SME boards “cannot pay lip service to cyber risk anymore” | Insurance Business America
It is often the case that small and medium-sized enterprises (SMEs) wrap themselves in the infamous ‘that won’t happen to me’ blanket. It’s a special blanket reserved for companies who believe they are too small or too insignificant to be on the receiving end of a lawsuit or an insurance claim.
As safety blankets go, the ‘that won’t happen to me’ (purchased by companies at no extra expense) is pretty useless. Over the years, this scathing review has been proven time and time again by SMEs who only realized the depth of their financial exposures when they were forced to file for bankruptcy following a claim.
A big financial unknown for SMEs at the moment revolves around cyber risk. In its primary years, cyber liability exposure was held only by large firms or those with access to money and credit card information – at least that’s what the majority of SMEs believed. The ‘that won’t happen to me blanket’ was out in full force, and understandably so.
Read next: Cyber extortionists increasingly targeting SMEs because of weak defenses
But the cyber risk landscape has changed, and SMEs are more at risk than ever before. Every single company that uses technology to perform day-to-day functions has some form of cyber exposure. Even the smallest business that uses email to chat to clients offers a window of opportunity for cyber criminals to exploit.
“What smaller firms need to acknowledge is that they’re as susceptible and vulnerable to cyber breaches as larger firms, and that all incidents are relative,” said Tracey Vispoli, president of Berkley cyber risk solutions. “A large company may have 100 million records, but for a small company with 100,000 records, a data breach is just as disastrous. They need to recognize that, but I don’t think they’re quite there yet.”
For brokers and agents selling cyber insurance to SMEs, benchmarking is a good tool, according to Vispoli. Business managers want to hear about loss scenarios and real-life claim situations that impact their industry. But benchmarking is only the beginning of the conversation. It has to progress into the probability of what could, or what does, tend to happen, she added.
“Smaller companies tend to look at risks in terms of dollars. They want to know what a risk means in terms of ultimate probability and maximum loss. If they’re able to quantify their risk, with the help of their insurance partners, then they can better understand what they’re up against from an exposure perspective,” Vispoli told Insurance Business.
“Boards of directors cannot pay lip service to cyber risk anymore. They need to understand that a cyber breach is not only a reputational damage crisis situation; it can also have a serious impact on the balance sheet, no matter the size of the company.”
Read more about cyber: Businesses not grasping details of ‘one of the strictest privacy laws in the country’
There are tools available to help insurance buyers understand their financial exposure related to cyber risk. However, the challenge with cyber is that there are many different cyber elements that can touch many different insurance policies. Again, the smaller business’s innate desire for simplification kicks in, and many have an urge to collect their cyber exposure in one trap. This is where insurance partners can once again step in and provide tools to simplify the complex cyber risk web.
“Business leaders want to see a visual mapping of what their exposure is, what it looks like in terms of dollars, and what they can do to mitigate it,” said Vispoli. “They want to compare that to the cost of the insurance policy and make an educated choice as to whether or not transferring that risk is a wise thing to do.
“There are technology tools in the market that are helping business leaders to arrive at these conclusions, and I think these tools should continue to grow. It’s an important part of loss control. Property insurers will have loss control tell companies whether or not their sprinklers are far enough apart, or whether or not they’ve got the right shut-off valves. That’s exactly what our job should be when it comes to cyber exposures.”