Don't be the one

One out of every five businesses will fall victim to a cyber attack. Not being part of that statistic, writes Shawn Ram, requires confronting the risk that goes along with embracing technology

It’s happened more often than I can count. People – from the guy who cuts my hair to the CPA I meet at a party – hear that I work in cyber insurance, and they proceed to ask me how they can protect themselves. I end up talking about cybersecurity a lot.

At my last doctor’s appointment, I noticed that my physician had transitioned from paper patient fi les to a cloud-based record management system. After proudly showing o‑ his new iPad, my doctor proceeded to ask me about cyber security. I was glad he did – security considerations aren’t always front of mind when adopting new technologies, yet it’s essential that businesses understand the implications that come with increased connectivity.

As a society, we’re going through a significant period of change. The machine age is giving way to the information age – and we’re just at the beginning. Technology can be a real asset in the workplace. However, it also presents a real catch-22 for businesses. To thrive and remain competitive, businesses today must embrace and adopt technology. But with the adoption of technology comes new risk exposures – and these risks can be existential, particularly as a business’s operations become ever more dependent on technology.

The reality is that technological risks are the most pervasive risks facing small businesses, and they are increasingly among the more severe risks exposures. It’s easy to think that your business is too small to be impacted, but in actuality, it is estimated that one out of every five small and medium-sized businesses will fall victim to cyber-attack; of these, 60% will shut down within six months.

Failure to treat cybersecurity and technological risk as a risk management problem can be costly. According to IBM, the average cost of a data breach is over US$1m, and the potential loss exposures can be diverse, from data theft and income loss as a result of business interruption to privacy liability, reputational harm, and even property damage or bodily harm.

Cybersecurity isn’t a problem that will be solved by technology alone. This is because, at its core, it is fundamentally a risk management problem. To address the risks that come with technological innovation, companies are left with three choices: accept the risk, mitigate the risk or transfer the risk.

At Coalition, this is our mantra, and it’s a framework we use regularly to help SMEs understand the importance of risk transfer and cyber insurance in the context of a cohesive risk management strategy. We recommend that SME clients that are increasing their technology footprint take the following steps:

• Check your contracts. Make sure you understand the limitations and liability with technology providers, and don’t be afraid to push back on those limitations.
• Duplicate data and create redundancies within your own internal systems. Even the best technology can and will fail
• Make sure you’re following best practices, including using two-factor authentication, encryption and data segregation.
• Where risk cannot be mitigated, it should be transferred. Explore what your existing insurance policies cover to determine what you need from a cyber insurance policy.
• PCI fines and penalties. Your cyber policy can and should be confi gured so that you’re paying only for what you really need.

It’s not possible to completely eliminate risk, which is why it’s so essential for businesses to find the right balance of risk acceptance, risk mitigation and risk transfer. As with most things, a proactive and informed approach is the key to success.

Shawn Ram is head of insurance at Coalition. He previously led the national technology industry practices at Aon Risk Solutions and Crystal & Company.