It is well known that small and medium businesses (SMBs) face an ever-increasing risk of cyberattacks. Sixty-three percent of SMBs surveyed in Fall 2019, prior to COVID-19 lockdowns, reported they had experienced a cyber breach in the last 12 months, according to Ponemon (“The 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses”).
The damage from an attack can be a crippling blow to a small business. The average cost of a breach to an SMB is $175,000, to say nothing of the business interruption and potential harm to the company’s reputation (NetDiligence Cyber Claims Study: 2020 Report).
Further, as compared to larger companies that come equipped with dedicated security teams and large IT budgets, SMBs are often not fully prepared to withstand a cyber assault.
This year, COVID-19 came with its own share of cyber exposures. Remote work became a major security consideration stemming from the COVID-19 pandemic. The rise in compromised remote desktop protocols (RDPs), leaked credentials, IoT credential stuffing, and more attacks in general, are all reflected in the 400% spike in cyber attacks reported by the FBI in the early days of lockdowns in April 2020. Further, home WiFis are not as secure as workplace protocols, driving up the average total cost of a breach by $137,000 in 2020, according to Ponemon.
Fortunately, standalone cyber liability coverage can help offset some of the financial pain of these business-crippling incidents. While many SMBs do have some form of cyber coverage, far too many believe that their current business insurance, such as general liability or E&O policies, will cover the subsequent expenses that arise from a cyber breach.
A recent Deloitte study, “Deloitte: overcoming challenges in cyber insurance growth,” found that despite the ever-increasing severity and frequency of cyberattacks, the gross written premium level of dedicated cyber insurance policies remains relatively flat with growth falling below expectations. Annual premiums for cyber insurance overall are around $2 billion and 42% of it comes from the limited coverage included in standard commercial policies. Despite the threat of cyber perils and lack of adequate coverage, SMBs are often passing on standalone insurance. The reasons range from lack of knowledge of what standalone cyber coverage provides to erroneously thinking their current business policies will cover damage from a breach. Forty-three percent of SMBs passed on standalone cyber coverage believing their current business policy covers damage from cyber events, according to the Deloitte report.
COVID-19 highlighted the danger of cyber exposures, raising awareness of the growing problem cyber threats present to SMBs. Now, more than ever, is the time to empower insureds with the right cyber coverage.
So, how can brokers move their portfolios into adopting more standalone cyber coverage? Outlined below are the key challenges and possible solutions to help brokers and agents place more cyber risk and better protect their clients.
1. Help your clients understand the threatscape and severity of it.
Challenge: Due to their size, SMBs are less prepared in terms of technology, technical knowledge, and experience. In fact, according to a March 2020 study by the Cyber Readiness Institute, only 46% of business owners provide any training to help workers be cyber secure when working from home.
SMBs simply don’t fully know the risks, they don’t train employees, don’t have procedures and contingency plans in place, do not always have backups (or the right ones), and generally possess low cybersecurity awareness.
And cybercriminals are turning their gaze from large enterprises with vast databases to the low-hanging fruit that is small business. According to the Verizon 2019 Data Breach Investigations Report, 43% of all cyber attacks target small businesses. The bottom line: If a business has a computer with an Internet connection, it is at risk. All it takes is something as innocent as a trusted vendor sending you an invoice, and you could find yourself submitting a fraudulent payment to a cybercriminal, or even fall victim to a ransomware attack.
Solution: Educate and train. Sixty-seven percent of cyber breaches are caused by credential theft, errors, and social attacks, according to Verizon’s 2020 Data Breach Investigations Report. Provide relevant information, news, statistics, and claims scenarios, to show the likelihood of a cyber breach and the effects of an attack respectively. The more this information is tailored to show the impact on the specific client, the better.
Further, encourage cyber awareness training including employee simulation testing to best prepare your insureds for an eventual attack. Running 11 or more training courses over four to six months can reduce phishing click-throughs by 65% (Webroot Threat Report, 2020).
2. Clarify Policy Coverage
Challenge: Insureds often don’t know what’s covered and what’s not. Further, by not offering the right solutions against cyber perils, agents could find themselves liable. Most CGL policies and even endorsements to those policies often don’t cover the vast range of cyber threats. A CGL or E&O policy might cover some part of the damage, such as accidental property damage to a server. Even where current CGL coverage appears to map to a specific threat or event, the loss may not be covered, as policies are murky and small businesses don’t have the time or resources to sort it out with their carriers.
