A new report reveals the increasing concern of start-up founders over their cyber insurance coverage and shows that the insurance industry has some way to go to help start-ups with cybersecurity.
Embroker’s new report, the Cyber Risk Index: Start-up Edition, surveyed over 400 venture capital-backed startup founders in the US from November 10-14, 2022, to gain insight into their perceptions and concerns surrounding cybersecurity and cyber insurance.
The report found that 31% of start-up founders were more concerned about cyber risk than in previous years, while 68% had experienced a cyberattack. While most start-ups (86%) have substantial cyber insurance coverage, about half said they their current policy would only partially protect them in the event of a breach or compromise. Additionally, 71% of respondents indicated that they were considering additional cyber protections and tools for 2023.
The survey results reveal the impact of several years of a hard market in the cyber insurance space, according to David Derigiotis (pictured), chief insurance officer at Embroker. The San Francisco-based insurtech offers a digital platform for commercial property and casualty (P&C) insurance.
“What was interesting is that the hard market is certainly having its toll on clients because a fairly high percentage believed their policies would only partially cover them should they experience a cybersecurity incident,” Derigiotis told Insurance Business. “I think that’s somewhat alarming. The industry needs to do a better job with providing guidance around insurable exposures and the risks that might have been covered in prior years versus where coverage has been reduced or limited today.”
Cybersecurity remains a priority for start-up founders amid a challenging funding and operating environment. As founders look to 2023, they are most concerned with impacts from inflation (32%), cyberattacks (27%), and supply chain challenges (26%). One significant finding of the report was that 44% of those without cyber insurance cited cost as the primary reason for not having it.
Meanwhile, the top three “non-negotiable areas of investment” for 2023 are product innovation (32%), cybersecurity protection (31%), and equipment upgrades (30%). This reinforces how focused founders are on better protecting and shoring up their company infrastructure and equipment.
The report also explores external risks, internal pressures, how founders choose to mitigate cyber threats, and what drives decision-making. According to Derigiotis, the results provide insight into the current cybersecurity landscape for start-ups and the steps they are taking to protect their businesses.
“The whole notion that cyberattacks are not really an issue that small to mid-sized enterprises have to worry about has been debunked,” Derigiotis said. “Now that they’ve experienced cybersecurity incidents firsthand, they understand the value that a cyber insurance policy can offer in terms of the resources. This includes increased risk management tools that can help elevate the organization’s cybersecurity posture and the financial risk transfer benefits that you get from traditional insurance.
“Now more than ever, start-up founders view [cyber insurance] as more of a must-have in their overall insurance portfolio.”
Aside from internal pressures from shareholders to bolster cybersecurity and cyber insurance, external factors like global events are also having a marked effect on start-up founders. When purchasing cyber insurance, founders cite their decisions as most motivated by tensions around foreign relations (40%), media coverage on other company data breaches (35%) and managing a hybrid/remote workforce (32%).
Mitigating cyber risk is undoubtably a priority for start-ups. Founders said that conversations about elevating cybersecurity measures and cyber insurance policies occurred in nearly 100% of boardrooms.
To best support their start-up clients, brokers should maintain a strong understanding of what’s available in the marketplace and initiate the conversation with their clients, according to Derigiotis. “Brokers should understand the proactive value that a cyber insurance policy can offer and convey that message back to the buyer,” he said.
The insurance exec also said that 2023 would be a year about returning to the fundamentals. Start-ups should focus on institutionalizing cybersecurity training and awareness among staff, as business email compromise and social engineering attacks are predicted to dominate the threat landscape.
“I fully expect that we’re going to see a massive spike in business email account compromised losses. I think we’re also going to see another uptick in ransomware,” Derigiotis said. “It’s just about getting a regular cadence of patching to keep software and systems up to date. It’s focusing on the basics.
I know there’s usually a lot of flashy headlines around certain attacks or zero-day vulnerabilities [a vulnerability in a system or device that has been disclosed but is not yet patched]. But an organization that focuses on the basics - tackling employee awareness training, updating your software, having a good patching cadence, backing up your data, practicing data retrieval – will be much more secure.”
Have any thoughts about the cyber insurance market for start-ups? Share with us in the comments.