Should SMBs Invest in Cyber Insurance?
IndustryView | 2015
In a business environment that seems chronically susceptible to breaches, purchasing cyber risk insurance may sound like common sense. However, cyber insurance products are often complex and expensive, and can contain many exclusions. For this report, we surveyed owners and decision-makers at small and midsize businesses (SMBs) to gauge their awareness of, and interest in, cyber insurance. We also consulted with experts to determine what factors they should consider before purchasing it.
Cyber insurance sounds like an idea whose time has come. After all, in today’s wired business environment, successful cyber attacks seem to be proliferating at a dizzying rate. According to the Identity Theft Resource Center, there was nearly a 28 percent increase in the number of breaches reported between 2013 and 2014.
It is perhaps unsurprising, then, that cyber insurance purchases saw a fivefold increase from 2006 to 2013. But what exactly is cyber insurance?
[Cyber insurance protects] against losses related to cyber-risks, such as data theft/loss, business interruption caused by a computer malfunction or virus and fines or lost income because of system downtime, network intrusion and/or information security breaches.
In the past, much of the discussion on cyber insurance revolved around the needs of enterprises. Now, however, products aimed at SMBs have hit the market, and are reportedly gaining in popularity. But while the costs of a breach can indeed annihilate an SMB, the average cyber insurance policy is complicated, expensive and can contain many exclusions. In other words, the decision to purchase is anything but straightforward.
To gauge SMB awareness of—and interest in—cyber insurance, Software Advice surveyed owners and decision-makers at U.S.-based companies with up to 500 employees. We also spoke to experts for advice on the issues businesses must consider when deciding whether or not to purchase a policy.
First we wanted to know something fundamental: Are SMBs even aware that dedicated cyber insurance exists?
According to our sample, for the most part, the answer is “no”: just 33 percent of respondents know about cyber insurance; 67 percent do not. However, this does not necessarily indicate an apocalyptic marketing failure on the part of insurance companies.
Bob Rudis, a security data scientist at Verizon Enterprise Solutions who previously worked for insurance firm Liberty Mutual, emphasizes that the market is still young.
“I would define [its] state ... as ‘infant’ or ‘forming,’” Rudis says. “There have been companies selling versions of cyber insurance for a few years, but there is no same standard of practice for vetting a potential company, [sharing] claims data or historical (actuarial) data or even a consensus on pricing models.”
It is also possible that many SMBs have not investigated cyber insurance because they think they already have it. Information technology (IT) security and insurance expert Nauman Noor says that some insurance carriers provide limited cyber coverage for SMBs within their business-owner policies.
“Typically, these cover the cost of business impact due to network loss and having to restore their IT systems,” Noor explains. However, he adds, what is typically not covered (or if it is, is capped at a low limit, such as $10,000) is the impact from a data breach. This includes things such as the cost of letting all impacted parties know their credit card information has been lost.
Mike Carey Jr., senior insurance advisor at carrier CyberInsure Solutions, has a similar opinion. Decision-makers who think their business insurance covers cyber-issues, he explains, should inspect their policies for “gotcha” clauses that leave them vulnerable to critical—and potentially costly—threats.
Awareness of cyber insurance may be low, but adoption rates are even lower. Indeed, only 2 percent of respondents in our sample report having cyber insurance in place—making the market an “infant” one, indeed.
However, after defining cyber insurance to the SMB decision-makers in our survey, we find that a majority are at least a little interested in it. A combined 52 percent are either “very,” or “moderately” intrigued, with a further 32 percent “minimally” intrigued—giving us a total of 84 percent expressing some level of curiosity.
Of course, after a year of news stories involving high-profile breaches at large companies, it is little surprise that SMBs are interested in a product that might help protect them against catastrophe. The disastrous trend has continued unabated into 2015, with the huge breach at health insurance provider Anthem as one example.
So what types of businesses currently purchase cyber insurance? Steve Durbin, managing director of the nonprofit Information Security Forum, says those in the health care industry have been particularly active buyers “due to the enormous volumes of customer data they have to handle” and the regulations they must adhere to. Similarly, financial, retail and higher education institutions are subject to regulations, and thus, more likely to purchase cyber insurance.
