Small Business Risks in a Cyber World – Why Main Street Needs to Lean on Insurance Partners
When it comes to cyber security events, “hours make a difference, let alone days” in terms of response time, according to Tim Francis, enterprise cyber lead at Travelers. For small and mid-sized businesses, formulating a cyber response plan can be a challenge without the right insurance coverage, education and resources, he told Insurance Journal.
“If you have an event, and you’re a small business…that not only doesn’t have insurance, but doesn’t have access to the network of professionals that an insurance carrier would have, [it] means you’re really going to be behind the eight ball,” he said.
Francis was a panelist at the 2019 PLUS Cyber Symposium held February 6 and 7 in New York City, during which a group of panelists discussed challenges and opportunities around cyber insurance for small and mid-sized businesses.
“The impact is real,” he said. “Sometimes people feel like, ‘Well, I’m a small or mid-sized company, and I’m not going to be a target.’ Because they read headlines about nation state actors taking down major corporations, it creates this culture where they think that they have to be a targeted entity.”
With this in mind, Francis stated he believes a culture shift needs to happen in which small companies can better understand they are perhaps more vulnerable to cyber attacks than large companies. This is because smaller organizations may lack the financial and personnel resources to secure their systems and react to an event if one occurs. This shift, Francis said, can start with the cyber insurance industry.
“Small business owners don’t often just know [cyber insurance] as well as they would know some other lines of coverage, because it’s new, and because they’re trying to run a small business,” he said. “I think once a small business is educated on the fact that cyber insurance exists in the first place, has a familiarity with what it does and maybe, more importantly, understands that there are coverages that are designed for small business, then I think they really see the value.”
PLUS Cyber Symposium panelists agreed.
“I think having the conversation [is important] and not just saying, ‘Here’s this insurance policy. This is what it does. Have a great day. We’ll talk to you in a year at renewal,’” said Adam Abresch, vice president of Cyber Risk at Acrisure. “I don’t think that delivers a lot of value.”
Abresch added that the cyber insurance industry should be helping clients understand what to do when a breach happens and walking them through that process ahead of time.
“When a breach strikes, that’s chaos,” Abresch said. “That’s not the time to figure out what to do. That’s the time to execute on a plan. As a broker, I try to effectively communicate how to respond.”
Indeed, Francis said that having a cyber insurance policy in place is often less about the capacity to tap into a pool of money and more about the ability to tap into a pool of resources.
“I guarantee you that if we look across anyone’s portfolio of business in a small or mid-sized space, those companies don’t already have on retainer a forensic investigator and breach notification system and wouldn’t know where to begin if that happened,” he said. “So the value of insurance is not only what should the response be, but to understand and truly appreciate that when an event takes place, there is probably little chance their staff will be equipped to handle it.”
In a recent interview with Insurance Journal, James Burns, cyber product leader for CFC Underwriting, echoed the idea that the conversation around small businesses’ lack of understanding of cyber insurance needs to start with those in the industry.
“I guess that’s on us — the cyber insurance industry,” he said. “We need to still do an even better job of articulating how our products and how our proposition relates to small businesses. We have a lot of small businesses that still aren’t sure of what a cyber policy actually does.”
Burns added that as cyber attacks among small businesses have skyrocketed over the past two years from a frequency and severity standpoint, they are costing more money for small and mid-sized businesses.
“We just need to do a better job as an industry — cyber insurers in particular — at articulating what threats are facing small businesses from a cyber perspective, and then how cyber insurance can help protect against those threats,” he said.
Types of Threats
As cyber attacks become more sophisticated, Sian Schafle, partner at Mullen Coughlin, stated during the PLUS Cyber Symposium panel discussion that the attacks are less about information and more about opportunity.
“You may not be targeted because you have certain data,” she said. “You may be targeted because there’s an opportunity to get into your network and have somebody fall victim. The types of attacks have really increased in sophistication over the past few years, and we see the small and middle market organizations being the ones that struggle the most with defending against those attacks.”
Abresch added that, increasingly, a single attack is created by a hacker with the purpose of being distributed to a large number of people.
“Hackers are lazy to a degree,” he said. “It doesn’t necessarily matter to them which company it is, and a lot of the tools that are being used now to assess a company’s cyber posture and see where there are weaknesses and strengths are openly available. So if the good guys can do that, so can the bad guys.”
Francis stated that for small businesses, attacks are most often a result of employee error, which runs the gamut of not installing a computer patch, falling for a phishing email or even taking work home where it is susceptible to being misplaced or stolen.
Within the context of business email compromise, Schafle added attackers will run search terms within a compromised email account in order to identify the target and the tone of typical conversations to create a fake email that seems real.
“We see some organizations not really appreciate the incident they had,” she said. “We’ll get on the phone, and they’ll say, ‘Yeah, someone hacked into our email account, but we don’t have any protected information. There are no socials.’ I can tell you I’ve never had a business email compromise case that came back with no protected information in the email account. There’s usually something. But you have organizations that don’t appreciate what they experienced and what is required, and they’ll stick their head in the sand and do nothing.”
Panelists agreed that the solution will come through a culture shift in which small and mid-sized companies begin to realize the attacks can happen to them and be just as severe as when they happen to a much larger organization.
“In many of these cases, it’s not personal,” Francis said. “No one actually even cares necessarily who you are. They’re just the bad guys and are just trying to get someone to open that email. They’re just as happy to take company A’s money versus company B’s money, and they’re certainly happy to take from both.”
Incident Response
For smaller organizations, the challenge with incident response when a breach occurs is primarily around time and resources, panelists stated, adding that this is where the insurance industry should step in yet again.
“Probably the most important thing is not only understanding the vulnerabilities in terms of, ‘If an event happens, what’s going to be the impact?’ But also understanding basic incident response, such as, ‘Should an event happen, what do you do next?’” Francis said. “Part of an insurance program is also providing access to some of those services that can help develop incident response plans, follow templates or engage with consultants.”
Francis added that it can be unrealistic to expect smaller organizations to have the appropriate knowledge of cyber insurance and how to create a response plan, where to start or even what questions to ask.
“They should understand that’s okay, and there are resources out there that can help them with that,” Francis said. “One of the virtues of being a small business is while they might not be fully aware of their exposures, it’s okay to have a plan that’s proportional and reasonable for their own business. They don’t necessarily have to have the same level of an incident response plan that a large company might have. They’ve just got to put a plan in place that’s appropriate for their organization.”
Francis said that in many cases, a small business’ incident response plan can simply be to call its insurer.
“I would be happy in many cases if their incident response plan was, ‘I have a number I know I can call, and things will begin to happen,’” he said. “Sometimes, I would say small businesses are actually better in an event because big companies tend to think they can solve it themselves because they have IT staff, they have resources, and that almost always goes wrong, but it takes a while for them to appreciate how wrong that’s going.”
Small to mid-sized companies, however, are more likely to admit they need someone to help and to bring in people who know what they’re doing and do this every day, he said.
Burns added that this type of response once again points to the role of the insurance industry in managing cyber risk and educating small and mid-sized companies about the space.
“The small businesses do tend to lean on their insurers a little bit more for advice, for risk management, for preloss services in terms of things like formulating a response plan, and that’s absolutely fine,” Burns added. “That’s what we’re here to do. Those are the tasks we’re here to perform as cyber insurers.”