SMBs not “too small” to brush off cyber risk concerns

No businesses are too small to be hit by hackers

SMBs not “too small” to brush off cyber risk concerns


By Allie Sanchez

If a small business owner thinks her company is too small to warrant the attention of hackers, they have another think coming.

In an interview with’s Michael Santarcangelo, Carter Schoenberg, president and chief executive of Hemisphere Cyber Risk Management, said these firms comprise 99% of the US enterprise community, thus making them a significant cog in the cyber risk machine.

Schoenberg added that the simple fact that they accept credit card payments, maintain employee records, and keep customer information are enough justifications for thinking about getting cyber risk coverage.

“These same small businesses generally do not have network defensive capabilities let alone the ability to identify if an attack is occurring—outside of the self-evident ransomware attack. That is pretty ‘target rich’ opportunity,” the cyber risk expert said.

He added, “Most SMBs fail to understand these factors and if you don’t understand your risk exposure, how can you protect against or mitigate it?”

Further, Schoenberg said that despite efforts of the Department of Homeland Security to collaborate with the insurance industry to establish measures to address cyber risk through insurance, it was only recently that pre-event services have taken hold in the market.

DHS initiated the first steps to work with the insurance sector in 2011, but it was a measure adopted by the New York Department of Financial Services this March that has made inroads into the institutionalization of proactive cyber risk management approaches, he said.

“In 2017, there is a business justification that warrants a categorical shift in adopting pre-event service offerings within the scope of the policy premium versus waiting for the catastrophe. I liken this to the following historical events that we take as status quo but was not always around because legislation or industry did not mandate it,” Schoenberg explained.

The pre-event services Schoenberg refers to are vulnerability assessments, network and host monitoring, security training, and legal consultations. He posited that adopting them in the policy “can dramatically reduce the likelihood of a claim instead of focusing on post-event services that cost an arm and a leg…”

Related stories:
Ex-State Farm Insurance agent tries to keep insurer from leaving city
Zurich introduces AI into claims decisions

Keep up with the latest news and events

Join our mailing list, it’s free!