed, the broker will bind the program.

Step 6 – Ongoing Monitoring

Many carriers offer value-added risk-management services to assist their insureds in reducing susceptibility to claims, access outside security experts and lawyers and provide employee loss-avoidance educational materials. Keep current on cyber risk exposures and trends.

Hackers are constantly seeking new victims and ways to target them. SMEs that fall into one or more of these three myths are at greater risk of becoming victims.

Working through the process — assessing company risks, becoming a cyber insurance “student,” designing a tailored program and evaluating and then selecting an effective insurance solution — takes effort. However, this investment in front-end pre-planning will prove to take a fraction of the time, energy and financial exposure required to respond to a cyber event. It could well mean the difference between survival or losing the business.