If your business stores sensitive information electronically or depends on computer networks, systems, and data, you may be at risk for a hack, data breach, or ransomware attack. Cyber insurance can provide coverage for this risk and other cyberattacks.
What is cyber liability insurance?
Cyber liability insurance, also known as cyber risk insurance or cyber insurance, covers your business against liability and property losses caused by cyberattacks such as hacks, data breaches, denial of service attacks, and viruses.
As businesses adopt more digital technologies, they face new risks and could become the victim of a variety of cybercrimes. Cyber insurance typically covers common cyber risks such as data breaches, hacking, ransomware and cyberextortion, denial of service attacks, and viruses.
Because cyber liability insurance policies vary widely between insurers, other forms of cyber mishaps, like social engineering fraud and phishing schemes, may also be covered depending on the insurer. Commercial general liability and commercial property policies generally exclude coverage for cyber liability and electronic data, so you may not have coverage for data breaches without a cyber liability insurance policy in place.
Cyber liability insurance can cover losses your business experiences due to cyberattacks, whether they are first-party losses or losses from third-party legal claims. Cyber liability insurance can provide coverage in a number of scenarios:
- Your business is hacked and your customers’ personal data is stolen. Your customers file suit against your business for the violation of their privacy.
- Your business is hacked and credit card information is stolen. Government regulators and your credit card network issue fines and penalties against your company.
- In the wake of a data breach, your business must hire consultants to recover your data. You also run advertisements to notify your customers of the breach.
- Your data center is hacked and your systems are held hostage. The cybercriminals demand that your business pay a ransom in order to regain access.
What is data breach insurance?
Data breach insurance is a type of cyber insurance that provides for a more limited set of protections than a broad cyber liability insurance policy. Also commonly known as first-party cyber liability insurance, data breach insurance deals only with first-party losses that your business directly incurs, rather than third-party losses where your company’s data breach causes a customer or employee to suffer a financial loss.
Who needs cyber liability insurance?
Business owners who store sensitive, confidential, or proprietary information can benefit from cyber liability insurance. If your business stores any of the following information, you should consider the protections provided by cyber liability insurance:
- Credit card numbers or other payment information
- Personally identifiable information (PII) including names, email addresses, phone numbers, addresses, Social Security numbers, driver’s license numbers, and more
- Protected health information, including medical records and patient payment history
- Trade secrets or patent applications
- Usernames, passwords, and other login information
Do small businesses need cyber liability insurance?
Small businesses can benefit from cyber liability insurance and protection from cyber threats just as much as large businesses. While much of the news you hear about cyberattacks and data breaches likely involves security lapses at large corporations, like Equifax or Colonial Pipeline, the reality is small businesses are just as at risk. According to our small business survey, 42% of small businesses experienced a cyberattack in 2021, and 69% of small businesses were concerned about being attacked in the next 12 months.
In fact, small businesses may be even more vulnerable, as many smaller companies lack the time, expertise, and resources to establish advanced security protocols, train employees, and implement strong digital protections. Cybercriminals have also been increasingly targeting small businesses in the hopes that they can move up the supply chain and infiltrate larger companies that may share systems or information with smaller companies.
The consequences of a cyberattack on a small business can also be much more debilitating than for a larger company that has more resources to absorb any losses. Oftentimes, the financial costs necessary to remediate a data breach may simply be out of reach for smaller businesses.
What does cyber liability insurance cover?
Cyber liability insurance covers financial losses from data breaches, hacking, viruses, denial of service attacks, and other similar cyber events.
Cyber liability insurance generally has two major components: first-party coverage and third-party liability coverage. First-party coverage protects your company when you incur expenses from a data breach or when your company is hacked. Third-party coverage provides protection when a customer, vendor, partner, or other party sues you for allowing a data breach to happen. You may choose to purchase either or both types of coverage.
First-party coverage provides protection against the financial losses your business incurs due to a data breach, hack, or other cyber event.
First-party coverage can provide for the costs of responding to and recovering from a data breach. These costs can include:
- Notifying your customers or employees affected by the breach. Many states require businesses to notify affected customers or employees if personally identifiable information is involved in a data breach.
- Providing credit monitoring services to those affected by the data breach. Although most states do not require providing credit monitoring services after a data breach, it can be a helpful tool to aid your public relations efforts.
- Hiring technical consultants or lawyers to find out whether a breach happened, the extent of the breach, and any regulatory compliance necessary.
- Advertising and public relations costs to educate customers or other affected parties about the breach and help to fix your company’s reputation.
If your company’s electronic data is lost, damaged, or corrupted due to a hack, virus, or denial of service attack, you can be covered under first-party coverage. This coverage also extends to data belonging to others stored on your systems.
First-party coverage will reimburse your company for the costs to restore or recover the lost or damaged data, as well as the costs to hire consultants to help you restore or repair your data.
Data recovery coverage usually does not cover data loss due to mistakes made by your business or your employees. For example, if your employee accidentally deletes your critical business data, it would not be covered.
Because commercial property coverage usually excludes coverage for electronic data, having data recovery coverage can be valuable if your company experiences a hack or cyberattack.
Business interruption insurance is also available on many cyber insurance policies. A typical business interruption insurance policy that is attached to a commercial property policy only covers perils that cause physical damage. Usually, commercial property coverages do not provide coverage for electronic data.
If the loss or destruction of data leads to a disruption in your ability to do business, this coverage can pay for the loss of business income your business experiences.
- Your business is hacked, and data critical for your sales team to sell on a daily basis is destroyed. Your business income insurance under your commercial property policy will not provide any coverage, even though you will experience lost sales and profits. Cyber liability coverage can reimburse you for the lost sales and profits when data is lost due to a cyberattack.
Note, however, that this coverage may only apply to lost profits that are directly caused by the cyberattack. If your sales decline due to a hit to your reputation from the data breach or cyberattack, these declines may not be covered. Some insurers, however, are now including reputational loss coverage on cyber policies, which can provide coverage for extended financial damage due to reputation loss.
Cyberextortion and Ransomware
First-party coverage can also cover cyberextortion, including ransomware attacks. If your business is threatened with damage to your computer systems or networks unless you pay a ransom, this insurance can provide coverage. Ransomware coverage can also come in standalone form.
- A hacker gains access to your computer network and threatens to delete all of your customer data unless you pay them money. The data includes financial records, contact information, and usernames and passwords. Cyber liability insurance would cover the cost of the ransom.
First-party coverage can also provide coverage for the money you spend to respond to the extortion demand, in addition to any ransom you pay. The insurer’s consent is usually required before you pay these expenses.
Third-Party Liability Coverage
The third-party liability coverage provided by cyber liability insurance provides protection against lawsuits filed by clients or others against your business as a result of a breach of their security or privacy. These lawsuits can accuse your business of failing to adequately protect data you possess that belongs to customers, employees, vendors, or others.
Some of the claims and costs that third-party liability may cover include:
- Legal expenses. If your business is sued, cyber liability insurance can cover attorney’s fees, court costs, and any resulting judgments or settlements.
- Network security claims. If your company suffers a network security failure, you could be sued. Covered events include data breaches, viruses and malware, denial of service attacks, or unauthorized access by a hacker or rogue employee. It can also cover your business if you have trade secrets or patent applications for clients that are exposed in a hack or data breach.
- Privacy claims. Your business could be sued for negligence in failing to protect sensitive data of others stored on your company’s network and systems. In addition to hacks and viruses, privacy breaches can include a breach of a physical record, such as files tossed into a dumpster. It can also include human error such as a lost laptop or sending a file full of customer account data to the wrong email address. Privacy claims can also include the wrongful collection of personal information.
- Employee privacy liability. If sensitive data about your employees is stolen from your company systems, including PII, your business could be sued.
- Regulatory fines. Government regulators may impose fines, penalties, and other costs on your business in response to a data breach.
Third-party liability insurance is generally written on a claims-made basis, which means coverage is only available if the claim is submitted while the insurance policy is active. Most general liability policies are written on an occurrence basis, which covers claims submitted after the policy ends if the event causing the claim occurred while the insurance was active.
Deductibles and Sublimits
Many cyber insurance policies have sublimits for first-party coverage. A sublimit is part of the limits of insurance, but it places a maximum on the amount of coverage for that type of loss. For example, if you have a cyber liability insurance policy of $1 million with a 50% sublimit on first-party coverage, the most the policy will pay for first-party losses is $500,000, and the most it will pay for all kinds of losses including first-party losses is $1 million.
Many cyber liability insurance policies also have a deductible, which means that your business retains part of the risk of the loss, up to the amount of the deductible.
What does cyber liability insurance exclude?
Cyber liability insurance is primarily designed to protect your business from cyberattacks. However, there are some common exclusions that insurers may stipulate in cyber coverage. These can include:
- Damage to your business reputation as a result of a data breach.
