
Commercial Insurers: Business Customers Must Get Serious About Cybersecurity

In 2020, some 37 billion records were compromised in data breaches.

Data security is the great responsibility that goes hand-in-hand with the great power digital transformation affords. As businesses move more and more operations online — as we’ve seen them do throughout the COVID-19 pandemic — cybersecurity and liability become more and more important.

For commercial insurers, this must be a point of emphasis. Here are a few things commercial insurers should know so they can initiate conversations about cybersecurity risk and preparedness with their customers.

Why Emphasize Cybersecurity and Liability?

A data breach is a major event. As Reena Devarajan, Ivy Tse and Ryan Wilson at EY point out, assets that can be lost in a data breach can include:

  • Intellectual property.
  • Money.
  • Employee records like Social Security numbers.
  • Customer records.
  • Operational data such as the names of key suppliers.
  • The business’s reputation.

For companies in the healthcare sector, sensitive patient data could also be compromised in a breach — which is something that happened at a record rate in 2020, HIPAA Journal writes. That year alone, more than 28 million healthcare records “were exposed, compromised, or impermissibly disclosed.”

Small Businesses Are Particularly Exposed

The vast majority of small businesses (83 percent) do not carry cyber liability insurance, writes Chase Norlin, whose organization, Transmosis, helps train North American workers for jobs in cybersecurity.

“Most small businesses are still not aware of the harsh security realities that exist within the scope of cyber liability insurance,” Norlin says. This is a point commercial insurers must emphasize because, in all likelihood, a majority of their customers are exposed to those security risks.

That exposure can come from any number of seemingly innocuous places, says Allison Hill, client executive at construction risk management company CSDZ. Companies that process credit card payments, store customer data locally or simply use email have cybersecurity risks, Hill says.

Making commercial customers aware of their risk exposure is the first step toward managing that risk. From there, insurers can look for ways to communicate how devastating a cyber attack or data breach could be, says Jeff Holmes, senior vice president and chief operating officer at national insurance agency alliance SIAA.

“Let clients know they are not too small to be affected by a cyberattack,” Holmes writes. “With a cybersecurity plan and cyber insurance in place, they and their teams will have the confidence that their business and their clients’ business are secure for the long haul.”

Big Companies Have Their Own Threats

The COVID-19 pandemic accelerated digital transformations across nearly every industry. One major aspect of those transformations, driven by shelter-at-home orders, has been the proliferation of people “working, learning, teaching, and consulting from home,” writes Gregory Garrett, former head of U.S. and international cybersecurity at BDO and current VP of cybersecurity at Perspecta.

This rapid transformation opened many organizations up to phishing attacks, spoofing attacks and ransomware attacks. “Frequently, organizations of all sizes, and from every industry, consider cybersecurity to be an afterthought,” Garrett writes. “However, these organizations are learning this leads to costly lessons on cyber fraud and/or data breaches.”

According to research by software company Ecosystm:

  • 44 percent of organizations were the targets of cyber attacks during the COVID-19 pandemic.
  • Among those organizations, 87 percent reported that individual employee devices had been compromised.

The lesson for commercial insurers? All customers should explore their options for mitigating cybersecurity risks. This includes adopting security best practices at work as well as insuring their organizations against persistent threats.

How Insurers Can Advise Their Commercial Customers

Jack Kudale, founder and CEO of cyber insurance provider Cowbell Cyber, tells TechRepublic that the product category has evolved greatly in recent years.

In years past, cybersecurity insurance was bundled with other commercial policies, Kudale says. Now, it is marketed much more frequently as a customizable, standalone product that can offer different levels of protection for businesses:

  • It can insure businesses against loss of revenue due to business interruption.
  • It can insure against the expenses a business incurs while trying to recover from a cyberattack or breach.
  • It can insure against liability costs, such as lawsuits brought by affected customers.

This is a key distinction for commercial insurers to make in conversations with customers. Cybersecurity insurance is not a monolithic protector. Rather, it is something that can be shaped to the needs of each business.

Therefore, insurers must act in their capacity as trusted advisors to help customers understand their needs. Fundera contributor Priyanka Prakash offers a few lines of inquiry to help that process along:

  • Ask customers about what sensitive records they store, and where.
  • Ask customers about what steps they would have to take to inform their own customers of a data breach.
  • Ask customers how much it would cost to replace affected or damaged hardware.
  • Ask customers whether their IT teams could handle damage response, or whether they would need to hire outside help.

Questions like these will help customers understand their coverage needs.

At the same time, it’s important to emphasize how cybersecurity threats evolve rapidly, says Domenico del Re, who leads a team of actuaries and catastrophe risk experts at PwC United Kingdom. New data streams emerge, security audits identify new points of vulnerability and business assets mature along their life cycles. Cybersecurity strategies must account for this kind of fluidity when assessing, and insuring against, business impacts.

Unfortunately, the COVID-19 pandemic has added a further wrinkle to this conversation. Tom Johansmeyer, the head of Verisk’s PCS division, says economic pressure from the pandemic has caused some companies to view cybersecurity insurance “as a luxury” — at precisely the moment they should view it as a must-have.

Cyber risk is a multifaceted challenge for businesses, today more so than ever. This risk can be managed and insured against, however, and this should be a point of emphasis for carriers, agents and brokers going forward.
