As Cybersecurity Awareness Month is underway, it may be time for businesses – especially small- or mid-sized firms – to assess their understanding of current cyber risks and whether they’re adequately covered by a cyber insurance policy.
According to a Hiscox 2019 Cyber Readiness Report, the number of firms reporting cyber incidents has risen from 45% last year to 61% in 2019. 2019 is the third year that Hiscox has released its Cyber Readiness Report, and for the first time, the report found that a majority of firms surveyed said they experienced one or more cyber attacks in the past year.
Additionally, findings from the report show that the cost and frequency of attacks have increased when compared with last year, and small- and medium-sized firms are now equally as vulnerable as larger companies, which hackers have historically targeted.
“The impact is real,” Tim Francis, enterprise cyber lead at Travelers, told Insurance Journal earlier this year. “Sometimes people feel like, ‘Well, I’m a small or mid-sized company, and I’m not going to be a target.’ Because they read headlines about nation state actors taking down major corporations, it creates this culture where they think that they have to be a targeted entity.”
In fact, a Willis Towers Watson report on cyber insurance trends to watch in 2019 stated that mid-sized companies, which it defines as organizations with annual revenue of less than $1 billion, will continue to drive market growth in the cyber insurance space as they realize the threat and potential financial consequences of a cyber attack.
“Midsize companies can be prime targets for cyber attacks because they often lack the resources and protocols of larger firms to defend against them,” wrote Joe DePaul, National Cyber/E&O Practice leader for North America at Willis Towers Watson and author of the report. “For others, the menacing headlines alone are enough to drive them off the sideline and into the buying market.”
That said, The Travelers Companies 2019 Travelers Risk Index – which comprised 1,200 business leaders participating in an insurer-sponsored survey – found that although for the first time in the survey’s six-year history, cyber was named as the top concern among businesses of all sizes, only roughly half of surveyed participants reported purchasing a cyber insurance policy this year (51%), creating a business continuity plan in the event of a cyber attack (47%) or taking a cyber risk assessment for themselves (49%).
Francis said that while more businesses are taking steps to prevent a cyber event, “it’s still alarming that nearly half don’t have the proper insurance coverage,” Insurance Journal previously reported.
U.K. based data and analytics firm GlobalData stated in a recent report that where the uptake of cyber insurance is far lower than the percentage of business owners detecting a cyber breach, cyber risks could pose a threat even for insurers that don’t offer cyber insurance.
This could mean commercial insurance providers may be exposed to cover the cost of cyber claims on traditional policies such as business interruption, according to a report based on findings from GlobalData’s 2018 UK small- and medium-sized enterprises (SME) Insurance Survey.
“Even insurers not offering cyber cover could find themselves being impacted financially by having to cover the cost of cyber-related claims due to ambiguous policy wording,” GlobalData stated in the report.
It pointed to finance and insurance company AIG’s plans to transition toward affirmative cyber insurance as one strategy for clarifying how insurance policies cover cyber risks.
Indeed, from 2020, all of AIG’s commercial property and casualty insurance policies will affirmatively cover or exclude both physical and non-physical cyber risks, addressing concerns that traditional commercial insurance policies across the industry are often silent about cyber coverage, according to an AIG press release.
“AIG believes P&C policies globally should be clear about the cyber coverage they provide. For the most part, across the industry, typical P&C policies have not been written to adequately deal with cyber exposure,” said Tracie Grella, global head of Cyber Insurance, in the release. “As we shift to affirmative cyber coverages and exclusions, our clients can more closely consider the cyber peril they face and evaluate how that exposure impacts coverages and policies across their enterprise.”
For more than 20 years, AIG has offered specific, standalone cyber insurance products. As the cyber threat has grown in the last five years, AIG has been drawing on that expertise to provide more holistic cyber coverage for clients across standard commercial insurance lines and to incorporate affirmative cyber coverage into traditional property and casualty policies on a product-by-product basis, the release stated.
“Moves such as AIG’s transition towards affirmative cyber insurance will help ensure policyholders have a clear understanding of which cyber perils are covered through a commercial insurance policy that is not cyber-specific,” said Daniel Pearce, insurance analyst at GlobalData, in the GlobalData report. “This, in turn, will help businesses owners more easily identify the benefits offered by a specialist cyber insurance product.”
While ensuring proper insurance coverage in the event of a cyber incident is important, having a preparation and response plan in place is also a vital factor in building resilience.
Shawn Ram, head of insurance at Coalition, a cyber insurance company focused on small-and mid-sized businesses, said businesses need to start by understanding that it is their entire company that needs defending, not just their network.
“In this day and age, it is a rare business whose core operations are not dependent on technology,” Ram said in a Coalition press release. “A cyber incident can easily trigger many forms of loss from fines and penalties, to stolen funds, to ransomware extortions.”
He stated it’s important for businesses to focus on the basics: routinely patch software, use strong passwords and enable multi-factor authentication, particularly for email, among other strategies.
“By our estimates, enabling multi-factor authentication in front of email would have eliminated over 50% of the cyber insurance claims submitted by our policyholders,” Ram said in the release. “These practices, of course, should be accompanied by a coherent incident response plan and a comprehensive insurance policy to help the business remain resilient.”
Coalition announced in September that it is expanding its cyber and technology errors and omissions coverage — previously only available to companies with less than $250 million in revenue — to include middle market companies with up to $1 billion in annual revenue. Middle market companies now have access to Coalition’s cybersecurity tools as well as up to $15 million in coverage backed by Swiss Re Corporate Solutions and Lloyd’s of London.
As the month of October is Cybersecurity Awareness Month, be sure to check out Insurance Journal’s Research and Trends page for additional resources and information on all things cyber.
*This story ran previously in our sister publication Insurance Journal.