Information security is a critical business asset and must be a top priority for all organizations — large and small. Yet many small businesses underestimate the potential for cyber risk and have inadequate coverage (or none at all) to protect them from cyberattacks. Ransomware attacks are on the rise and are a serious threat to the nation’s economy, infrastructure and national security. In 2020, the estimated cost of ransomware attacks on both public and private institutions in the U.S. was $19.5 billion, according to a report by the U.S. House Committee on Oversight and Reform. The average cost of a data breach, IBM Security reports, increased from $3.86 million to $4.24 million from 2020-2021.
Concerns of cyber warfare
This situation has compounded the strain on a cyber insurance market already struggling to keep up with ransomware claims. Russia’s invasion of Ukraine has heightened insurers’ concerns over the potential for large losses from both state-sanctioned attacks and vigilante hackers. Insurers have already responded to the increased frequency and severity of cyber claims by raising premiums, increasing deductibles, restricting policy language, reducing coverage limits and imposing stricter underwriting requirements, including detailed risk management and compliance measures. Others have exited the cyber market entirely.
Cyber insurance underwriters are focusing more and more on an organization’s resilience, most commonly defined as the ability of an enterprise to limit the impact of security incidents. This is a broader approach that encompasses both cyber security and business continuity management: the aim is not only to defend against cyberattacks, but to ensure that the business can survive one.
Traditionally, the property insurer’s predominant concern has been security. How deep is the moat? How high is the wall? Today, a significant share of cyber underwriting attention goes to how a business will function after something bad happens. Will it be able to keep operating and move forward? If the only realistic outcome is that it eventually shuts down, it is a bad risk.
How small businesses can protect against cyberattacks
What does this mean for small businesses? Small and mid-sized businesses are not immune to cyberattacks. Data from the Chubb Cyber Index shows that nearly 75% of all 2020 cyber claims were filed by businesses with less than $500 million in revenue. While the cyber liability insurance market is expected to continue to harden as the number and cost of attacks climb, the good news is that there is capacity in the market, and businesses of all sizes that can demonstrate robust network security should be able to obtain coverage. According to Alera Group’s Property and Casualty 2022 Market Outlook, businesses with a proactive, risk-management-based approach to cybersecurity will be able to obtain coverage on more favorable terms.
In today’s highly digitized world, cybersecurity must be a business imperative. It is not just an IT problem but a business problem, with mission-critical systems at stake. Businesses should first review their current policies to see what coverage, if any, they already have, and then discuss what additional coverage they may need with a broker who has in-depth cyber risk experience. The following steps can help small businesses obtain cyber liability coverage that meets their needs and objectives.
Key steps to obtaining cyber liability coverage for small businesses
Small businesses can carry significant exposure to cyber threats. However, there is no one-size-fits-all approach to cybersecurity. Each business must assess its risk exposure and risk tolerance before implementing a cybersecurity program. Failing to do so can jeopardize business continuity and reputation in the event of a breach, and few small businesses have the resources to recover from an attack. Assessment tools are available to help benchmark coverage limits, including the amount of business income that could be lost.
1. Understand data governance
A robust cybersecurity policy relies on good data governance. Yet many organizations lack a clear understanding of their vulnerabilities because they lack a clear understanding of where their data originates, where it is stored and how it is shared. For a small business, this may come down to how customer information and payment details, such as credit card numbers, are collected and stored. Bottom line: it is impossible to implement the correct controls without understanding the sources of data and the risks attached to them.
2. Conduct a risk assessment
Once a business understands its data usage, it is time to develop processes to continually assess vulnerabilities and implement risk mitigation strategies. Cyber criminals relentlessly evolve their tactics, so a vulnerability management program must adapt to changes in the business environment and continuously assess potential risks. One of the first steps in vulnerability management is determining each asset’s value to the organization, its risk exposure and its priority for protection. A coffee shop offering free Wi-Fi, for example, may need to prioritize its internet security and payment systems over its connection to an infrequently used supplier. Also, like many large businesses, small businesses have had to move some or all of their operations remote during the pandemic. Remote work poses its own cybersecurity threats and should be part of the risk assessment.
3. Determine risk tolerance
Next, organizations should consider their overall vulnerability landscape and determine their tolerance for risk. It is impossible to be 100% protected from cyber threats, so organizations must prioritize investments and focus on the areas that would have the biggest impact on business continuity.
4. Adopt a zero-trust security model
Equally important to assessing internal vulnerabilities is assessing the vulnerabilities introduced by third-party vendors and suppliers. It is essential to vet each third party for its cyber preparedness and not simply take its word for it. Many small businesses employ outside accountants, for example, and should ask what steps they take to protect the privacy and security of client data. A zero-trust model, in which no user, device or network connection is trusted by default and every access request is verified, limits how far a compromised vendor account or device can reach inside the business.
5. Develop a plan
Developing a cybersecurity risk management plan is a critical step not only in protecting the business, but also in obtaining cyber liability coverage. The plan should cover activities as simple as patching software and as complex as incident response and disaster recovery protocols. Agents and brokers will likely ask to see this plan when writing policies, to assess how robust and comprehensive it is. Small businesses should look for outside resources to help with this process. The Federal Communications Commission, for example, offers a free tool to help small businesses develop customized cybersecurity plans. And there are numerous products in the marketplace to help businesses strengthen their systems, from security software to education to vetting third-party vendors.
6. Educate all staff on cyber dangers
Education is a front line of defense against cyber threats. All employees should understand the business’s cyber vulnerabilities and their own role in cybersecurity. Any employee with access to email, for example, should receive security awareness training and understand how to recognize phishing and why it is harmful. Communication and testing throughout the year heighten awareness and keep employees and other stakeholders up to date on new and emerging threats.
7. Monitor results and continue to improve
Cybersecurity must be a continuous process. New threats will emerge, and businesses must be able to adapt. It is important to pay attention to changes in business practices. When upgrading sales software, for example, make sure it is secure and will not introduce new threats to the business. Businesses should also incorporate cybersecurity into new-hire training to establish good cyber hygiene from the outset.
For small businesses, cybersecurity can be a daunting yet essential task. By partnering with an experienced insurance broker, businesses can obtain the level of coverage they need. Experienced agents and brokers can provide important risk management and risk mitigation guidance, as well as keep businesses apprised of changing regulatory requirements where applicable. By following these steps, small-business owners can make great strides in protecting their investments and keeping their operations up and running.
Stephen Paulin is Cyber Risk Strategist at Orion Risk Management, an Alera Group Company.