Cybersecurity probably isn’t at the top of your commercial client’s list of priorities, but it should be for every carrier, broker and agent.
Small and medium-sized businesses have never been at risk of attacks as they are right now, but most are still hesitant to purchase adequate insurance to protect themselves. Carriers have a responsibility to their clients to understand the threat landscape facing small and midsize businesses (SMBs) and take steps to provide the kind of protection that delivers real value.
SMBs are a favorite target of hackers, says Aaron Basilius, senior vice president of cyber at AmTrust Financial Services. Attacking big companies may result in big payouts, but those organizations are also much better equipped to handle cyber attacks. The payoff with SMBs may be smaller, but they are a much easier target.
“Do small businesses have huge bank accounts like multinational corporations? No,” Basilius says. “But it’s easier to, on the whole, get into a small business’s system. A hacker doesn’t have to go to similar lengths to get in there.”
Hackers target data, writes Shena Tharnish, vice president of cybersecurity products at Comcast Business. That may include personal data like credit card details and medical records that can be sold on the dark web.
She says other motivations for cyber attacks include:
The pandemic was a boon to hackers who were quick to take advantage of the vulnerabilities that remote work created. The FBI’s Internet Crime Complaint Center has received around a 400% increase in online crime reports since the start of the pandemic, spiking from 1,000 a day to highs of 4,000, says Tonya Ugoretz, deputy assistant director of the bureau’s cyber division.
Thousands of businesses in Canada were victims of cyberattacks in 2020, reports the Canadian Federation of Independent Business. A survey in October 2020 of 3,040 small and medium-sized businesses found almost one in four had experienced an attack since March of that year. Nearly five percent said attacks were successful, meaning over 60,000 businesses were probably victims if figures are extrapolated nationwide.
Even though the risk is clear, cybersecurity insurance still won’t be the easiest sell. Carriers must educate commercial clients, address the regulatory issues, personalize cover and provide integrated services to connect with SMBs on this issue.
To connect meaningfully with SMBs carriers must overcome the knowledge gap surrounding cybersecurity and insurance. Insurance firm Sedgwick found that while SMEs are more aware of cyber risks than brokers perceive, “less than 20% have purchased cyber-specific insurance coverage.” Added to that, the majority of small business employees have no cybersecurity awareness training.
What’s worse is that SMEs are starting to see cybersecurity insurance as a luxury in the wake of the COVID-19 pandemic, writes Tom Johansmeyer, head of property claim services at Verisk.
However, leading cybersecurity insurance providers are already educating clients, says Jeremy Barnett, chief marketing officer at cybersecurity solutions provider Cyberscout.
“Because it’s a relatively new insurance product and the small business owners aren’t necessarily familiar with all of the different coverages, the insurers are providing great educational resources for them,” he explains. “You’re not just buying insurance — you’re buying cyber support resources as well.”
One of the main reasons SMBs look to buy cybersecurity insurance is to fulfill a contractual obligation, says Ellen Zhang, chief marketing manager at remote program management platform Symba. “Many enterprises are making it mandatory for the third-parties they work with to have cyber insurance coverage.”
It makes sense, then, for carriers to address the regulatory issues that surround this insurance product.
Tim Woitach, marketing manager at McNeil & Co. Insurance, says it’s “essential to convey the massive undertaking it takes to monitor your information, protect against a breach, spot and stop any breach that occurs, notify the proper authorities of the crime, and mitigate the aftermath.” While large companies have departments that can handle these issues, small businesses often handle everything themselves. This makes insurance that covers these issues all the more important.
Some organizations are choosing to merge cybersecurity protection with insurance, writes Chase Norlin, CEO at cybersecurity workforce developer Transmosis. “In this situation both parties win: Insurers lower their overall risk by vetting and utilizing the latest technology to reduce the likelihood of an attack, and small business owners no longer need to navigate this complex landscape to determine the correct technology and policy that will cover them in the event of a breach.”
While this trend is still in its infancy, “the closer that technology and insurance come together, the better the outcome will be for both parties,” Norlin adds. “This means less breaches, less insurance claims, faster and fuller payouts when there are claims, and a healthier appetite that insurers will have for taking ongoing risk.”
Insurers are well placed to provide a service like breach response, says Sharon Shea, executive editor at TechTarget.
“When a policyholder contacts the insurer with a suspected breach, a team member quickly responds and brings in third-party specialists such as legal counsel or forensic investigators as needed,” she writes. “The insurers maintain panels of service providers, including forensic analysts, data breach attorneys, call centers, PR firms, and other vendors that specialize in breach response and are available on short notice to assist. For small to mid-sized organizations or any entity that does not manage data breach crises on a day-to-day basis, the services of an experienced third-party breach response team can prove invaluable.”
Standardized policies don’t work for most companies, regardless of the insurance product. And while cybersecurity policies contain some combination of standard elements, says Dan Burke, national cyber practice leader at insurance brokerage and consulting firm Woodruff Sawyer, a more nuanced approach containing specialist additions provides much better coverage.
“These enhancements to a cyber insurance policy are not always available unless you know what to ask for, and if they are available they are generally sublimited to an amount less than the full policy limit,” Burke explains.
This will require carriers to understand their commercial clients, says the team at Agency Height. “Some may only have minimal cybersecurity needs and want just a medium or limited coverage. On the other hand, some may wish for comprehensive coverages due to higher cyber risks and more significant tort liabilities.” They advise carriers to discuss their clients’ operations and use of technology to better understand their needs and personalize coverage.
Michelle Chia, head of professional liability and cyber at Zurich North America, recommends businesses assess their risks and the associated costs and choose policies that are tailored to their “core concerns.”
“For a company with online sales, the most concerning impact might be business interruption or ransomware,” she says. “On the other hand, a medical office company might be concerned about losing information, HIPAA violations, business interruption, or ransomware events.”
While SMBs are under threat from cybersecurity criminals, commercial carriers are at risk of losing out to the competition if they aren’t ready to enter this rapidly growing market. Understand your commercial client, assess their needs, and then create personalized coverage that delivers the protection they need.