“What, me worry?”
While this disposition worked for Mad magazine’s Alfred E. Neuman for decades, it’s not advisable for small and medium-sized enterprises (SMEs) in considering cyber insurance. Large companies, of course, are increasingly investing in cyber policy coverage to protect themselves from the financial fallout of stolen data, disrupted operations, extortion and other cyber events. The frequency of such attacks against businesses of all sizes in all sectors drives a global cyber insurance market projected to grow to $20.4 billion by 2025 compared to $7.8 billion today.
In our insurance and risk conversations with SME leaders, we see SMEs transforming with cloud, mobile, Internet of Things (IoT) and other technologies just as aggressively as the largest enterprises. In any size company, these business transformation forces, themselves can blur risk tolerance and awareness of how different cyber security incidents and outcomes affect a businesses’ bottom line, brand, employees and obligations. The blazing pace of technology, combined with many SMEs’ assumptions about insurance can sideline cyber insurance conversations until it is too late. In fact, we often find SME owners and decision-makers accepting as truth the following myths about cyber insurance. Here are the myths, as well as the realities behind them:
Myth #1: “Cyber insurance is only for large companies.”
Reality: SMEs may conclude “No one is looking to hit us” or “A cybercriminal can only do so much harm,” and dismiss the idea of buying coverage entirely. But this puts them in a precarious position: Two-thirds of these businesses experience at least one cyber attack within a year, and subsequently suffer at least eight hours of system downtime. The typical cost of resolving an incident is $36,000. When an attack involves business interruptions, SMEs face median expenses of more than $140,000 in incident response, lost productivity/sales and recovery.
Clearly, this is something to avoid, especially given that both the immediate IT and business recovery costs, plus additional charges – such as brand damage and customer churn – could deal a crippling, if not fatal blow. By investing in cyber insurance, SMEs proactively reduce their risk exposure, which sends a message to partners and customers that they are taking threats very seriously. Investing in cyber insurance improves incident response and helps minimize events’ impact by allocating financial and other resources relieving disruption and recovery costs.
Myth #2: “If we already have insurance coverage, we’re probably good.”
Reality: Not necessarily. In many cases, we’ve discovered businesses assume that “more policies” itself equals “total” coverage, when in reality what is in place are piecemeal or outdated policies providing inadequate coverage when crises arrive. Threats are shifting rapidly. “Ransomware” wasn’t a daily headline ten years ago, and now it’s costing SMEs $43,000 per incident. In the beginning of 2020, we never would have imagined a global crash-course to everyone working from home during a pandemic – putting even greater strain and stakes on companies’ ability to run their organizations off the cloud, Zoom calls and home routers everywhere, logically increasing cyber risk.
That’s why – even if they have bought insurance – SMEs must constantly reassess their policies and review coverage with their broker to understand coverage and how it applies to different scenarios. They may have acquired a policy from a reputable insurer, for instance, but the provider ended up selling them an arbitrarily stripped-down version of the coverage they provide for large corporations. It is critical to assess the adequacy of both coverage and limits. For example, we often see SMEs say they have cyber insurance, and then see that they have $250,000 in limits – when they need $5 million. Other policies could place the up-front burden of making a ransom payment – if necessary – on the victim, with the insurer reimbursing the cost later. But SMEs should negotiate new clauses that designate the insurer as responsible for the direct ransomware payment – a small firm may encounter difficulties in coming up with, say, $100,000 or more to pay a ransom or get systems back up and running.
Similarly, the policies should cover changes that come with the digital transformation, the impact of WFH, etc. In other words: The policy must reflect what the threat landscape looks like today, not two years ago.
Myth #3: “We don’t need to deal with insurance companies or incident responders unless something bad happens.”
Reality: By taking a reactive approach, SMEs short-change themselves. Cyber insurance presents a great opportunity to get out ahead of threats, especially when the provider incorporates a partner capable of offering both proactive managed detection and response (MDR) services and digital forensics and incident response (DFIR) services into the program. Such a partner helps prevent attacks before they even materialize, by bringing expertise and outside eyes to the true state of a company’s operations, removing assumptions and blind spots.
This decreases the number of days or even months that a threat will hide within a network and compromise/steal data – i.e. dwell time. A DFIR partner will also work with an SME to encourage best practices company-wide, such as the promotion of good, basic cyber hygiene for employees or the adoption of the DMARC email authentication protocol to stop fraudsters from posing as top officers of a business to pull off a scam.
All of which benefits both the business customer and the insurer: The SME is now proactively launching comprehensive defense strategies instead of waiting for that “something bad” incident to strike before taking action. They lower their risk exposure as a result, which providers obviously view favorably – frequently enough to lower premiums.
For certain, a “What, me worry?” perspective on cyber risk won’t fare well over the long haul for SMEs. (Mad magazine, after all, printed its final issue in 2018.)
Ignoring or neglecting cyber insurance as a business asset is like making big-stakes dice wagers at a casino: Sure, you could avoid a bad roll at first, but you very well may eventually lose everything. In our unprecedented times, business and risk leaders can dramatically improve management of cyber and business risk by reexamining their insurance portfolio and making sure these time-honored myths are not standing between them and and recovery when the inevitable happens.