The first installment in this series on evolving risks for small businesses addresses cyber risk management, mitigation, and insurance.
Contributed by Nicole Farley, Vice President of Carrier Operations at Bold Penguin. As VP of Carrier Operations, Farley has been streamlining the small commercial quoting experience for agents and small business owners, working closely with several large enterprise partners and carriers to achieve mutual short and long-term goals and objectives.
The Evolving Risks Of Small Businesses is a six-part educational series crafted to help insurance agents navigate the demands of commercial insurance, brought to you by Bold Penguin. Each month, we will highlight a new timely topic that will discuss the trends and tips of a particular risk to help ensure that business owners’ investments are protected.
January’s focus is cyber risk management. In July 2024, the complimentary, completed Evolving Risks Of Small Businesses playbook will be downloadable at www.boldpenguin.com.
The first installment in this series on evolving risks for small businesses addresses cyber risk management. It’s top of mind for everyone in our space – it certainly is for Bold Penguin and our carrier partners, and it should be top of mind for your customers too.
A cyberattack is an “attempt to steal, expose, alter, disable, or destroy information through unauthorized access to computer systems.” The prevalence of cyber risks is rising as businesses become increasingly more digital. However, small business owners may not be cognizant of this risk or the financial and reputational consequences of an attack until it’s too late. According to the Hiscox Cyber Readiness Report, “41% of small businesses experienced at least one cyber attack during the last year. The median cost of cyber attacks for one small business in a year is $8,300.”
As a trusted advisor to small and medium-sized businesses (SMBs), it’s vital for commercial insurance agents to educate themselves on the many intricacies of cyber risks, potential threats, and available options, as well as how to effectively communicate the value of cyber risk management policies.
Madison Williamson, Senior Insurance Product Manager at At-Bay stated, “As all businesses are forced into the digital world it is no surprise that small businesses are sometimes ill-equipped to recognize the risks or react with the necessary speed to rectify errors or attacks. If an insured feels cyber insurance is not relevant to their business, agents should have insureds consider what impact days, if not weeks, with no access to their digital files would have on their top and bottom line. Additionally, what would clients or customers think if their information were stolen or if fraudulent invoices were distributed resulting in unpaid work?”
Williamson continued, “While it can be tempting for small businesses to eschew the risk of cyber attacks, it is vital for business owners to carefully consider not just the financial impact of lost sales and profits but also the reputational impact of being considered not secure by customers.”
To effectively advise on cyber risk management, a key first step is understanding the landscape of cyber insurance and its potential cost on small businesses. Cyber attacks include, but are not limited to, ransomware, phishing schemes, and supply chain vulnerability attacks. The types of cyber attacks and the associated technologies that cyber pirates use are quickly evolving and dynamic. For this reason, small businesses can be an easy target for cyber hackers, sometimes with devastating effects.
According to Mathew Probolus, Chief Underwriting Officer at Berkley Management Protection, “Small businesses are frequent targets of cyber attacks. A recent [Datto SMB Cybersecurity for MSPs] report found that in the last year 32% of small businesses reported that they dealt with a phishing email or attack. 30% of small businesses reported that they also dealt with a computer virus. While not as common as phishing and computer viruses, ransomware attacks remain a top concern for small businesses due to the severe impact a ransomware attack can have.”
According to Chris Hojnowski, Vice President, Technology and Cyber Practice Leader with Hiscox USA, when advising SMBs, it’s important to stress that risk can be mitigated, not eliminated, by “implementing strong internal controls and procedures, maintaining security controls, and proactive action. I would stress that companies of all types and sizes have risk in the digital age and should consider their cyber exposure.”
An agent can aid SMBs with cyber risk management by making them aware of these real-world examples to help comprehend the devastating consequences of being unprepared.
Hojnowski adds, “cyber extortion, where an electronic crime takes place and the threat actor demands money, can include ransomware, distributed denial-of-service, and other attacks. The Hiscox Cyber Readiness Report 2023 found that for businesses who paid ransoms, only half (50%) recovered all their data, and half (50%) were forced to rebuild systems. Over a quarter of businesses (27%) who paid ransoms were attacked again, and 27% went on to be asked for more money by the attacker.”
Small businesses usually don’t have the luxury of dedicated, trained resources to address cybersecurity weaknesses or rebuild systems. Hackers target smaller businesses because they typically focus less on cyber risk management and weaker security than enterprise corporations. Agents must remember this when helping SMBs find comprehensive coverages to address these weaknesses. Probolus adds that customers and agents are not alone in fighting this battle, “Cyber agents can direct small businesses to risk management tools offered by cyber insurers and its partners who can provide training and system cyber risk management assessments, and who can assist in the development of an incident response plan to ensure a company is prepared in the event of a cyber attack.”
