The risk of a cyberattack is a leading concern for a majority of business owners, yet many have not taken some of the key steps needed to prevent or respond to a cyber incident, according to a new survey of business leaders. The Travelers Risk Index, an annual report that studied more than 1,200 business decision-makers, found that cyber risks ranked third among respondents' top concerns, following medical cost inflation and broad economic uncertainty, Insurance Journal recently reported.
“It is a good sign that more business owners are worried about this,” said Allison Arnold, Broker, Professional Liability, Burns & Wilcox, Indianapolis, Indiana. “It is concerning to me when they are not taking the steps to protect their business or community while knowing the risk is out there. That is alarming.”
The survey results also show that many businesses do not have Cyber & Privacy Liability Insurance to protect them in the event of a cyber incident. According to the Travelers report, 66% of small businesses do not carry the coverage, compared to 26% of mid-size businesses and 28% of large businesses.
“A lot of business owners are asking about it. They are aware of the risks and they see these incidents out there, but there may not be a lot of drive to buy it because they think they are just not going to get hit,” said Arran Auld, Broker, Professional Liability, Burns & Wilcox, San Francisco, California. “Others buy the cheapest policy available and are not looking at the coverages, but just trying to get it in place.”
Risks grow as cybercriminals get more advanced
According to the U.S. Government Accountability Office, most types of cyberattacks — and their costs — are on the rise in the U.S., with business email scams, data breaches, and ransomware among the most common types of reported cybersecurity incidents. Global cyberattacks increased 38% between 2021 and 2022, Security magazine reported in January, and the cost of cybercrime worldwide is expected to grow nearly 70% between 2023 and 2028 to a total of $13.82 trillion, according to Statista. In Canada, a recent survey of IT security professionals found that fewer overall cyberattacks took place in 2023 compared to 2022 but that total breaches were up 130% and denial of service attacks climbed 30%, CTV News reported in June.
“It is not slowing down,” Arnold said. “The frequency of cyber claims is increasing as well as the severity. It is definitely not going anywhere.”
Cybercriminals and their tactics are “constantly evolving,” Arnold explained. “In the insurance space, we have to constantly evolve as well to address the concerns that are happening in real time,” she said. “We are seeing a high frequency of incidents.”
Cybercrime-related insurance claims seem to be happening more frequently, Auld agreed, and cybercriminals are getting “more advanced” by the day. “The risk is always changing,” he said.
When a company is targeted in a cyberattack, its Cyber & Privacy Liability Insurance can help pay for the immediate response to the breach — including investigation, negotiating ransomware payments, getting systems back up and running, and notifying affected customers — as well as costs like loss of business income while systems were down or legal defense in the event the company is sued due to the breach.
These policies can also provide risk management consulting services to help companies lessen their risk of a cyberattack — a benefit that some business owners may not realize is included, Auld said. “The insurance carrier does not want them to have a claim and will give them the resources to put them in a better position and strengthen their IT network,” he said.
Small businesses could be most vulnerable
Both individuals and businesses need to take cyber risks more seriously, Canada’s cybersecurity chief Sami Khoury said in September during an international cybersecurity summit, where he called for greater cybercrime prevention collaboration between the U.S. and Canada, CBC reported Sept. 9. At the summit, Khoury also pointed to the unique cyber risks faced by small and mid-sized businesses, which “play an important role in society” and could be more easily exploited if they do not have the cybersecurity infrastructure of larger firms.
“The mid- to large-sized businesses truly have a better grasp on this risk in our society right now, and they have the budget to be able to afford the premiums on the policies and the infrastructure to better protect their businesses,” Auld said. “They can beef up their security. Unfortunately, it kind of circles back to the small, mom-and-pop shops.”
In addition to potentially having fewer defenses in place, some small business owners may not feel they are at risk, Auld added. “They just do not think they are going to be a target,” he said. “Especially if they are contracting with larger companies, they may be a target just because of that.”
Last year, one study showed that small businesses were three times more likely to be targeted in cyberattacks than larger companies, Forbes reported in March of 2022. In April of this year, Axios reported that 43% of all cyberattacks targeted smaller businesses and that breaches affecting smaller companies often go unreported.
“Cybercriminals really know that those types of entities do not typically have the infrastructure in place or the budget to really focus on that, so they go after them and target them frequently,” Arnold said. “The cybercriminals know that about their businesses.”
Still, even larger companies are not taking all the steps they could to prevent a cyberattack. Pointing to the Travelers report's finding that half of all business leaders surveyed did not have a cyber incident response plan ready, Arnold added, “that is not a good percentage. They may view cyberattacks as a high risk but they are not always implementing tools to help protect their business.”
Those steps are critical, Auld said, especially given the damage a cyberattack can do to a business even with Cyber & Privacy Liability Insurance in place. “If they are under a cyberattack, they are not going to be able to do anything else until it is resolved,” he said, noting that many insurance policies have an eight-hour waiting period before loss of revenue is covered. “The consulting that the insurance carrier provides to the client can help them get their best practices in place to keep them from having another claim or having a claim at all. Some businesses buy a policy simply for that benefit.”
Contractual requirements, checking policy
Reports of cyberattacks make regular headlines in the U.S. and Canada, with recent incidents including a cyberattack against a health system in Connecticut that exposed the personal information of more than 24,000 employees, and a hacker group in India that targeted multiple governmental websites in Canada. The more these types of incidents appear in the news, the more likely business owners are to consider their own vulnerabilities and look into Cyber & Privacy Liability Insurance, Auld said.
“When it is in the news on a regular basis, they start to see the threat and then they start buying the coverage,” he said, comparing it to the way more employers now recognize the need for Employment Practices Liability (EPL) Insurance. “That is kind of where we are at with cyber.”
Contractual requirements are also driving more businesses to purchase insurance, according to Auld. “I am seeing more and more where they are being asked to carry the coverage,” he said.
Business owners should know that although they may have a small sublimit for cyber liability under other business policies, this limited coverage would not be comparable to a standalone Cyber & Privacy Liability Insurance policy, according to Arnold. “A lot of times it will be a very small dollar amount,” she said. “It is not going to be enough to help them out of the situation and it is not going to have as robust coverage as standalone policies. It is also not going to include the expertise of a cyber carrier.”
With Cyber & Privacy Liability Insurance, Arnold said, “it is a lot more than the money to bring you back to whole.” This includes the help of experts who can assist with forensic investigations, setting up a call center to notify customers, and following each state’s notification requirements. “Each state has different laws and you have to abide by those laws and regulations for each state,” she said. “As a business owner, you probably do not know those laws and timeframes. That is just one piece of expertise the policy includes.”
When buying a policy, it is important to work with a specialized insurance broker who can walk you through the options. “There are so many forms out there, and they are not all the same,” Auld said. “Having someone working for them who understands the coverage, their exposures, and the policy forms is important.”
Without the right coverage, a cyber incident “can be very detrimental to a small business,” Arnold added.
“A business could be taken out if they do have a cyber incident,” she said. “The cyber criminals may try to wreak havoc on your company. I do not know very many small businesses that can come back from that on their own. For the small business owners that think maybe they cannot afford it, premiums are competitive at the moment. I would encourage them to try to work it into their budget because it could be really detrimental to have an incident and not have that support from a cyber policy.”