In 2022, Americans filed a staggering 5 million new small-business applications, the second-highest annual total since 2004, showing robust interest in new small-business ventures. For new business owners, setting up the right safeguards for the business is a significant undertaking in its own right. Cisco found that only 10% of small businesses and 19% of mid-sized companies (250-1000 employees) have achieved the highest, "mature" level of cybersecurity readiness.
Most alarmingly, 50% were found to be below average in readiness. Cyberattacks continue to rise despite the many security products and zero-trust approaches on the market, because attackers are exploiting an ever-widening attack surface created by the proliferation of hybrid work, enterprise cloud adoption, IoT, and now generative AI tools.
For smaller organizations in particular, cybercrime can be catastrophic. In a National Cybersecurity Alliance study, 25% of small businesses that experienced a data breach filed for bankruptcy and 10% went out of business. Commercial property and general, professional, and product liability policies are the most commonly written policies for small businesses, but cyber liability insurance is a crucial safety net in today's digitally transformed business world, regardless of industry. Only about one quarter of small businesses carry cybersecurity insurance.
Small businesses are much more likely to be targeted by cybercriminals than larger companies
If a small business stores any sensitive client or company data at all on computers, in the cloud, or on its network, it is exposed to cybercrime. To prevent breaches, ransomware incursions, phishing schemes, and malware attacks, business leaders deploy automated security software stacks, rigorous MFA and password-blacklisting policies, and security awareness programs. Consider these measures table stakes at this point. Cyberattacks still succeed despite their best efforts: 82% of ransomware attacks target SMBs, and 43% of all cyberattacks target small businesses. In an environment where data security risk is pervasive, SMB leaders are adding cybersecurity insurance to their cost of doing business.
Who are first responders in a cyberattack?
A CNBC report revealed that 42% of small business owners had no plan for responding to an attack. The US Cybersecurity and Infrastructure Security Agency (CISA) recommends that every SMB formalize an incident response plan. Most cyber policies provide breach response services and damage mitigation, and ensure that the obligatory investigation and notification procedures are carried out. Cybersecurity coverage also helps small businesses prepare for a possible attack by putting a communications and incident response plan in place before it is needed, so that support is available throughout the whole breach. When a data breach occurs, the insurer would provide expert-led response, credit and identity monitoring, notification, and crisis management services to minimize the damage, guiding communication flows, keeping stakeholders updated, and delegating tasks. Because identifying the nature and breadth of the attack is a critical part of incident response, coverage should include computer forensic services that help determine the type of cyberattack, recover lost data, and trace the source of the intrusion.
Perform a cyber risk assessment
Not all cyber insurance products address the same exposures, so owners should perform proper due diligence when selecting cyber insurance protection. Business leaders need to understand fully what their cyber exposures are by doing a cyber risk assessment, for which CISA provides resources at no charge. Although the assessment itself costs nothing, it does require the time and diligence of the assessor, and in-depth knowledge of the organization's IT environment and software vendor relationships.
Once leaders have a basic understanding of their company's risk exposures, they can ensure that the chosen coverage is technically adequate as well as acceptably priced. Having assessed their cyber risk exposure, they can cross-reference a basic coverage checklist against the policy proposal. They should then compare what comprehensive cyber liability insurance provides against narrower data breach and professional liability policies. Individual insurers vary in how they define a data breach, and in the sub-limits and exclusions they attach to it, so these definitions bear close attention when shopping. Depending on the business's risk profile, owners may choose enhanced policies that cover cyber extortion loss, data recovery loss, and the all-important business interruption loss.
Finally, SMB security leaders, who have limited resources, should avoid traditional policies that are inflexible and limiting. Instead, they can seek out providers or insurtechs that offer online tools, flexible term and payment options, adaptable coverage options, and customized value-added services.
Business owners bear liability for cybersecurity incidents
Verizon's 2021 SMB Data Breach Statistics put the cost of a cybersecurity incident to an SMB at anywhere between $826 and $653,587. Many small business leaders can imagine the direct financial impact of responding to a cyberattack, from the costs of forensic investigation and customer/employee notification to the most damaging costs, business interruption and ransom payments. However, many may not immediately recognize the cost of legal defense and settlements when lawsuits follow. Attorneys and consumers have become increasingly aware that they can sue companies whose data is compromised. Beyond lawsuits from customers whose personal data was exposed, claims can come from retirement plan participants whose financial data was stolen, in which case business owners face personal fiduciary liability for failing to protect their employees' information. Such allegations of negligence, breach of network security liability, or breach of privacy liability call for robust liability coverage within a cyber insurance policy. This protection defends against covered allegations and pays settlements and judgments on behalf of the insured organization.
Additional considerations and risk management protocols
Intensive cybersecurity awareness programs that address the human element are essential, since a successful attack on a single employee creates an enormous burden for the entire company: 74% of all breaches involve the human element, whether through error, privilege misuse, use of stolen credentials, or social engineering, commonly a scheme in which a criminal impersonates a colleague and fools an employee into giving up sensitive information. Training courses should cover recognizing privacy risks, preventing phishing attacks, and detecting an attack in progress.
Businesses need to worry not only about attacks on their own systems, but also about attacks on their external partners' systems. A compromise of a software provider can expose a single business's data, or the data of many businesses across the globe, as the 2023 mass exploitation of the MOVEit Transfer file-transfer tool demonstrated. Small business leaders need to be cautious about their software vendors, such as Slack, Asana, Stripe, and Zendesk. They should take the time to scrutinize the insurance requirements in vendor contracts, confirming where the onus lies in handling a cyberattack and understanding the full spectrum of liability.
Only 25% of small businesses have cybersecurity insurance
It can be tempting for a startup or early-stage SMB to focus on acquiring customers and raising the next round of funding first, and to think about securing the organization's data assets later. But in today's increasingly digitized business world, in which criminals have more ways in, failing to protect one's systems and data is not an option. Remote and hybrid work remains the norm; businesses have moved en masse to cloud and hybrid-cloud computing; and the software supply chain has become more complex and interconnected. When bolstering a cybersecurity posture through security policies, training, software defenses, and vendor due diligence fails, cyber liability insurance is the last line of defense that can save a small business.
Richard Clarke is the Chief Insurance Officer at Colonial Surety Company. As an insurance industry veteran with more than three decades of experience, Richard is a Chartered Property Casualty Underwriter (CPCU), Certified Insurance Counselor (CIC) and Registered Professional Liability Underwriter (RPLU). He leads insurance strategy and operations for the expansion of Colonial Surety’s SMB-focused product suite, building out the online platform into a one-stop-shop for America’s SMBs.