- Costs to fortify and improve your internal technology systems.
- Lost future sales because customers avoid your business after a breach.
- Loss of intellectual property owned by your business.
- Damage to your business caused by your own or your employee’s actions. For example, you install new software that causes your network to go down for several days.
- Personal liability of directors and officers for breach or failure of duty.
It’s important to note that many policies have a waiting period, during which losses will not be covered. For example, a policy with a 12-hour waiting period will not pay for any losses incurred during the first 12 hours of a network outage.
There also may be some variance with regard to coverage of social engineering fraud. Social engineering attacks are often executed over email and can lead to data breaches as well as money loss. However, the schemes used in social engineering fraud are aimed at tricking an employee into voluntarily giving access or transferring funds to an attacker. Some cyber policies may provide coverage for social engineering fraud, and some insurers may offer coverage under a commercial crime policy.
The personal liability of your directors and officers is also typically not covered in cyber policies. However, in the wake of a data breach or cyberattack, third parties may sue your business for damages, and they may also name your management team in the lawsuit, claiming mismanagement or breach of fiduciary duty. In order to protect your leadership team, it’s best to consider directors and officers liability insurance.
How much does cyber liability insurance cost?
The average cost of cyber liability insurance in the U.S. was $1,485 per year in 2020, and our mid-year update in 2021 found that average premiums had risen 7% to $1,589 per year, driven by an increasing number of cyber and ransomware attacks on businesses and a rise in demand for cyber coverage.
The costs of insuring your business against data breaches and hacking attacks will vary based upon the nature and size of your business, as well as the state in which your business is located. Below, we list the average cost of cyber insurance in each state, along with the difference between the state average and the national average.
| State | Average Cost of Cyber Insurance | Difference from National Average |
|---|---|---|
| District of Columbia | $1,539.25 | 3.66% |
Besides the location of your business, a number of other factors can greatly affect the premiums that you pay for cyber insurance. Insurance companies will take into account the nature of your business, the number of sensitive employee and customer records you store, whether your business stores credit card and banking information on your customers, and the types of security defenses your company has undertaken. Additionally, if your company has a history of cyber insurance claims, or if it has been attacked or hacked in the past, your premiums may be higher.
How do I apply for cyber insurance?
The cyber insurance application process is typically more rigorous than other types of policies, as cyber risk is a constantly evolving coverage area facing new and different threats every day. When it comes to cyber insurance, insurers want to understand and evaluate your cybersecurity infrastructure and determine your level of risk. How well can the people, processes, and technology you have set up for your company’s cybersecurity protect and respond to the ever-increasing number of cyber threats?
It’s important to be as thorough as possible in your application, as coverage can often be denied for a number of common reasons. The insurer may conclude that your company has inadequate cyber incident response plans, insufficient testing procedures, or incomplete policies and processes, among other reasons.
Compare Cyber Insurance Quotes
There are a variety of insurers and brokers in the market, and it may be difficult sorting through all of the options. AdvisorSmith analyzed a variety of cyber policies and determined the best cyber insurance companies for small businesses. To determine the best cyber insurers, AdvisorSmith considered a number of factors, including financial strength ratings from AM Best and Standard & Poor’s, customer satisfaction data from several J.D. Power studies, complaint ratings from the National Association of Insurance Commissioners, available features and options, and availability of information and ease of use of the insurers’ websites.
| Rank | Insurer | Rating |
|---|---|---|
| 1 | Hiscox | 4.9 / 5.0 |
| 2 | Chubb | 4.8 / 5.0 |
| 3 | The Hartford | 4.7 / 5.0 |
| 4 | AIG | 4.7 / 5.0 |
| 5 | CNA | 4.6 / 5.0 |
| 6 | Arch | 4.5 / 5.0 |
| 7 | Hanover | 4.5 / 5.0 |
| 8 | Intact | 4.4 / 5.0 |
| 9 | Beazley | 4.3 / 5.0 |
| 10 | Axis | 4.3 / 5.0 |
Cyber Insurance Policy Forms
Cyber insurance is still in its early days, and insurers have yet to consolidate around a standard policy form for coverage. Coverage terms vary widely between insurers, so you’ll need to pay extra attention to what exactly is being covered and what the definitions are on your policy form. If you’re interested in seeing what a few sample forms may look like, we’ve compiled a few below.
Specialty cyber insurers:
Reducing the Risks of Cyber Liability Claims
Cyber insurance should be your last line of defense against hacking, viruses, and data breaches. It is best to be proactive and take precautionary steps to reduce your exposure to cyber liability.
After a data breach, customers or clients may be less interested in doing business with you in the future.
Some ideas for reducing your cyber liability exposure include:
- Installing all the latest software and security updates.
- Hiring an IT security consultant to audit your systems and create a security plan.
- Backing up your company data on a regular basis and storing it in the cloud or offsite.
- Limiting access to sensitive information by employees using passwords for electronic data and physical locks for physical files.
- Using network security software and firewalls, including the use of virtual private network (VPN) software.
- Training employees on the importance of keeping customer and partner data confidential.
As the economy relies more and more on digital systems, software, and the internet, businesses will be increasingly exposed to cyber risk. From retailers that operate online e-commerce stores to restaurants that take online orders, businesses of all types need to take steps to safeguard their data and protect their businesses from the financial consequences of a data breach or hack. Cyber insurance can provide coverage for both first-party and third-party liability losses if your business is the victim of a cyberattack.
AdvisorSmith spoke with the following experts to provide critical insight on cyber insurance for business owners.
- Chairperson & Associate Professor, Mathematics and Computer Science
- Fontbonne University
- Director, M.S. Cybersecurity Policy and Governance
- Boston College
- Associate Professor, Computer Science
- Challey Institute Faculty Scholar
- North Dakota State University
- Associate Professor
- Department of Finance, Insurance and Law
- Illinois State University
- Davey Chair of Risk Management and Insurance
- Butler University
- Managing Director, Brantley Risk & Insurance Center
- Appalachian State University
- Associate Professor of Accounting & Information Systems
- The College of New Jersey
- Professor of Computer Science
- Executive Director Emeritus, CERIAS
- Purdue University
- Director, Entrepreneurship and Technology Innovation Center
- New York Institute of Technology
- Midyette Eminent Scholar in Risk Management & Insurance
- Florida State University, College of Business
- Associate Professor, Computer Science
- The University of Alabama at Birmingham
- Professor of the Practice
- University of Maryland, Robert H. Smith School of Business
- Norwich University Applied Research Institutes (NUARI)
- Professor and Chair, Computer Science
- California State University, East Bay
- Dakota State University, Beacom College of Computer and Cyber Sciences
- Professor, Computing Security
- Rochester Institute of Technology
- Associate Professor, Information Systems and Cyber Security
- Director, Cyber Center for Security and Analytics
- The University of Texas at San Antonio
- Adjunct Professor, Information Security and Digital Forensics
- University at Albany, State University of New York
- Instructor, Information Technology and Cybersecurity
- Grand Canyon University
- Associate Dean, Cyber Security
- Southern New Hampshire University
- Assistant Professor, Cybersecurity
- University of Nebraska Omaha
- Clinical Assistant Professor, Department of Accounting
- University of North Texas
- Director, School of Technology and Innovation
- Marymount University
- Assistant Professor, College of Engineering, Computing and Applied Sciences
- Clemson University
- Associate Professor
- Graduate Program Coordinator, Department of Computer Science
- Stephen F. Austin State University
Q. Should small businesses be concerned about cyber risk?
Guanyu: Many people think that small businesses should not worry about cyber risk because they don’t have lots of money to offer to the hackers. However, small businesses are easier targets because they lack dedicated IT and cybersecurity professionals to protect them.
Almost every small business has digital assets and equipment, such as computers, websites, and POS (point of sale) systems. Digital assets include confidential customer data such as Social Security numbers, passwords, and credit card information.
Any data leak or data breach will be likely to cause legal and privacy issues for them. In addition, hackers may compromise their digital systems and use them to launch another attack toward another company. Therefore, small businesses may be liable for other small or big companies’ damage. In fact, according to a 2019 study by Hiscox, “small businesses are becoming increasingly at risk. The report highlights a 14 percent increase from the previous year.”
Kevin: Yes, and they should have been concerned for the past 10 years. It doesn’t matter what your business size is. Cyber threat actors, whether it’s a cybercriminal or a hacktivist, what they’re looking for is the lowest hanging fruit—the easiest entry point.
If you’re a midsize bank, cybersecurity should be on the forefront because not only does it impact your business operations, but it also impacts your customers’ personally identifiable information and sensitive financial data. If you’re a shop of two to five people, you still have to worry about cybersecurity because no matter what, someone can come in and shut you down, demand a ransom, and hold your data hostage. People write all sorts of things in emails, and you could have intellectual property, trade secrets, or correspondence between you and a customer that you don’t want in the public. So no matter what size your business is, you need to be worried about the cyber risk to you, personally, and to your business.
It’s also important to understand that cyber threat actors are looking for an easy entry point. That’s where you see the Department of Defense coming in, for example, because a small company may be a government contractor, doing work with the federal government. That’s the entry point.
It might be that I’m a sub to the sub that’s a subcontractor to Raytheon that works for the government. They’re going to look at you, and you’re the entry point in—they’re going to breach your system because you might not have the protection you need there. And if they get in through you, that might be the last federal contract you ever have. The government is now pushing to require the whole supply chain, from the contract to the prime down to all the different subs, to make sure they have certain standards in place consistent within this framework to protect their systems.
Zahid: We are seeing an increasing number of small and medium-sized businesses in the crosshairs of attackers. In fact, according to Verizon DBIR, in 2021, the gap between the data breaches was not that large, with 307 breaches in large organizations and 263 breaches in small organizations, and this gap is shrinking. Moreover, large organizations find breaches faster in over half of the cases (55%) than small organizations (47%).
Small business owners should definitely be concerned about cyber risk because the National Cyber Security Alliance has found that three out of every five small businesses that get attacked go out of business in less than six months.
Yayuan: Cyberattacks on small businesses can be the same as large businesses, but small companies do not have the same resources to build a strong cybersecurity system as large corporates and are less likely to survive a severe cyberattack.
Especially after large corporates implement a hard-to-break security system, small firms will be more likely to be the target of cybercrime. In this sense, small businesses should be more concerned about cyber risk.
Victor: Cyber insurance is now necessary coverage for any business, regardless of size, that handles data either on a local network or in the cloud. And, without this coverage, most small businesses can’t handle the devastating financial consequences caused by a cyberattack. These costs include legal fees, recovering and restoring data, and the cost of compliance in notifying customers of a data breach.
David: Absolutely, in fact, they should be more concerned. Large businesses have deeper pockets and the ability to pay significant amounts to rebuild a network, recover data, and pay ransom. Smaller businesses have fewer resources and are therefore less likely to recover from a cyberattack or ransomware. Given that small businesses have less security and experience, they are also an easier target.
Abhishek: I believe, yes. In the past year, there has been a significant increase in cyberattacks on smaller organizations, and small businesses may have very valuable data, like private client data, Social Security numbers, etc. It may also be easier for hackers to target the network infrastructure of small businesses.
A reason cyber risk is even more significant for smaller businesses nowadays is the use of Ransomware as a Service (RaaS). With RaaS, anyone can use ransomware tools, borrow it as a service, and go and maliciously attack organizations and profit from the attack.
Eugene: Definitely. Large businesses usually have more resources to apply to security, and they also may have large resources to weather a problem; smaller companies could be wiped out, especially in the current economy that is hobbled somewhat by COVID issues.
Michael: There are several differences between small businesses and large businesses when it comes to cybersecurity. Those differences relate primarily to whether the business is a private or publicly traded company, what type of business it is/does, and what type of data it will be storing. Additionally, there are several operational attributes that may also affect how the company approaches its cybersecurity strategy, including what type of business they do, such as healthcare, financial, or services that deal with minors or underaged clients.
Similar to other types of crime, each cybercrime has an MO or method of operation (modus operandi) and also has a motivated attacker that has some purpose or desire to target your specific business. This is important to understand because the more attractive your data is to a cyber criminal, the more vulnerable you become, which, in turn, means that you need to take a more aggressive approach to your cybersecurity strategy. As an example of this, imagine that one business does not store/save credit card information and sells greeting cards, and the other business saves all of its customer data, including credit card number, expiration date, and security code, and sells high-end vehicles. The second business is much more vulnerable because it is a more desirable target.
The answer to the question based on the above is that all businesses should be concerned about cybersecurity and in protecting their data; however, companies that operate in a fashion that makes them a more desirable target should have a more aggressive strategy and a stronger security posture than other organizations that may not be as desirable a target to cyber criminals.
Patricia: Potential losses from cyberattacks can be devastating to any size business. Small businesses have more limited resources to direct toward cybersecurity when compared to larger businesses, which can make them an easier target. A large business may be able to absorb the costs associated with a cyberattack, but a small business may want to consider a cyber insurance policy that will help the business stay afloat if it experiences a cyberattack.
Ragib: Small businesses should definitely be concerned about cyber risk. While the media covers large scale attacks on big businesses, there are hundreds of small businesses that are getting attacked. The cybercriminals have figured out that they can extort money from halfway across the world by capturing the cyber resources of businesses. This has become an organized (criminal) business for these criminals. No business—big or small—is immune from being a target of these criminals.
Clifford: Every organization, large or small, should be on guard for cyber risk. Attacks seem oriented toward larger entities for the most part due to potential payoffs from ransom or the sale of stolen personal or corporate information, for example.
Nevertheless, cyber risk vulnerable companies create a path of least resistance for hackers to break into a system at relatively low cost for them. Small businesses are less likely to have the resources to invest in capabilities to mitigate their cyber risk exposure and thus make an easier target for would-be hackers.
Phil: Cyber risk exists for all businesses. A small business may have less “attack surface” but by its nature has often less sophisticated cybersecurity infrastructure. The adversary is looking to minimize the cost to monetize its tools and time. This makes small businesses an ideal target.
In the past several days, a number of critical vulnerabilities have been identified in popular operating systems. Small businesses may not have the staff or time to assess the risk, test the patches, and install on all organizational machines. Adversaries are actively scanning the internet for these vulnerabilities with armies of compromised computers—bots—executing the search.
This is not unique to today; cyber crime has been estimated to have increased 350% (reported by the UN) during the pandemic. This makes all businesses at greater risk and those not prepared to engage in the on-going nature of maintaining currency at greater risk.
Levent: Based on my experience, cybersecurity is for everybody. Everybody has to take care of the security issues related to their business or their personal information.
For example, my local dentist is a small business, but they have health care information, which is very private information and requires different ways of providing security to that information. Although they may have only 200 people’s information, that data is still important and private, and any disclosure of that information could provide some difficulties for the business and for the customer. That’s why you need to protect your information, and it doesn’t matter whether you are a big company with data on 200 million people or a small business with information on just 200 people.
Kevin: Yes. Small businesses don’t have as much information to protect as large businesses, but any security or privacy issue can be devastating given the reality that small businesses lack the funding or knowledge to thwart attacks.
Further, most small businesses connect to suppliers, banks, partners, etc. The sharing of data puts the entire supply chain at risk. Paying employees electronically can be attacked or compromised. Most small businesses do not have large capital reserves and do their best to keep their doors open and employees paid.
Cyberattacks on all businesses, but particularly small to medium-sized businesses, are becoming more frequent, targeted, and complex. A recent survey entitled Accenture’s Cost of Cybercrime Study reveals that 43 percent of cyberattacks target small businesses, with only 14 percent prepared to defend themselves.
One cyber issue can disrupt business to the point that the small business needs to close its doors. Cybercrime, which includes everything from theft/embezzlement and DDoS attacks to accidental disclosure and hacking, is up 600 percent as a result of the COVID-19 pandemic, putting small businesses even more in the crosshairs of cyber criminals.
Jonathan: There is cyber risk for any business, any government organization, and any home. The Internet connects many different types of infrastructures together, but the packets remain the same.
Larger businesses have more money to spend on resources and protection, more cybersecurity specialists on board, and more intelligence to protect against future attacks. With that in mind, cybercriminals often like to go for the low-hanging fruit, which small businesses and their smaller budgets and resources represent. While a single attack against a small business might not net as much as an attack against a larger one, numerous successful attacks against small businesses might be very fruitful in bulk.
Elias: Nowadays, it is intuitive to say yes for this question. Being wary about cyber risk is no longer an afterthought but goes hand in hand with the initial vision of any organization.
Clearly, regardless of the size of the organization, one should have a visibility of the assets of their organization. If the assets are something that they can take out of the organization or halt it completely from conducting its operations if they are exploited or hit by a cyberattack (i.e., DDoS or a ransomware), then cyber risk awareness should be a priority, weaved into the strategy. It’s really about ROI provisioning.
Deborah: Every business and organization, regardless of size and sector, needs to be concerned about cyber risk. While cyberattacks on big companies routinely make the news, small businesses are also being targeted at an alarming rate. One in five small businesses fall victim to a cyberattack (National Small Business Association), and 60 percent close or go out of business within six months of a data breach or cyberattack (National Cyber Security Alliance).
From phishing scams to data breaches, the operational impact and costs of a cyberattack to a business can be catastrophic, including lost business and revenues, investigation, response and recovery costs, reputational damage, notification and credit monitoring for individuals affected by a data breach, litigation, fines and penalties. According to the Ponemon Institute’s 2020 “Cost of Data Breach Study,” the global average cost of a data breach (an incident in which sensitive or confidential data is accessed without authorization or stolen) is $3.83 million, and the average cost of a data breach in the United States has hit an all-time high of $8.64 million.
Many data breaches involve small and midsize firms because they tend to lack adequate security and trained staff and are data-rich sources of valuable financial and protected health information. They often maintain connections to larger companies that may provide a way into their networks for attackers, and often fail to have proper backup and restoration services in place, which makes them the perfect target for ransomware attacks.
Dwight: Small businesses are equally vulnerable. They offer the same risks as large corporations; some hackers will target small businesses due to the lack of cybersecurity focus.
Jonathan: There is no safe haven in our globally connected digital economy. All businesses should be concerned about cyber risks because negative impacts include financial loss, business disruption, breach of confidential data, and loss of consumer trust. Cyber incidents often prove fatal to small businesses that haven’t prepared for them in advance.
Rui: Definitely! And every business has their own valuables. Besides those big-name companies, attackers also target small businesses. One big reason is that the success rate of attacks on small businesses can be much higher than attacks on big-name companies, as small businesses tend to neglect cyber risks, have limited knowledge about risk management and cyberattacks and defenses, and invest less or even no money on security countermeasure technologies. Therefore, the operation of small businesses can be very sensitive to cyberattacks.
Jose: Unfortunately, small businesses must also worry about cybersecurity vulnerabilities. Although the high-focus, high-skill, well-financed attacks tend to focus on larger organizations, many of the “low-lying fruit” attacks are centered on small and medium-sized businesses. Companies with insufficient controls represent easier targets while still yielding highly actionable information.
Diane: Any small business that is connected to the internet needs to be concerned about cyberattacks, particularly in these days of increasing phishing attacks and ransomware closing down businesses. There is still a tendency for small business owners to be overconfident, thinking, “Why would a hacker bother with my small business?”
Two main reasons:
- Small and medium businesses are considered easy targets for malicious actors and can represent a good source of income for them (large volume of small ransomware amounts). Small businesses are often poorly secured with little or no security staff preventing the attack or responding to it.
- In this digital world, small businesses are often linked to larger businesses, either as a customer or as a vendor in the supply chain. Once in the small business computer system, hackers can traverse the network and get into the larger business and exploit their systems. There are many examples of hackers hacking into large businesses through this attack route. For example, the large exfiltration of credit cards that Target experienced just before the holiday season in 2013 was believed to happen because the hackers were able to enter the Target systems through an air-conditioning vendor. It is and will only get worse.
Recent reports estimate that three-quarters of small businesses had experienced a cyberattack in the last 12 months.
Small businesses also need to be aware of the cybersecurity clauses that are being added to third-party agreements today. To do business with a large company, a small business is often required to have a cybersecurity posture that represents low risk to the large business. So, it can be a competitive advantage going forward for a small business to be proactive in minimizing cyber risk. A further example of this is the Department of Defense Cybersecurity Maturity Model Certification (CMMC), which will ultimately require all government contractors to have an independent assessment to ensure they’re safe to do business with.
Long: Sure. Small businesses could be more vulnerable to cyber risks since they often operate on a tight budget for cybersecurity.
As the COVID-19 pandemic has scattered businesses and their workforces into remote work (Work From Home), and employees increasingly use their personal devices (known as Bring Your Own Device or BYOD) such as phones, tablets, and laptops to execute work-related functions for small businesses, the cybersecurity threat has also greatly increased.
BYOD is the use of personal devices to access a company’s digital assets for work, inside or outside the organizational environment (e.g., Work From Home). This can be meaningful to small businesses because of the reduced cost in device management and the flexibility it grants the employees. However, these personal devices must be carefully managed to maintain the same standard of protection as that of company-owned devices. For example, user credentials or confidential business data can be leaked if the device is compromised or lost/stolen.
Christopher: Small businesses are just as vulnerable if not more so than large businesses. The advantage of targeting a large business is the attacker has more opportunities to exploit vulnerabilities. The most common way is through a phishing attack. Phishing attacks are done by sending emails to an organization with links directing the victim to a form to trick the victim into giving the attacker information.
The real danger in a phishing attack is the attacker needs only one victim. A phishing email can be sent to 1,000 people and 999 could reject it. If there is one who falls for the attack, then the attacker has succeeded. Larger businesses have more potential to have people fall for such attacks.
In practice, we see the opposite lately. While large businesses do have more potential targets, they also tend to have the resources to have a more robust security infrastructure. Small businesses had no such infrastructure in place.
This was exacerbated by COVID-19 lockdowns and businesses having to switch to a remote work model. Smaller businesses did not have the infrastructure in place to make this transition easily. This left holes in their systems, allowing for exploits to be found. We heard of many ransomware attacks and even Zoom bombing. People started using personal devices more for work. These personal devices did not have the same security structures in place as the work machines. The lack of resources made small businesses exceptionally prime targets during this time.
Q. How can a business effectively organize and manage cyber risk?
Guanyu: A business should assess and mitigate cyber risk. People are usually the weakest link in cyber defense. Businesses should train their employees and improve their basic cybersecurity knowledge, such as using strong passwords, identifying phishing scams, avoiding clicking an untrusted attachment or link in an email, and so on.
They should also have a business continuity plan, which includes regular backup of data and systems/applications and testing of recovering data and systems. They should keep in contact with local police and the FBI so that they know where to get help after an incident occurs and keep themselves up-to-date on the newest cybercrimes and attacks.
Kevin: If I’m talking with a client, I always start off with the questions, “What happens if you were hit with ransomware today? What do you do? What do you have to mitigate, recover, and get back to operational readiness?” And when you step back, if the answer is, “I don’t know,” well, now you can start thinking about how to start building up a cyber and data privacy program and what you need.
And it’s not like you need to go out and spend and bring in the consultants and hire a forensics firm and all that. That’s not what you need to do. But what you should do is sit down and start asking the questions, “What type of information do I have? What type of systems do I have? Where do I store my data? How is that data protected?”
Depending on the size of your business, whether you’re a 7-11, or you’re a wealth manager with five people working in your office, there’s sensitive information there, and it’s still your business. So that’s when you start bringing in different experts. You’re not going to hire a chief information security officer if you’re a 7-11, but what you might do is have outsourcing. You might have managed services that come in, you can have virtual CISOs come in periodically and help set up your program, and you would definitely need a data privacy attorney.
Zahid: Attackers don’t discriminate between large and small businesses because while the latter may have less data, it is still of value and, unfortunately, sometimes easier to steal due to lax controls. The good news is that with cybersecurity, you can start small. Small businesses should simply start by categorizing the sensitivity of their data and how important it is for the attackers. Next, they should determine the vulnerabilities in their organization that, if exploited, could allow attackers access to that data. Finally, they should take steps to fix those vulnerabilities.
Normally, this last step will involve developing an information security policy and training employees about basic cybersecurity hygiene, like using data protection techniques, proper access control, regularly installing patch updates, checking for system weaknesses, and keeping backups. Simple security measures like learning how to spot phishing scams, using strong passwords, and two-factor authentication can go a long way in managing cyber risk.
Yayuan: As mentioned earlier, the current premium volume from cyber insurance only covers a small portion of the actual cyber loss. Therefore, much of the risk is retained by companies themselves. So cyber risk management should focus on prevention and loss control.
First, a company can try to make its systems as secure as possible. For example, design a secure system and constantly update systems to protect against malware and hacks.
Second, a company should have a cyber incident response plan in place to minimize financial and reputational damage when a cyber attack occurs.
Third, a company should purchase cyber insurance even though coverage is limited. Companies should actively work with insurers on preventative measures and crisis management support. The smaller the company, the more important such support services are.
Fourth, companies in the same business may work together to develop a cybersecurity strategy and protect each other from cyberattacks.
Lastly, for large-scale cyber events, the government should step in and unify corporations, insurers, and reinsurers to work out a long-term risk-sharing solution. As has been seen in terrorism risk and earthquake risk, government-backed risk management solutions are necessary when a systemic risk might surpass the capability of the private insurance industry.
David: Update passwords regularly and make them harder to guess. No pet names, birthdays, or mascots. Setting up dual authentication and biometrics will also help. If a business purchases cyber insurance, the insurer will provide loss control services and guidance on how to manage the risk.
Abhishek: One of the most important things is to understand the value of the data you have. Once you understand the information you own and quantify its value, you realize how important the data is that you’re collecting.
