View this article online: https://www.insurancejournal.com/news/international/2018/03/07/482569.htm
A classic mistake made by many small and medium sized enterprises is to assume that they are immune from cyber attacks because hackers and fraudsters have bigger fish to fry. As a result, SMEs can be under-prepared in the face of the growing risks from cyber criminals, who see them as potential soft targets for penetration and extortion due to underinvestment in cyber security.
And when things do go wrong, SMEs are less likely to have the connections to the expertise required to address a breach quickly and, just as likely, will not have the necessary funds set aside to hire such cyber specialist, IT and legal support.
SMEs need to be aware of worrying statistics. First, the World Economic Forum’s recent Global Risks Report clearly highlighted that cyber crime is now very much part of interconnected global risks, with attacks against all businesses almost doubling in the last five years.
Separate research has also suggested that hackers have breached over 14 million of the 28 million SMEs in the U.S. according to the 2016 State of SMB (small- to medium-sized businesses) Cybersecurity Report. We’re not talking about tiny mom and pop organizations here – in the U.S. an SME can employ anything up to 500 people and include branches of larger corporations.
Most worrying of all, statistics show that between 60 percent and 70 percent of SMEs are unable to survive a breach and are out of business within six months – all because they have no supplemental support mechanism in place to help them rebuild the company and reinstate their operations.
This support, provided by standalone cyber insurance, is therefore now an increasingly important component of a comprehensive cyber risk management strategy.
Comprehensive cyber insurance policies are now essential for all businesses, accompanied if possible by solid risk management tools and cyber security experts, which can aid in recovery after a breach, with the best offering 24/7 breach alert services.
Another incentive for the purchase of cyber insurance is the fact that global regulators are also looking very closely at the issue of mandatory cyber risk management.
One prominent example of regulatory intervention was a regulation enacted in 2017 by the New York Department of Financial Services (DFS), which mandated that all financial services companies establish and maintain cyber security programs. The first hurdle for regulated companies was the Feb. 15, 2018 deadline to submit certifications of compliance with the regulation.
The scope of the DFS regulation, which includes foreign financial institutions operating in New York, expands in 2018 to include the requirement for an annual written cyber risk assessment, among other requisites.
Another example is the EU’s General Data Protection Regulation (GDPR), which also highlights the need for greater cyber risk management in the context of protecting data from theft or loss. The GDPR, which becomes effective on May 25, 2018, will require mandatory notification of serious data breaches with massive fines possible for companies that fail to comply.
As well as having the correct firewalls, encryption and data protocols in place, developing a cyber incident response plan and increasing or restructuring cyber risk insurance will be key to managing data protection risks for many businesses.
Clearly, a meaningful focus on cyber risk management is now necessary for all companies, not just for entities in financial services, or businesses storing personally identifying data. From data theft, to ransom attempts and distributed denial of service attacks, all companies – small, medium and large – are potential targets.
Some SMEs will look for cover only when they suspect they have a breach, if they see a peer suffer through a breach, read about a high-profile attack, or if they employ people who have experienced breaches in other firms.
In the past it has been a challenge for producing brokers to find effective cyber products that offer the cost-effective breadth and support that SME clients are seeking.
Nowadays, however, affordable cyber coverage is available to producers and their more proactive SME clients. For those SMEs that need a gentle push, producers would do well to present cyber terms to their prospects along with their other coverage needs. In that moment, an application may be completed and the buying process can begin, without delay.
The London market is increasingly viewed as a cyber insurance hub thanks to the experience of its underwriters in handling complex risks, and the ability to design wordings for specific market segments. For the cyber risks being faced by SMEs, this is crucial because there is no “one size fits all” approach to cyber insurance. SMEs have very different coverage needs compared to large, multinational corporates, for instance, which already may have sophisticated cyber risk response mechanisms in place.
As well as traditional providers of cyber insurance, London is also supporting international producing brokers by offering new white label, online cyber portals to allow them to service the local market with the right wordings, knowledge and support. In addition, innovative players in the London market are offering wider support services to SMEs to help them manage cyber risk with post-event insurance cover, and by helping them protect their networks against attack in the first place.
The demand for cyber coverage is on the cusp of exponential growth, which is a massive opportunity for Lloyd’s and the London company market. However, in order to cope with the volume of demand for specialist coverage solutions, brokers must add value by working harder to facilitate and speed up the placement of international business underwritten in the market. This means creating real momentum around the current modernization drive, with the aim of offering highly efficient electronic processing and placement across all risk classes.
Expertise and diligence is required, and the London market must rise to this challenge.
Related: