It’s no surprise that data breaches and cyberattacks are on the rise. The Identity Theft Resource Center issued a press release in October of 2021 saying that the number of data breaches that had occurred in 2021 through September had already surpassed the number of attacks in all of 2020 — a year in which small businesses saw a 424% increase in cyberattacks.
What’s worse is that adversaries don’t discriminate and they’re using the same tactics against businesses big and small. That means that small and mid-sized enterprises (SMEs) are facing the same threats and risks without a big budget that would allow them to put a robust security program in place. So while many SMEs have no defense against hackers, others have taken alternative routes to find ways to protect their organization.
Risk management isn’t just about preventing an attack. It’s also about minimizing the extent to which an attacker can move through your environment and mitigating the damage should an attack occur. One way SMEs have historically done that is through cyber insurance, which covers the financial impact of a cyberattack. However, cyber insurance offerings have changed significantly in the last few years, and SMEs are now struggling to get the appropriate coverage.
In this article, we’ll aim to answer the following questions:
- What is cyber insurance?
- Do SMEs need cyber insurance?
- What are the challenges SMEs face when trying to get coverage?
- How can SMEs get affordable cyber insurance coverage?
What is cyber insurance?
At the highest level, cyber security insurance is a type of insurance businesses can purchase to cover any financial losses related to a cyberattack or data breach. It is often added to a business’s liability insurance policy.
Generally speaking, cyber liability insurance covers the costs associated with a cyberattack investigation, legal fees, data recovery efforts, regulatory fines, reparations paid to customers, computer system repairs, and any financial losses incurred due to a disruption to your business.
Cyber insurance generally does not cover any costs or profits lost due to reputational damage or any costs related to the loss of intellectual property. It should also be noted that many insurers won’t cover costs or financial losses related to nation-state attacks, since insurers claim these attacks are an act of war. This has led to cyber-insurers refusing to cover costs related to ransomware, as some ransomware attacks are carried out by state-sponsored hackers.
While a company can greatly benefit from cyber insurance coverage should an attack occur, it does nothing to protect that company from malicious actors. It’s simply a means of recouping some of the financial losses related to cyberattacks.
Do SMEs need cyber insurance?
The short answer is yes. Nearly every business today is susceptible to cyberattacks. Bad actors are no longer targeting specific companies. They’re running automated attacks 24/7, scanning the internet for anyone who is vulnerable and willing to pay a ransom to get their systems back online. Any business big or small that collects or stores customer data, has an online presence, or uses email needs cyber insurance.
In many ways, cyber security insurance coverage is much like car insurance. You may be an excellent driver, but it’s important to have protection just in case someone else puts you in a compromising situation. Likewise, you may be taking all the necessary precautions, but it’s smart to have insurance because ransomware attacks are so prevalent, and the cost of these attacks can be catastrophic.
According to a report from IBM and the Ponemon Institute, the average cost of an insider threat compromise (the result of a negligent employee exposing the company to a data breach, for example) to small organizations was $7.68 million. Many businesses can’t recover from such a huge monetary loss. In fact, the National Cyber Security Alliance estimates that 60 percent of companies hit with a data breach go out of business within six months.
If these numbers aren’t convincing enough, having cyber insurance is increasingly being demanded by boards, counterparties and supply chain partners, because cyberattacks can have a big trickle-down effect. For SMEs looking for funding, lack of cyber insurance may cause prospective investors to view a company as too risky.
What are the challenges SMEs face when trying to get coverage?
Not too long ago, cyber insurance was a fairly affordable add-on to liability insurance, and small businesses would essentially buy insurance (rather than building up actual cyber resiliency) to transfer the risk to insurers. This was a relatively cost-effective method given the price of hiring an entire security department.
However, that strategy has now backfired. Over the years, cyber insurance providers had to pay far too many ransoms, so they’re raising premiums significantly. As of the end of 2021, many cyber insurance premiums increased 50 percent or more with some quotes coming in closer to 100 percent higher than the previous year. This hike in cost has made it extremely difficult for SMBs to buy cyber insurance.
Tired of paying ransoms for companies that had no security protocols, insurers are now requiring businesses large and small to have key controls in place, like ransomware protection, to secure coverage. So, now, in addition to paying higher premiums, companies also need to meet a number of requirements and prove that they are resilient against a cyberattack in order to get cyber insurance.
How can SMEs get affordable cyber insurance coverage?
To improve their security posture and obtain coverage from insurers, SMEs need to set up the appropriate controls, train employees on cyber security best practices, and invest in cybersecurity software. This isn’t something that happens overnight and is often best accomplished with the help of a full team of security experts who can provide the right guidance and insight.
Though small businesses have the option of building up an in-house team with the capabilities to improve the organization’s security posture, that can be a time-consuming and expensive process and isn’t a realistic solution. Instead, many choose to partner with a managed security service provider (MSSP).
An MSSP is a third-party team of security experts that can help you quickly and effectively improve your organization’s security posture and prove to insurers that you have the right controls in place. It is a more affordable and faster way of implementing a full set of security capabilities than building an in-house team from the ground up.
In addition to working with an MSSP to improve your cybersecurity and providing technical details to substantiate your organization’s resilience to cyberattacks, you should be prepared with your own perspective on two questions when approaching insurers:
- What coverage and limits does my organization really need?
- What are the price influencers that determine the terms of coverage and limits?
Arming yourself with this information puts you in a stronger starting position as you’ll better understand your organization’s cyber insurance needs when considering coverage options.
Improve your security posture and obtain cyber insurance with SolCyber
Given the ever-increasing threat of cyberattacks—and the devastating costs associated with them—it is essential for businesses large and small to have cyber insurance. But in order to get coverage, you need to be resilient.
Insurers use specialized cyber analytics solutions — like the industry’s leader, CyberCube — which provide cyber risk exposure, security scores, and analytics that drive their cyber insurance underwriting and pricing decisions. Addressing the security signals that negatively impact your security posture can positively impact your ability to obtain appropriate cyber insurance.
The SolCyber Insurance+ Program can set you up for success when it comes to applying for cyber insurance. SolCyber is not your average MSSP. We believe cybersecurity services should be available to every business, not just those that can afford to spend $1B on it. We offer amazing security, backed by approachable humans, at an incredible value.
If you’re planning to apply for cyber insurance, but first need to enhance your security posture, drop us a note to find out how we can help.