Secondly, you need to make sure that your network is secure. Whatever software, enterprise services, or databases that you are using, you want to make sure that your data is encrypted properly. You want to reduce the number of injection points or vulnerabilities that could be exploited by bad actors.
Another thing is that technology is continuing to move toward a cloud-based environment, making services cheaper and requiring less maintenance, improving access for smaller scale businesses. So given that malicious actors are starting to come for small scale businesses, cloud-based technologies are also facilitating the remedies and solutions for small businesses that could help protect against attacks.
Eugene: This is a major question that we’re still trying to address. Part of the issue is for businesses to give cybersecurity a level of attention commensurate with its importance. That means board level reporting, a real budget for ongoing improvement and defense, and investment in personnel, training, and tools. It may even mean rearchitecting the business to appropriately segregate and partition IT systems and data in separately-protected enclaves.
To do cybersecurity right means making a commitment in resources and prioritization. Every board (and C-suite person) should ask what it would mean to business if some/all of their data was stolen/leaked/corrupted. Then they should ask if they are confident that their company has validated, rehearsed responses to incidents that could cause those kinds of damage. If the answer is “No” or “I don’t know” then they need to do some immediate planning and assessment, probably guided by an external organization with experience in that kind of operation.
Michael: There are several components to managing risk and any security expert will tell you that you are never 100% protected. The best you can do is to minimize your risk by constantly addressing and updating the latest security concerns and known vulnerabilities.
The best way to do this is to secure a qualified security expert or company to help you manage your risk. These companies and experts will make sure that you stay current with system patches and upgrades that address newly discovered vulnerabilities that cyber criminals are looking to exploit.
The second thing is to make sure that you adopt a regular and fostered culture of cybersecurity awareness inside of your organization. If your employees do not understand the general concepts of cybersecurity and how these attacks take place, then they will always be at risk and you will be put at risk by your own staff because they do not acknowledge that their actions are creating risk.
Patricia: When a business has identified cyber risk exposures, the first step in managing the risk is internal loss control, i.e., undertaking activities to reduce the frequency and severity of potential losses. These methods include, for example, enhanced security protocols, monitoring of data access, and resiliency checks.
As it may be impossible to reduce potential cyber losses completely, a cyber insurance policy will help cover the financial consequences of an event. Effective management of the cyber risk requires continuous monitoring of cyber exposures across the business to ensure that internal loss control efforts adapt, and cyber insurance coverage limits are adjusted, as cyber risk conditions change.
Ragib: Businesses can organize and manage cyber risk in multiple ways. The first thing is awareness. All employees, from entry level to the top level, must be aware of the cyber risks, identifying potential phishing and social engineering attempts, etc. Practicing cyber health hygiene (not clicking on unknown links, not clicking on attachments, double checking email sources, etc.) should be a part of annual training for everyone.
Next is prevention. Make sure all the software systems are updated. Ensure that everything is backed up regularly. For backups, have multiple places where data would be backed up on a daily basis, and one of them should be a physical backup in a disk/media not connected to the network (e.g., a removable drive).
Finally, have a mitigation plan for cyberattacks—the question is not “if,” rather it’s “when” the attack will happen. Have contingency plans for data theft, data loss, and if necessary, insure against losses from such attacks.
Clifford: Multi-factor authentication is one way firms can more securely protect their systems and sensitive information from a breach. In the case of the Colonial Pipeline cyberattack, the breach occurred by way of a legacy Virtual Private Network (VPN) system coupled with single factor authentication. Upgrading your customers’, employees’ and vendors’ access to your systems is a critical step every organization should make.
More generally, larger companies should incorporate cyber risk into their enterprise risk management functions and focus on the following activities: (1) develop a cyber risk maturity threat assessment, (2) monitor, analyze and control cyber risks, and (3) prepare for cyber incident management and resilience.
- Organize for the fight – know your assets – data, hardware, software, personnel
- Practice good cyber hygiene – virus protection, two factor authentication, eliminate default passwords, endpoint protection, least privilege
- Train personnel – against phishing, internet scams, social engineering, intellectual property protection
- Secure data – encrypted at rest and in transit
- Manage your systems and resources – understand how systems are being used through internal or third party monitoring
- Prepare for a cyber event – build relationships and resources before the event
- Understand the changing threat environment and modify your approach and policy as required
This is a lot for a small business, but it is no different from understanding accounting or legal issues. Learn the basics and hire expertise to check your assumptions and posture.
Levent: Managing cyber risk is a professional job and cannot be managed 100 percent. This is because in cybersecurity, we have three things: known knowns, known unknowns, and unknown unknowns.
Known knowns means that we know the things that we know in cybersecurity. So I can manage the risk for those known knowns. For example, let’s take the Zeus virus. It’s very well known, we know the signature, and if that virus comes to my computer, almost all possible antivirus software will be able to detect it. This is because they wrote the software based on those knowns.
For known unknowns, we know what we don’t know. Here we can manage risk somewhat, but not 100 percent because we don’t exactly know what’s going to happen. But we know that something may happen from this part, or this weakness, or from this particular application, and I can go and manage that application or that weak point.
The most difficult area is the unknown unknowns. This means we don’t know what we don’t know, and that scares everybody. Because you don’t know where the attack is going to come from, when it’s going to come, and where it’s going to attack. How are we going to manage these unknown unknowns? That is not easy, but people are working on it.
For small businesses, your risks will depend largely on your industry. If you are a small retail shop, you probably don’t have a lot of information on the customer, so any threats regarding data loss are not that big of a deal. However, if you are a dentist or a doctor, you will have private customer information, which is important to protect.
Some basic steps to protect your data are to make sure you back up your data and make sure it is encrypted. For many small businesses, because of the pandemic, they moved many of their services and data to the cloud. So suddenly, the security of your laptop or your local network is not a big deal anymore because what really matters is the security of the cloud. So if you’re getting your cloud services from an Amazon or a Google, you are assuming these companies have proper security measures in place against some particular threats. In some sense, you are right, they have those measures, but in another sense, they may not, as they are also suffering from security attacks. However, it is probably better for a mom and pop shop to use a cloud service than to try and understand how to do it themselves.
Kevin: Most small businesses need basic security hygiene. The good news is that basic security does not cost a lot. The bad news is that most small businesses lack a security “expert” who can understand it enough to make these decisions.
A good place to start is the NIST Small Business Security Standard or the BBB Small Business Security Standard. These frameworks offer specific advice for a small business to organize against attackers and put down a fundamental framework that will keep most bad guys out. Understanding the common attacks and then fortifying against these attacks efficiently is the key for the small business.
For example, a recent Ponemon Institute cybersecurity report indicates the most common small business cyber attacks are:
- Phishing/Social Engineering: 57%
- Compromised/Stolen Devices: 33%
- Credential Theft: 30%
The aforementioned small business security standards take these statistics into consideration and are the place to start when investing in cyber defense.
Jonathan: Humans are, have been, and will always be the weakest link in any security implementation. Any hardware or software implementation of security can easily be undone extremely quickly by a gullible or naive human.
You can patch a computer, but you can’t patch people. You can teach them to be vigilant, but they forget and make mistakes. As computer vulnerabilities get more difficult for cybercriminals to exploit, people become their most obvious targets.
Make sure user education and training is provided so employees know what they should do and what they shouldn’t do. Test them to ensure resistance against phishing, spear phishing, and whaling attacks.
Elias: It is a multidimensional approach from the end-users, to upper management, all the way from the technical specifications to business strategies. There’s no one way to manage cyber risk; it’s an iterative waterfall design that goes from high-level business objectives/vision to very detailed technical implementation (and maintenance) processes.
There are de-facto steps to provision cyber risk such as monitoring the risk environment and the data assets, creating a risk plan, gaining management support, working with the employees/other stakeholders, and enforcing and continuously updating the deployed security technology. These are very generic steps but can give you an idea about the complexity and what-if scenarios in the context of cyber risk.
Deborah: Start by knowing what you need to protect. Inventory enterprise assets and software—data, applications, infrastructure that your organization depends on to operate and perform key business functions. Actively managing your enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications) inventory provides a critical foundation for preventing attacks.
Then focus on basic cyber hygiene. Here are some good questions to ask/discuss that are foundational to good security and will help identify where proactive defensive measures can reduce risk and make a significant difference in your organization’s overall security posture:
- Are sound processes and technical controls in place to assign and manage access credentials and privileges for user accounts, administrative/privileged accounts and service accounts?
- Is access granted based on the principle of “least privilege”—the minimal authorization needed to perform assigned duties/functions?
- Has our organization implemented multifactor authentication (MFA) to reduce the risk of social engineering ploys and other types of credential theft that can lead to unauthorized access?
- Have our employees received cyber awareness and skills training to ensure they understand your organization’s security policies, know how to safely handle data and systems, and can recognize and report incidents?
- Are our enterprise assets and software securely configured, and routinely patched and updated to avoid weaknesses that hackers could easily exploit to gain access to your network and sensitive data? Do we consider security in designing and procuring software with security in mind and remediate identified weaknesses?
- Are processes and technical controls in place to identify, classify, and protect sensitive data throughout its entire information lifecycle—from initial collection to disposal? Is encryption used to protect sensitive data?
- Do we routinely scan enterprise assets and software to identify and remediate vulnerabilities?
- Do we continuously monitor to identify and respond to potential threats and attacks?
- Do we have appropriate defenses in place to prevent and control the installation and spread of malware?
- Are audit logs available to quickly detect and investigate malicious activity, and support incident response?
- Do we have sufficient scenario-based response and recovery plans for common cyber incidents like phishing campaigns, ransomware, and denial of service attacks, and practices to restore critical data and assets to minimize operational impact on business?
Other areas for small businesses to consider include questions related to network infrastructure security and monitoring, will often apply to service providers’ security practices, and the management of supply chain risk.
Dwight: Training and continued training is the key to manage risk. All of the cyber protective measures are useless if individuals are not informed.
Jonathan: Many businesses partner with reputable consultants or managed security service providers (MSSPs) that specialize in cyber risk management, incident detection, and incident response. It is often too difficult and expensive for businesses to develop truly effective cyber defense capabilities without expert support.
Rui: From the perspective of management, a business needs to first assess the assurance level of all its virtual assets. All the potential risks should then be identified for those assets at a high assurance level. Correspondingly, plans for mitigating the potential threats or attacks should also be made.
For example, what should be done if an employee clicks a link in a spear phishing email? And what else should be done if an employee’s laptop with sensitive documents is stolen? Then a comprehensive review should be performed to ensure the controls/actions adequately cover the risks.
Meanwhile, as any risk management system should include technology, processes, and people, it is also critical to create a good culture of security in the business. Don’t forget that all these need to be performed periodically in the business. Sometimes a business may reach out to reputable security consulting firms for help on this process.
Jose: Managing cybersecurity comes down to three main components: people, processes, and technology. Many individuals inadvertently overemphasize technology and ignore the most vulnerable components—people and processes.
People are always the weakest link in any cybersecurity program. If collusion is present, even more risks arise. To address people risks, companies must execute quality background checks and deliver effective cybersecurity training; both are required to minimize risks. Vulnerable processes with leaky points of contact cannot be adequately safeguarded. For a technological control to work, the input, storage, and movement of sensitive data must be scrutinized.
This goes beyond the inner workings of servers and networks, extending into whether sensitive data should be collected in the first place. If they are required, then the rigid enforcement of policies covering least-required access, proper handling, and encryption must then be addressed. These interdependencies between business processes and sensitive data exposures cannot be avoided.
Specifically addressing technology, small businesses must be cognizant of the defense in depth principles required to protect their application and database servers. Failsafe mechanisms should be architected to mitigate potential data breaches, upstream and downstream. Sole reliance should not be placed on any one control. Effective deterrence is possible when a suite of cybersecurity controls such as firewalls, intrusion prevention systems, intrusion detection systems, sound backup policies, and heuristic network monitoring is employed.
If a business feels they are too small to handle an effective cybersecurity program, another option is to outsource their application and/or database servers to a managed service provider. Companies such as Amazon Web Services and Microsoft Azure can provide a measure of security, but only within the constraints of their hosting contract. It is still important for companies to govern people, processes, and individual client-side devices (e.g., laptops, desktops, mobile devices). The need for a strategic cybersecurity plan with cogent policies and procedures cannot be avoided through a SaaS (software as a service) arrangement. Outsource firms may host your application and database servers, but ultimate responsibility for data security remains with the outsourcing company.
Diane: There are many approaches to cyber risk management. First, however, the leaders of the small business must understand the potential impact of a cyber attack on their business. Cyber risk should be considered business risk and may include the inability to conduct business as usual with associated employee downtime, loss of valuable data, and the cost of restoring business operations. Related effects, particularly from those involving data breaches, might be reputation damage, legal damages, and financial loss. Some reports indicate as many as 60 percent of small businesses close their doors following a significant cyberattack.
There are many guides now available for small businesses to effectively manage risk. One of these is “Risk Management for a Small Business,” developed by the Small Business Administration (SBA) as part of its Financial Education Curriculum. While not specific to cyber risk, it does raise issues with the people, processes, and technology components of any business and is designed for the leaders of small businesses in the U.S.
Getting more specific about cyber risk and the controls necessary to ensure such risk is low, there are many guidance documents available on the internet. For example, the Federal Communication Commission has a good list of tips.
But the main treatise on cyber risk management is from the National Institute of Standards and Technology (NIST). Their “Risk Management Framework” was originally developed for federal government agencies but is now being adopted by the business sector. NIST also provides some specific content for small businesses (Small Business Cybersecurity Corner) with the current focus on ransomware.
There are also some free training courses specifically designed for small businesses. One example is the “Cyber Basics for Small Business” online training offered by the Global Cyber Alliance with the Cyber Readiness Institute.
Long: Adopt a zero trust model for access control to any resources: “Never trust, always verify.” Increase employees’ security awareness since humans often represent the weakest link in the security chain. For example, use multi-factor authentication, implement real-time monitoring of network and service requests, and maintain offline data backups.
Christopher: One problem small businesses have that large businesses don’t involves the resources allotted for cybersecurity administrators. Most small businesses do not have a security expert for their cybersecurity. At best, they contract out their security needs to a third party. The best fix a business can have in managing cyber risk is to have a dedicated security expert to handle and maintain their security.
While having a security expert is the number one thing to help a business, there are plenty of other things a business can do to ensure security readiness.
- Educate employees to the concept of social engineering and how to avoid it.
- Keep all machines and systems up to date.
- Enforce good password policies (such as long passwords, no dictionary words, change passwords annually) and invest in multi-factor authentication.
- Invest in a VPN.
- Always, always have an offline backup.
Q. Where do you see the cyber insurance market trending, and what are the main insurability challenges?
Guanyu: The concept of cyber insurance and its adaptation in the industry is still at the early stage. I believe that more and more people will realize that cyberattacks and their negative consequences are real. The cyber insurance market will increase as the demand increases with the recent waves of ransomware attacks. I see three main insurability challenges:
- How to effectively determine the premium and coverage of cyber insurance. Historical data of insurance premium and cost/coverage plays an important role in deciding the future premium. Because cyber insurance is still relatively new, insurance companies may not have enough historical data to determine the right price and cost.
- How to assess the clients before a cyber incident occurs. Many small businesses do not have dedicated IT professionals to assess and mitigate their risks. This means that insurance companies need to hire third-party cybersecurity firms or vendors to periodically assess their clients to see if they implemented their cybersecurity defense properly. If a client does not do any due diligence, then the client may not be insurable or may pay a higher premium. In short, the challenge is to decide if a client has done due diligence or not.
- The constant changes and uncertainty in cybersecurity. The cost of a cyberattack may increase dramatically within a year due to the ever-changing nature of technology. This may cause an insurance company to pay out an unexpectedly large amount of money, which may lead to financial failure. Also, as payouts increase, the premium will increase. Will clients keep paying the premium when it becomes very expensive? For a typical health, property, or auto insurance, the maximum payout can be expected, which is the price of the property. But no one knows what the maximum payout or damage of a cyberattack is, which could be millions of dollars.
Kevin: The key is when you get cyber insurance, it’s important to get a lawyer’s eye on your policy so you can make sure that you know exactly what you’re getting and what you’re paying for. What you don’t want to have happen is when there is a breach, you find out that the insurer won’t provide coverage because of a technicality in the contract.
Down the road, I see the insurance industry dictating what the best practices are, because if they’re going to pay to cover a breach or attack, they’re going to want to look at your systems and make sure you were following best practices. Did you do what we required you to do? Because if you didn’t, that means that’s a breach of contract, and we’re not going to pay up.
I think this is what’s really tough for organizations right now. You can go from victim to defendant, because you’re going to have the regulators coming after you, you might have law enforcement coming after you, and you might have the plaintiffs’ bar suing you because there’s a breach of personally identifiable information. And then you can be a plaintiff too, because the insurance company might not be taking on your case and saying you didn’t follow the best practices, so we’re not going to pay you.
Zahid: As cyberattacks such as ransomware proliferate, businesses are going to increasingly rely on cybersecurity insurance to help cover not just ransom payments but also other financial losses caused by business interruption, fines, and expenses owing to data breaches. Currently, I see the following major challenges from the perspective of the insurer, the insured, and the attacker.