Hojnowski goes on to say, “Where there are humans, there’s vulnerability to cyber attacks. And where there is any kind of sensitive or valuable data, such as customer information, there’s a target for bad actors. In ransomware attacks, the most common points of entry were phishing (53%), unpatched servers/VPN (38%), and credential theft (29%). All of these forms of attack are made possible by human error, such as clicking a link in a phishing email, missing a security, or not using a secure enough password.”
Probolus speaks to this point: “Many times, small businesses are unaware of the weaknesses and vulnerabilities that exist within their business. The first step is to recognize areas of weakness. Small businesses tend to have unsecured networks, exchange sensitive data in unsecured communication channels, and lack proper monitoring of their systems and untrained employees.”
Foremost, consider recommending collaboration with cybersecurity professionals and utilization of carrier partners’ resources. Educate SMBs on the value of working with experts who can offer the most current information and taking advantage of resources in this evolving field. Additionally, here are just a few tips to think about when guiding customers toward effective cyber risk management and coverage:
Continue to stay informed on new cyber threats so you can help update policies accordingly and identify your customers’ vulnerabilities. In some cases, the insured will receive better rates if carriers see evidence of proactive cybersecurity and cyber risk management measures, like strong employee training programs, and incident response plans.
Not all businesses are the same. And not all cyber risks are the same. When tailoring coverage, consider the specifics of business operations, i.e., the nature of their customers’ data, their reliance on technology, current industry regulations, and potential financial impact of a cyber incident.
Just as not all businesses or risks are the same, neither are the coverages. Agents need to quote policies with confidence that what is being presented is the best possible solution to ensure investments are protected. Don’t just consider cost, but also the coverage details and additional services offered from varied quotes.
Carefully review the coverage offered by different cyber insurance policies. Ensure that the policy aligns with your customers’ cyber risk management needs and that the limits are appropriate for their size and type of business. Evaluate if common coverage includes all of the potential losses, limitations and exclusions in the case of a cyber incident, e.g., data breaches, business interruption, legal expenses, and regulatory fines.
As Probolus states, “Cyber policies provide coverage for first and third party exposures. First-party coverage pays for expenses your company might incur as a result of a data breach or attack on your computer system. Examples would be ransom payments, loss of business income while you restore your computer system, and costs to restore your data. Third-party coverage pays for costs associated with claims against the company when a third party sues you for allowing a breach to occur. Third parties could include vendors, customers, and clients.”
Some policies may not cover certain attack types or may have specific conditions that need to be met for coverage to apply. Make sure the plan is comprehensive. Hojnowski reminds us to “Please consult individual policies to confirm types and limits on coverage. Over the years, cyber forms have evolved to keep up with the growing threats and changing landscape of cyber attacks by introducing language to help respond to these new and ever-changing attacks.”
The more proactive your clients are in cyber risk management and mitigation, the more effective their cyber insurance coverage will be if an incident occurs. While we all know that insurance provides a safety net, encouraging clients to implement proactive cyber risk management strategies and risk mitigation tactics is just as important. These same principles are as true in insuring against a cyber attack as they are in protecting a physical asset.
Williamson adds “While the world of cybersecurity can be daunting, business owners can be reassured that there are some basic security protocols that can significantly reduce the risk of cyber attacks and help ensure better insurance terms. This includes enforcing multi-factor authentication (MFA) for email access and remote network access. Remote access tools are often targeted by cyber criminals, which makes both MFA, as well as strict remote access policies, vital in protecting businesses from unauthorized access. Additionally, email remains a favorite target for financial fraud or social engineering attacks, which emphasizes the importance of implementing strong email security solutions to stop attackers at the gate. Software vulnerabilities are also frequently exploited, which means a routine and well-maintained patching cadence can aid businesses in staying protected, including retiring end-of-life systems that are no longer supported. This type of plan is best developed in partnership with a security provider.”
Human error is a common factor in many cyber incidents. Educate customers on the importance of creating an ongoing cybersecurity-aware culture where every single employee understands its value.
As a commercial insurance agent, your role includes being a trusted advisor in navigating the complexities of cyber risk management. By understanding the threats, conducting thorough assessments, educating customers on the need, and collaborating with cybersecurity professionals, you can tailor effective coverages that empower your customers to face the challenges of the digital era with confidence. Through proactive education, risk mitigation strategies, and staying informed about regulatory changes, you can guide your clients toward building resilient businesses that stay ahead in the game.
The preceding is part one of a six-part educational series on navigating commercial insurance, with the purpose of keeping commercial insurance agents abreast of industry trends. The complete Evolving Risks Of Small Businesses playbook will be available in July 2024 at www.boldpenguin.com.
The fourth installment in the Bold Penguin series on The Evolving Risks Of Small Businesses addresses the changing landscape and need for surety bonds.
Carlos Gonzalez-Avila, Small Business Insurance Specialist at Bold Penguin, provides insights on support for agents in the insurance business in this issue of 3 Questions.