Small and medium-sized enterprises (SMEs) have a lot of catching up to do when it comes to meeting incoming mandatory breach notification regulations, which are coming into effect in only a few months on November 01.
“They’re under-prepared. There’s a lot that has to be done from a pre-breach assessment and analysis, as well as making sure your security protocols, policies and procedures are in place, the software’s up to date and patched,” said Michael Kalakauskas, national underwriting specialist for Trisura Guarantee Insurance Company. “For SMEs, a lot of the time they don’t even have an IT group, so they’re looking for the president or the CFO to fill that role, whereas they definitely need to have someone who’s responsible for it or hire an outside party to come in and evaluate all their protocols and make sure they’re up to speed.”
GDPR in Europe and state-level regulations in the US mean Canada has been left in the dust in terms of implementing similar notification and privacy laws, which is why the new rules are so important for getting insureds up to speed on cyber risk mitigation.
“It’s very much a tug of war of education and preparedness, and getting them aware of the exposures, aware of their liabilities,” said Kalakauskas, adding that many SMEs think they don’t have an exposure or they don’t carry financial records, so they don’t need coverage – comments for which the underwriting specialist has a comeback ready. “You definitely have an exposure – it may not be as much as you think, but let’s see what would price out now for a standalone $250,000 or $500,000 policy.”
With the current state of the cyber insurance market, it’s an opportune moment to buy coverage.
“For most insurance buyers, it’s the right time to buy now when the capacity is high and the prices are low, versus in five years [when] we don’t know what’s going to happen,” explained Kalakauskas.
Ransomware and social engineering are the main areas of opportunity that the cyber expert sees hackers using to target SMEs, which typically don’t have the best policies or incident response plans in place.
“It’s all over the map. I think it’s come a long way in the last few years of them being educated and aware of the exposure, but we still have a long way to go before they actually start buying dedicated and proper insurance coverage,” said Kalakauskas. “I’d say 20% of all SMEs probably buy a standalone cyber policy. The rest either don’t buy it at all or they’re adding it on by a small endorsement or a tack-on frill coverage kind of extension where, to be totally honest, I think it’s not appropriate at all.”