However, Durbin adds that he is “also seeing players in a number of new industries” purchasing cyber insurance, such as manufacturing and supply chain. Again, regulatory concerns are frequently a driving force.
SMBs are more at risk of a data breach than large companies: With fewer resources to handle the fallout, an attack can put them out of business. However, juggling the demands of already-small budgets and narrow profit margins can discourage the purchase of potentially expensive cyber insurance. Given this, we asked what information would be most important in persuading SMBs to make the investment.
Any SMB owner or manager contemplating cyber insurance is going to consider all of these factors (and others). However, the area of greatest concern is understanding the business’s own liability for a breach, cited by 31 percent of respondents. Clearly, the thought of being on the hook for millions of dollars is highly persuasive to many.
A knowledge of insurance premium costs is a relatively distant second, cited by 20 percent of our sample, while factors such as understanding the likelihood of a breach or knowing exactly what the policy would cover lag even further behind. Almost one-fifth (19 percent) flatly state that they would never purchase cyber insurance, unless required by law.
The question of liability is a complicated one that varies from industry to industry, and is also tied to the regulatory issues cited by Durbin. But SMBs would be safe to assume that in the case of a breach, many costs are going to fall upon their heads.
Carey of CyberInsure Solutions notes that government penalties may be the least of SMBs’ worries. “In more and more cases, the most costly part of cybersecurity risk to businesses may come not from the hackers, but [from] the lawyers,” he explains.
Ultimately, however, SMBs may be forced to purchase cyber insurance as a matter of doing business. The infamous Target hack in 2013 began with an attack on a third-party HVAC contractor the retail titan did business with. According to Andrew Braunberg, research director at IT security research and advisory company NSS Labs, this has led large companies to become increasingly anxious about third-party risks.
“Historically, SMBs have simply accepted cyber-related risks, or avoided them by quickly adopting new information technology,” Braunberg says. However, he adds, any smaller businesses working with large enterprises or government agencies are likely to find that these organizations will “increasingly insist” that their partners, suppliers and contractors have some level of cybersecurity insurance.
“This is likely to be a significant driver in incentivizing SMBs to adopt some level of coverage,” Braunberg says.
A realistic appraisal of all the costs of a breach—whether in the form of fines, lawsuits or legal fees—is key when considering whether or not to purchase cyber insurance. Yet SMBs seem to be in a state of uncertainty: Just one-third of respondents claim to be “very confident” they understand the financial damage such an event could do to their business.
A further 40 percent hedge their bets, claiming to be “moderately confident.” The remaining 27 percent (combined) are much less secure.
The costs of a breach vary according to the industry a business operates within. But according to the Ponemon Institute, the average cost of a data breach in the U.S. is estimated to be $201 per compromised record, with the total average cost to a company amounting to $5.85 million. It’s little surprise, then, that the U.S. House Small Business Subcommittee on Healthcare and Technology reports that 60 percent of small businesses close within six months of a cyberattack.
But before SMB owners rush to purchase the nearest cyber insurance policy, there are a few important considerations to bear in mind.
Rudis stresses that owners must view the purchase as a business decision, conducting a detailed analysis of the “diversity, volume and strength of cyber threats facing their company” before deciding whether the policy is worthwhile.
This includes understanding all of the company’s internal vulnerabilities, whether they are in their systems, applications, laptops and desktops, mobile devices or even within staff members themselves. Business owners should also perform a thorough analysis of the coverage and effectiveness of the defenses in place to fight these vulnerabilities, such as anti-virus, firewalls, secure coding practices, awareness training and advanced malware detection.
“That will give them an idea of their exposure, and help them decide what the mix of investment in their security program should be versus a premium spend on cyber insurance,” Rudis explains.
Even if an SMB purchases cyber insurance, the best policy will not be a replacement for good security practices, tools and controls. Indeed, by having effective defenses in place (some of which are discussed in our final section below), an SMB might be able to lower its premium and increase the likelihood of actually receiving a payout from its insurer. And of course, in the absence of cyber insurance, good security is even more essential.
