
topicnews · September 17, 2024

Ten things you should know about cyber risk and insurance: A guide for SMEs


Given the recent increase in ransomware attacks, data breaches, and other cybersecurity incidents, cyber insurance is gaining importance as an effective tool for mitigating risk from malicious actors. However, a 2023 Forrester Research security survey found that while 83% of enterprise security decision makers say their company has some form of cyber insurance coverage, only 26% of organizations have a standalone cyber insurance policy.

SMEs and cybersecurity challenges

Unlike large enterprises, which often employ a CISO and have a robust internal IT department capable of implementing a sophisticated cybersecurity program, small and medium-sized businesses (SMBs) often rely on a skeleton crew of IT professionals – if they have cybersecurity experts on staff at all. As a result, SMBs are often more vulnerable to cyberattacks.

What you should know about cyber risks and cyber insurance

Businesses are accustomed to using insurance to finance and transfer risk, but traditional insurance products typically do not cover cyber incidents. Cyber insurance is designed to protect businesses from the financial and operational impact of cybercrime. It helps cover costs in the event of a cyber incident, provides immediate access to experts, and gives stakeholders peace of mind that the business is prepared for a cyber incident. We’ve put together 10 things SMEs should know about cyber risk and cyber insurance to help them become more resilient to cyber attacks.

  1. It is not only large organizations that are threatened by cyber attacks and therefore need cyber insurance. SMEs are also at risk – Bad actors don’t discriminate and are highly opportunistic. While attacks on large, well-known companies make headlines, organizations of all types and sizes are at risk. According to Veeam’s 2023 Data Protection Trends Report, 85% of ransomware attacks target small businesses, and many of them report paying a ransom as a last-ditch effort to get their data back.

In fact, by analyzing Corvus claims data, we found that while the average cost of a cyber claim increases along with the victim’s revenue, the smallest category of companies (those with revenue of $50 million and less) have the most severe claims in relative terms (as a percentage of revenue).

  2. No industry is immune to cyber threats – While cyberattacks on some industries make headlines more often than others, any organization can fall victim. While healthcare, technology and construction are commonly attacked, the top targets fluctuate depending on new vulnerabilities and cybercrime trends.
  3. Cyber insurance does not increase the risk of an attack or data theft for companies – Cyber insurance doesn’t make you a target; what does is the fact that companies live in a connected world where employees, suppliers, customers and partners are all part of an online ecosystem. In addition, a poor security posture significantly increases the risk of attack.
  4. When deciding whether to take out cyber insurance, it is important to understand the true cost of an attack or breach – Cybercrime is one of the biggest sources of loss for small businesses. According to a study by IBM, the average cost to a small business in the event of a data breach is around $3 million. However, the actual cost can be much higher when legal fees, increased IT costs, accelerated security controls, damage to brand and company reputation, and more are taken into account.
  5. When it comes to cyber insurance, your standard commercial liability insurance or business liability insurance (BOP) may not be enough – While these policies cover some employee-related incidents and other breach liabilities, they likely do not cover cyber incidents such as ransomware attacks. A separate cyber insurance policy is essential to protect yourself against cyber risks and reduce the likelihood of having to pay a significant amount out of pocket in the event of an incident.
  6. SMEs should consider cyber insurance as a service to manage cyber risks – Some smaller businesses may find cyber insurance too expensive. Businesses should compare the cost of policies and coverage, but also consider the additional services they might not be able to afford through in-house staff or standalone cybersecurity consulting services. For example, many insurers offer access to risk consultants who can help map cybersecurity vulnerabilities, proactively provide risk insights and analysis, and respond in the event of an attack or breach.
  7. Understand your role and the associated risks in the supply chain of your industry – Third-party attacks (where suppliers and vendors in companies’ supply chains are attacked) have increased. Organizations that are suppliers to larger companies could be the target of cybercriminals, so these companies need to consider the risks and develop appropriate risk mitigation strategies. Micro-enterprises such as law firms, accountants, health departments and clinics, private equity firms and other financial services companies should also look closely at cyber insurance policies.
  8. Your customers and partners may require cyber insurance as a prerequisite for doing business – In a recent report from Sophos, 42% of survey respondents said they need insurance coverage when working with customers or business partners who contractually require cybersecurity insurance.
  9. Improved security controls can help reduce risks and increase insurability – As companies face more stringent underwriting requirements for cyber insurance, companies with robust cybersecurity controls will become more attractive to insurers. Common security controls enforced include:
     • Multi-factor authentication (zero trust network access)
     • Better backups
     • Next-generation antivirus and/or Endpoint Detection and Response (EDR)
  10. Involve all key stakeholders in the cyber insurance evaluation – Even in small organizations, it is important to involve key stakeholders, including finance, IT and compliance departments, to review and understand what is covered. It is better to ask questions and get clarity up front to avoid surprises in the event of a cyber incident.

Cybercrime is not slowing down and ransomware is constantly evolving, so now is the time to implement strong security controls and ensure your risk mitigation strategy toolkit includes cyber insurance.