Smaller organizations are taking their fair share of hits from cyberattacks. Beazley recently reported that ransomware incidents spiked 37% in Q3 over the previous three months, and small businesses specifically were accountable for 63% of all ransomware incidents over a nine-month time period.
“Threat actors are becoming more sophisticated in general. As it pertains to smaller organizations, I would say that extortionists are increasingly targeting SMEs, specifically because they're perceived as having less cybersecurity defenses in place,” said Annamaria Landaverde, cyber lead in the reinsurance division at Munich Re America, adding that according to a recent report, 60% of small to mid-sized enterprises go out of business following a cyberattack. “That's quite a staggering number to me. I would say that the financial impact is great for an SME, and not to say that it doesn't exist for other organizations, but an SME is less likely to recover from a large cyberattack on the organization that takes down the network and results in business income loss.”
It's very costly to bring in computer experts to restore the data on a network, or hire forensics experts to determine what part of the network was attacked and how to repair those vulnerabilities. There are also additional costs associated with notifying individuals in the event that their data was disclosed, as well as longer term reputational costs, and all of that can weigh on a smaller organization. Moreover, if an SME relies heavily on their website or their technology to earn income, then those organizations are going to be more impacted than an organization that is not as tied to that technology.
The regulatory compliance space can also be a tricky one for SMEs to navigate.
“The regulatory fines and penalties are increasing,” said Landaverde. “An SME might not be as aware of the regulatory compliance needed for their industry as a larger organization might be, and so in the event that they have a data breach and they were not in compliance with those regulations, such as HIPAA or some of the financial services regulations, they could be subject to fines and penalties, which might be significant for them to pay.”
Smaller IT budgets, and as a result less funding for cybersecurity tools and controls, likewise leave smaller organizations exposed to cyberattacks.
“Some examples of that technology might be technology to encrypt their data, their systems, or maybe even tokenize payment card information,” explained Landaverde. “That type of technology is costly – maybe too costly for an organization in the SME space. Segmentation is another more costly practice for an organization where they would segment the data that's stored on their network so that confidential information may be stored in one portion of the network separate from, let's say, their HR system and separate from their operational technologies. Those are areas where an SME might be more vulnerable because they don't have as layered of an approach to cybersecurity as a larger organization might have.”
However, cyber insurance is one risk transfer and mitigation tool that SMEs can afford, though experts want to clear up the misconception that this coverage leads to more cyberattacks. When it comes to ransomware, for example, one leader says an insurer’s first response isn’t necessarily to pay up.
“We'll look at the strain, we'll try to identify if we can unencrypt it, we do more than most to try and not pay out, but it is fair to say that if it's cheaper for the business then we will pay and it is a little bit controversial,” said Neil Gurnhill, CEO of Node International, a managing general agent (MGA) dedicated to digital, cyber and technology-related insurance and reinsurance solutions that was recently acquired by H.W. Kaufman Group.
Another expert elaborated on the point that there are situations when paying the ransom is the best course of action.
“I think at the end of the day, the insurance is in place to protect the policyholder and if paying the ransom means that you're protecting the policyholder because you're allowing them to stay whole, you're allowing them to stay in business and to not sustain a business interruption loss, it's in the best interest of the client,” said David Derigiotis, corporate senior vice president of professional liability at Burns & Wilcox.
Gurnhill also added that cyber insurance isn’t the first line of coverage to include this kind of mechanism around ransoms, since kidnap and ransom coverage has had a similar trigger in place for years. In contrast, however, cyber insurance is responding to the risks of the digital age, he said.
The other benefits of cyber insurance include the many risk management features that solutions available on the market have today – and these don’t only work in the insured’s favor.
“Taking a holistic approach is where cyber insurance is very different from other areas of insurance. Typically, insurance is just financial risk transfer – offloading the cost when something happens – but cyber insurance, it's in the best interest of not only the policyholder, but also the carrier as well to offer more services up front,” explained Derigiotis. “If you can have a policyholder that is better prepared, that has the right management strategies in place, that knows where they're vulnerable, they will be less likely to have a claim, which is a benefit for the insurance company.”
With new comprehensive cyber solutions coming on the market all the time, insurers and insureds have a lot to be thankful for with the advent of well-rounded mitigation offerings.
“The more we can help, the better we can make our insureds more cyber resilient, the less likelihood there's going to be a claim and the less claims we'll pay, so it's really a win-win. We have a very vested interest in our insureds,” said Gurnhill. “It's very much a response-based product, whereas before it was more just [about] liability, and I think that's shifted across the board.”