Many insurance companies are caught off-guard with increasing ransomware demands and are responding by raising premiums, changing their products and limiting coverage based on the size and nature of the business to remain profitable. However, as insurance companies start to educate their risk analysts in cybersecurity and build a knowledge base, I think we will see this industry quickly recover and grow with the demand.
A grave challenge I expect we will see from the point of view of the insured is the issue of moral hazard. Companies who resist adopting sound cyber hygiene practices may be inclined to over rely on insurance companies to pay the ransom bribe and bail them out so that they can get back to their usual business as quickly as possible.
Part of the moral hazard problem is the asymmetry of information. The organization knows what its risks are, but the insurance company doesn’t and so the latter can’t charge an appropriate premium because it doesn’t know how much risk is being incurred. It will be extremely important that insurers accurately price ransomware risk using appropriate factors—not just the size and nature of business but also the company’s cybersecurity posture.
Companies’ operational security and incident response readiness should be a part of the assessment leading to reducing premiums, just like automobile insurance has evolved to a usage-based model which tracks the way drivers operate a car. This would help keep the cyber insurance industry from fueling ransomware.
Finally, cyber insurance may lead to unwanted attention from hackers themselves. Hackers such as REvil have been known to target the insurers so as to get the list of its cyber policy holders to target. DarkSide, the ransomware group reportedly behind the Colonial Pipeline hack, is known to adjust its demands according to the victim’s insurance coverage.
In summary, I think cyber insurance companies can leverage their unique position in dealing with the aftermath of ransomware incidents to expand their risk-analysis heuristics. Insurers can then provide feedback to the industry on how they can improve their cyber hygiene practices.
Yayuan: Due to the growing demand for cyber insurance, the cyber insurance market is expanding rapidly worldwide. According to AM Best, the average annual growth rate in premium has been 20% in the past four years. Despite the relatively fast growth of the cyber insurance market, only a small portion of cyber loss is covered by insurance. In 2020, global losses from cybercrime are estimated at $945 billion according to McAfee, and global cyber insurance premiums are around $7.8 billion. This means insurance only covered less than 1% of cyber losses in 2020.
An important factor that determines the development of the future cyber insurance market is the insurability of cyber risk. First, cyber risk is increasingly sophisticated and hard to predict. Without sufficient data and good analysis of data, it is hard for insurers to quantify the likelihood of a cyber event and the costs generated from the event. Second, the potential loss from a cyberattack could be extremely high. The recent hack on Colonial Pipeline in the U.S. resulted in a massive gasoline shut-off and a ransom of $4.4 million. An event like this has a terrorism- and war-like character. We know that systemic or catastrophic risk is generally not insurable for private insurers. Third, as of now, there is also a lack of effective tools for insurers to prevent, detect, and evaluate cyber threats, which makes cyber risk hard to manage.
Without a full understanding of cyber risk yet, many insurers set low limits and various exclusions to cap their liability for cyber risk. For example, many insurers do not cover intellectual property theft or damage to physical assets from a cyber incident. In sum, cyber is a challenging risk for insurers and many are still in the stage of defining their own risk appetite.
Victor: Cyber distortion, ransomware, viruses, malicious breaches, stolen data, fraudulent use and access to accounts, phishing attempts, unintentional as well as unauthorized disclosure of data, attack of industrial controls, and the internet of things (IOT) and cloud computing are all growing cyber exposures—just to name a few. The increasing number of first-party and third-party cyber losses has significantly impacted today’s cyber insurance market.
The insurance industry is making two market adjustments to the increasing cyber claims. The availability of coverage—higher limits—is shrinking, and the pricing of coverage is increasing. This is the classic example of a hardening or hard market depending on how you look at the relatively short-term history of the cyber insurance marketplace. The main insurability challenge is the lack of access to coverage and higher insurance premiums on renewals.
David: Cyber insurance is rapidly becoming more expensive and restrictive due to the high-profile cyberattacks and ransomware demands over the last year. Cyber insurance typically covers two things: data and the network. Data is arguably the most valuable asset for an organization and subject to privacy laws. The network computer system is at risk of being breached, damaged, and held for ransom. What started several years ago as kids in the basement extorting a few hundred dollars has evolved into organized crime and state-sponsored cyberattacks requiring payment of millions in bitcoins. The increasingly sophisticated attacks have led to dramatic increases in loss frequency and severity which causes higher premiums.
Cyber insurance is still relatively new, and insurers are still learning how to model the risk and provide effective loss control. It is the fastest-growing line of insurance, and insurers are struggling to keep up with the evolving threats.
Abhishek: I think there will be a time when cyber insurance is purchased for the individual and not just for organizations. Just like we buy auto and property insurance, the time is going to come when we have to buy our own individual cyber insurance.
The reason being the world has shifted toward the digital platform, especially because of the pandemic. A lot of people and organizations are getting equipped with technology, and with this comes many more cyber threats. The market is definitely going upward, and you may see a lot of insurers coming to this field, as well as an exponential rise in cyber insurance that people and organizations are buying.
With other insurance types, like home or auto, it’s relatively straightforward to price. You have a number of factors that you consider, like driving history, make and model of a car, etc. With cyber insurance, there are some factors that are easy to quantify, like how many attacks have happened in the past, how robust is your infrastructure, etc. But one of the things which is still difficult to assess is the financial value of your data. I believe that is the major challenge.
Another challenge is building the risk assessment model. Your model is only as good as the data you use, and with cyberattacks, past historical data may not be adequate to predict the next risk or cyberattack.
The progression of technology and the fast pace of innovation may also be a challenge. Technology continues to penetrate deeper into infrastructures, meaning the chance of cyber risk is increasing as well. And with hardware getting cheaper, more and more small businesses are able to afford these new technologies, which in turn increases the risk of cyberattacks.
Eugene: I think we may see some exclusions or narrowing of circumstances for ransomware coverage.
The biggest problems right now would appear to be:
- What are the appropriate best practices to measure to assess risk and set appropriate policy rates?
- How to deal with the moral hazard issue (e.g., clients change configurations out of expected or indulge in riskier behavior because of the insurance).
Unless insurers can get a handle on these issues it is likely they will not be able to offer broad coverage, or they may not be able to stay in the market.
Michael: The real challenge in insuring data is establishing the value of that data. What may be considered priceless to a small business or organization may not really have the same value to an insurance company.
The other issue is that insurance companies are looking to charge fees based on a risk level that they have established by performing some sort of an audit on the property or valuable. The ability and cost of an insurance company to perform an adequate evaluation of a customer’s level of security may far outweigh what the insurance company will receive from the company in annual fees, etc. Once these two variables become too disparate then the value of the insurance policy to the insurance company becomes less and too much of a risk for the insurance company to take on.
Patricia: The insurability challenge for cyber risks stems from the growing frequency and severity of cyberattacks, as well as the evolving nature or “complexity” of the attacks. If insurers cannot accurately estimate the risk of an attack and the likely consequences of an attack, it is difficult to establish terms of coverage, including the price.
Attacks have become more severe and are encouraging businesses to seek coverage but, at the same time, insurers are still developing expertise with little historical data to work from. The good news is that coverage is generally available, though coverage levels are modest, and prices are increasing.
Clifford: The recent Colonial Pipeline cyberattack caught many by surprise in terms of its disruptive impact, but it also underscored the vulnerability of companies and other organizations to these threats. Cyber insurance premiums have risen significantly over time with AM Best reporting that premiums rose by nearly a third in 2020.
With cyber threats expanding and evolving at an increasing pace, insurers are struggling to understand the likelihood and severity of these risks in a manner that enables them to accurately underwrite and price this risk. Consequently, premiums are likely to continue rising and incorporate some uncertainty factor into their pricing.
Phil: It is getting more expensive and the insurance companies are reducing their exposure by requiring more mature cyber readiness programs.
Levent: The challenge with cyber insurance today is a lack of historical data. If you look at car insurance, for example, insurers can build models based on accident reports and an understanding of what characteristics and types of behavior lead to accidents. Based on that, insurers can manage their risks and come up with a premium. So, for example, if you are driving over the speed limit or are driving drunk, then you have a higher probability of getting into an accident. We may not ever be able to get that kind of historical information about cybersecurity.
The lack of historical data is a big challenge to manage the risks that may happen in the future, let alone the technological difficulties, because technologically, everything is constantly evolving. Programs are updating, computers and hardware are changing, and it is a very dynamic environment. Threat factors are changing, and when threat factors are changing, your risk models that you used to use may not work anymore.
So it is difficult for insurers to write policies in a very clear manner because of the lack of information and the risk models that they are using right now. They may not be able to easily write something that’s going to define every possible outcome. And the other thing is they do not know the unknown unknowns, so they are unable to predict future risks.
As a result, insurers are writing policies in a way that, even if something happens, you may not be able to get the coverage that you were expecting. That lack of language in the policies and not understanding the lack of coverage clearly is causing problems in the industry because people don’t understand what they’re covered for.
But these things are evolving. And there are many pending court decisions that will affect how these policies are written in the future. Another important thing is the standards that we have for privacy issues, for example, GDPR in Europe and CCPA in California. These regulations help insurance companies and also insurance buyers. Because with those standards, you can define things more clearly. We don’t have any federal level regulations yet, unfortunately, but I believe the federal regulations are going to come.
Kevin: Cyber insurance has been a hot topic for nearly 20 years now and has matured to a point where options are now available for small businesses. Some insurers offer riders for existing policies and others offer standalone cyber insurance options. Each carrier varies in what they cover, when, where, and how much.
It is important to understand the details of the insurance to ensure compliance in case of a claim. Ransomware is a great example of a very common and disruptive attack occurring on small businesses. 71 percent of all ransomware attacks are on small businesses. Why? They are easy targets.
Small business owners don’t really understand what a ransomware attack is or what they should do if it occurs. Should I set up a bitcoin account? Should I pay the ransom? Should I contact law enforcement? Insurance can help after the fact, but it is vital the covered business understand reporting timelines, requirements, and other terms of the in-force policy.
Jonathan: The cyber insurance market is trending towards a new normal because of the explosion of ransomware, and its related claims, over the past two years. Companies with cyber insurance could actually be targets because of the policies themselves, which might imply a lack of certain cybersecurity implementations. As such, the price of policies that cover ransomware and other attacks could rise dramatically. Companies could be required to show they are doing their ultra due diligence in multiple aspects of cybersecurity before such policies are granted.
A big challenge for insurability is the fact that cybercriminals and cybersecurity specialists are playing a never-ending cat-and-mouse game. The bad guys get in, then the good guys implement protection for that attack, and finally, the bad guys find a new way in. Rinse and repeat. Determining a business’s risk is thus hard to quantify, since it is always going to be a moving target with new types of attacks.
Elias: Typically, cyber insurance would mostly cover hacks/data breaches, ransomware attacks and their implications, phishing attacks, and employee negligence. I don’t believe these will change moving forward (as in they continue to persist with their threat).
What will increase is perhaps the number of insurers in the cyber insurance market, the number of cyber insurance policies written nationwide, the demand for cyber insurance, and the premiums for cyber insurance. I also perceive that organizations in critical sectors would limit their amounts to be paid (by the insurers) to demotivate attackers in targeting their organization. Additionally, we know that the cyber insurance market is not as mature as other insurance markets (e.g., housing/health, etc.). It’s really still in its infancy.
Regardless of the organizational assets and amount of premiums they are paying, the insurance market in a nutshell doesn’t have the financial stability in terms of cash assets. Any cyber threat targeting a number of organizations with big enough assets will probably wipe out the insurer’s premiums for that year. Basically, uncertainty of outcomes could make insurers cautious about quickly responding to increases in demand, even if pricing supports it.
Further, scale could become a problem. Meeting a rapid spike in demand on a relatively new risk could result in a significant increase in losses too. Accepting that sort of risk in a niche market isn’t the same as doing so more broadly, which ultimately could lead to shortages in capital (and reduced availability in the market) for cyber insurance.
Deborah: Cyberattacks are on the rise, with attacks becoming more frequent and losses becoming more severe. In 2020, cyber insurers reported a significant increase in losses, as companies across industry sectors were hit by costly cyberattacks, with a rise of more than 400% in ransomware cases and skyrocketing extortion demands.
While reports vary, demand for cyber insurance has increased sharply, along with the cost of coverage (up 10-30% in 2020); however, coverage limits and scope of coverage are being reduced. The overall percentage of organizations with cyber insurance has increased to just under 50% in 2020. Many organizations are required by statute or regulation to have it.
The market is quite saturated; however, only 10 U.S. insurers account for over 70% of all policies. Insurers in some high-risk sectors are reducing their exposure by reducing coverage limits or reducing coverages and placing lower limits on ransomware payouts. Industries where insurers have moved to reduce their exposure include health care and education.
The Government Accountability Office warned in a May report [1] that “the extent to which cyber insurance will continue to be generally available and affordable remains uncertain.” The New York State Department of Finance announced in February 2021, that massive industry losses were possible. [2]
Challenges facing the cyber insurance market include limited historical data on losses, limited visibility into the level of cybersecurity risks by covered businesses, and aggregated losses from cyberattacks.
Challenges facing businesses seeking coverage include cost and expectations that good cyber practices and safeguards are already in place. Risk assessments and physical assessments of cyber defenses are a common step in maintaining coverage.
- [1] GAO-21-477, CYBER INSURANCE: Insurers and Policyholders Face Challenges in an Evolving Market.
- [2] NYS DFS Insurance Circular Letter No. 2 (2021). Cyber Insurance Risk Framework.
Dwight: Cyber threats are ever-changing; ransomware attacks will continue to evolve, and much of their effectiveness is due to the lack of knowledge. The cyber insurance market must also develop and attempt to understand these attacks. This development approach may be complex, but it is the only way. Without that type of progress, cyber insurance may be essentially useless.
Jonathan: Cyber insurance will remain a valuable tool in the risk management toolbox for the foreseeable future. That said, it is just one aspect of an effective risk management program. Insurers recognize this and price accordingly. Businesses without effective cybersecurity programs have fewer coverage options, pay higher premiums, and are more likely to have their claims denied after an incident occurs.
Rui: Research on intrusion detection/prevention has been conducted for decades and will surely continue in the foreseeable future. Currently, the adoption of machine learning (ML) and artificial intelligence (AI) into such a research area is a rising trend. They are for tackling the challenges of behavior modeling in intrusion detection/prevention and aim to identify abnormal activities of the intrusion from the normal ones with high robustness and accuracy.
The first challenge is that the behavior of some types of intrusion is very close to that of legitimate software. For example, the basic operation of ransomware is file reading/writing plus the data encryption that can also be found in legitimate software. The second challenge is that polymorphic malware often changes its behavior during propagation to evade detection. The third challenge is that, compared to the gigabytes of events generated by the operating system every hour, the number of events of malicious activities is extremely tiny; the detection of intrusion is very similar to finding a needle in a haystack. Therefore, it is reasonable to say that intrusion detection/prevention with ML/AI will dominate the market in the near future.
Jose: The recent rash of ransomware attacks reflects, to a certain extent, the “low-lying fruit” nature of recent malware attacks. The increasing commercialization of hacking has exposed more companies to a widening attack surface. Specific to ransomware, much mitigation is offered through effective database backup and network redundancy protocols. Often, companies lacking these controls are faced with unnecessary data loss during a ransomware attack.
Unfortunately, insurance does not solve the core challenges associated with cybersecurity. In addition to being very expensive, its future may be somewhat dampened by numerous issues.
First, the underwriting process to qualify for insurance is fairly rigorous. Significant weaknesses in your cybersecurity program can prevent or invalidate desired coverages. Another potential challenge is that any intentional or inadvertent misrepresentations during underwriting can block subsequent coverage. Moreover, some companies report the presence of insurance investigators as being highly disruptive during a hacking incident. Usually, they are there to assess your event readiness and reaction, a contributing factor to any current or prospective coverages. Managing this process can be somewhat time intensive.
Determining what exactly insurance will cover can also get complex. Does it cover only first-party losses (internal company disruption costs), or does it also cover third-party losses (e.g., regulatory fees or vendor late fees)? Are any forensic and ransomware handling/negotiation costs included? Is any property/casualty legal coverage involved, or does the company have to cover these separately?
Often, many of these costs are only covered by costly insurance riders. It goes without saying that any hacking incidents will severely affect your ability to renew coverage. In conclusion, I would say that none of these provisions help reconstitute your damaged corporate reputation. If a company is entrusted with sensitive customer information and loses control of it, it speaks directly to a trust and fidelity issue. No amount of insurance can adequately address this breach.
Diane: Cyber insurance has been a growing field over the past few years, as the insurance industry has provided an option for “risk transfer” to many businesses. However, in general, insurance premiums are based on risk factors, as we see in other areas of the industry. Life insurance, for example, takes into account age, heart disease, smoking, etc., to determine appropriate rates.
Cyber risk now is generating similar data on which the insurance companies can better base their premiums. More insurers are wanting proof of good security practices in a company before determining if they will insure the business or how much to charge. In general, prices are set to increase as attacks increase and restrictions on coverage of the policies will be better defined. Policies may also be tailored to specific industries—for example, retail, utilities, etc.
In summary, small businesses must practice good cyber hygiene to reduce risks, increase competitiveness, and make cyber insurance cost-effective. There are many tools available to help them be successful.