To wrap things up, we investigated some of the other steps businesses can take to reduce their risk. Here, the results were fairly alarming—as is often the case when it comes to SMBs and cybersecurity.
For instance, while it is reassuring to see that 56 percent of SMBs encrypt their sensitive data, that still leaves 44 percent that do not. This is especially alarming given that, in many cases, encryption of sensitive data can reduce a business’s liability in the event of a breach to zero.
Meanwhile, although 29 percent of respondents outsource their company’s security to a professional managed security service provider (MSSP)—and are probably in better shape than those who do not—only 39 percent say they have security awareness training in place. Worse, only 25 percent have a breach response plan, leaving the majority completely unprepared to handle a data leak.
It is also interesting to see that 13 percent of respondents cite their business insurance as a defense against risk. As we pointed out earlier, this is often much less comprehensive than many SMB owners and managers think. However, even if an SMB owner does decide to purchase dedicated cyber insurance, careful scrutiny of the policies under consideration is still a must.
“Not all policies are created equal,” Rudis says. “Some insurers have so many caveats in their policies that [they] make the insurance almost worthless to an organization.”
As an example, Rudis cites an almost Kafka-esque clause found in some policies: If a company that accepts credit cards suffers a breach, then even if the business was certified as PCI DSS-compliant by an auditor prior to the breach, the mere fact that a breach occurred will be cited as evidence that the business was “obviously not PCI compliant at the time.” In these cases, says Rudis, it is likely that most policies won’t cover anything.
As well as looking out for such “gotcha” clauses, SMB owners need to navigate the complex array of items cyber insurance might cover. These include, but are not restricted to, incident-response costs, legal costs, notification and protection costs (such as identity theft and credit monitoring) and others. Deciding what mix of these protections an organization needs, says Rudis, can be quite difficult.
NSS Labs’ Braunberg suggests that SMB decision-makers focus on a combination of coverage that protects against liability, breach-response costs and penalties and fines.
“SMBs should start with coverage against third-party costs—that is, the costs that might be incurred if customer data was compromised,” Braunberg says. However, he notes that SMBs should not try to figure out the answers to such complexities alone.
Rather, he says, “SMBs should work with insurance carriers to identify the right combination of risk transfer (e.g., insurance) and risk mitigation (e.g., security technical controls) across their respective domains.”
Tom Firestine, managing principal at insurance firm Calculated Risk Advisors, has other advice: keep it simple. By not storing sensitive data such as customer credit card, birth date or social security information, SMBs can reduce their exposure to risk, and thus their need for coverage.
Since not all SMBs may be in a position to purchase cyber insurance, or find that the risk justifies the expense, we turned to the experts to get some advice for the uninsured. This advice also applies to those who do decide to purchase insurance, and are looking for ways to lower the cost of their premiums, or simply make their systems stronger.
Noor lists a few common-sense best practices to follow:
SMB owners and decision-makers should tread carefully before purchasing cyber insurance. The cyber-risks businesses face are real and numerous, but so are the complexities and exclusions in the policies that are on the market. In other words: Caveat emptor! (“Let the buyer beware.”)
In the meantime, however, businesses should seek to reduce their risk by other means, which include a good mix of best practices, training and tools. Although experts may debate the importance of cyber insurance for SMBs, nobody doubts that the consequences of a cyber-disaster can be lethal, particularly for smaller organizations.
To collect the data in this report, we conducted an online, mobile survey of 375 employees at U.S. businesses. We asked eight questions, and collected between 163 and 205 responses per question. All survey questionnaires undergo an internal peer review process to ensure clarity in wording.
Sources attributed and products referenced in this article may or may not represent partner vendors of Software Advice, but vendor status is never used as a basis for selection. Interview sources are chosen for their expertise on the subject matter, and software choices are selected based on popularity and relevance.
Expert commentary solely represents the views of the individual. Chart values are rounded to the nearest whole number.