Endorsements may augment coverage for a wider range of damage due to a breach but often have lower sublimits that leave the client exposed.
This is especially important as ransom amounts are increasing, cyber events are becoming more crippling, and downtimes are becoming longer and therefore more expensive. Further, these factors, along with COVID-19 and generally higher loss ratios, are hardening the market, making ubiquitous coverage less affordable, or even less attainable.
Solution: Align risk with policy coverage and limits and tailor fit the coverage. Know the threats and their potential impact on the insured. While this may be obvious, cyber threats evolve and new attack methods are introduced with increasing frequency. A good place to keep up with the latest cyber threats is the Cybersecurity and Infrastructure Security Agency.
Next, drill down into your client’s readiness to deal with those threats. Tools such as cyber assessments can arm you in helping the insured shape a cyber defense plan and home in on the right cyber coverage.
Now that you’ve identified which threats are the greatest danger to your client, match their vulnerabilities to specific tailor-fit coverage so they can mitigate their cyber risks. For example, if an insured doesn’t transact online or retain customer records digitally, then high-limit ransomware coverage becomes a lower priority vis-à-vis general cybercrime protection. Conversely, a business retaining sensitive customer information needs thorough coverage to defend against ransoms, reputational harm, potential litigation, and government fines as well as hedge against business downtime.
3. Provide a Support System
Challenge: When a cyber breach happens, an insured needs to direct their entire focus on recovering quickly to minimize the damage. Take this example: An employee of a small retailer accidentally opens a phishing email which triggers a ransomware attack. The company does zero transactions online, yet is now compromised. They need to pay $30,000 in Bitcoin within 48 hours to get their systems up and their customer data back in their hands. They don’t have the cash. They don’t have a Bitcoin wallet. Their backups are compromised. They can’t sell. All of their time and focus is now on this. How will this business get back on its feet?
Solution: Today most carriers offer a suite of support services alongside their standalone coverage offerings. They include preventative planning, breach response services, and post-breach support.
Preventative actions include working with all involved parties (insureds, carriers, and brokers) to create a cyber breach plan. Carriers often provide free cyber business assessments that identify a company’s weaknesses with recommendations on actions to improve cyber hygiene before an attack occurs.
These plans also include employee response training and key action steps in case of a breach.
Many carriers offer robust breach response services. These include providing a “breach coach” that acts as the point person and expert to guide your client back to health.
Other services include forensic experts to help curtail the damage, legal counseling to deal with potential legislation violations (these include CCPA and GDPR regulations), and sometimes even PR experts to help curtail the reputational damage to the insured’s business.
Agents and brokers can empower their clients to take full advantage of these offerings by helping map which services align to the unique needs of the individual insured.
Stand Alone, Together
As the costs associated with cyber attacks continue to increase, the market for standalone cyber policies is starting to harden. Further, as loss ratios increase due to factors such as increased ransom payments and business interruption costs, and pricing and underwriting keep evolving, policy costs will swell. Here’s why:
- More and more companies are requiring their partners to carry standalone coverage to protect against third-party threats. Government bodies are considering this as well. Although it didn’t pass, the State of California’s AB2320 proposal, which calls for mandatory cyber insurance for government contractors, shows continuing public sector interest in mandating coverage. Now, with the SolarWinds breach, greater government mandates regarding cyber coverage are most likely coming.
- As part of the hardening market, policies will naturally take on exclusions and more precise language to better mitigate risk and bring clarity to coverage.
- Carriers themselves are asking their distribution partners to carry standalone coverage.
Now more than ever is the time to empower SMBs to better understand cyber threats and stay protected with the right cyber coverage.
Agents and brokers can do their part by educating insureds about the threats, shortcomings of coverage, and the real solutions available to them today.
This includes articulating coverage as relevant to the needs of the SMB, creating training and breach action plans, and reminding insureds of the services available to them that come with standalone cyber coverage.
Article By: Asaf Lifshitz
Source: Insurance Journal