Legislation Highlights Why Cyber Market Should Keep Watch on Small Business Risk

August 19, 2019 by

The 2018 Verizon Data Breach Investigations Report cited that 58% of cyberattack victims were small businesses, and the 2019 Symantec Internet Threat Report™ stated that employees working at small businesses were “more likely” to be targeted by email threats (e.g., malware, spam, phishing) than those employed at larger companies.

Acknowledging this growing threat, the Small Business Development Center Cyber Training Act was recently passed by the U.S. House of Representatives. A companion bill is awaiting a vote in the Senate. The legislation would require counselors at small business development centers to be certified in cybersecurity to assist small businesses in preventing and responding to cyberattacks. It’s not a question of if, but when, a small business will be attacked, making this segment a bit of a paradox as it now represents one of the largest growth areas in the cyber insurance industry. Why is that the case?

Carriers, managing general agencies, and brokerage firms have flocked to small business not solely because of its substantial pool of currently uninsured risks, but because it is perceived as an area less exposed to aggregated, large loss. Bottom line, these organizations are viewed in the insurance world as safe.

The insurance policies for the small business segment have very quickly become robust, offering many of the expanded coverage grants that large, sophisticated cyber insurance buyers have pushed the market to provide. In contrast to those larger entities, however, small businesses almost universally lack the security awareness and preparedness of their larger brethren.

The Keeper Security/Ponemon Institute SMB Report cites that 54% of small-to-medium-sized businesses believe their companies are “too small” to be ransomware targets, and Continuum’s 2019 Small Business Cyber Security Report stated that 62% of SMBs do not have the in-house skills to properly manage cybersecurity. These businesses rarely have dedicated security personnel, and their management is relatively less focused on cyber exposure. Nevertheless, they are benefiting from an insurance industry rabid for growth.

In addition to overzealous coverage expansion, policy limit grants are generous, premiums are artificially depressed, and carriers are driven to operate with minimal underwriting data if they want to gain market share in this segment. Admittedly, the quality of the underwriting data gathered wouldn’t improve substantially even if carriers were able to ask for more underwriting information, as small business owners typically don’t employ staff who can respond properly to probing questions regarding their company’s security posture.

Most of these organizations are not familiar with how much data they have, or how it is stored (which makes it difficult to secure). They will frequently purchase the basics of a firewall and anti-virus, but my experience suggests that their security configurations aren’t necessarily optimized. Even if well-configured, those technologies are from a previous generation of security, when the focus was keeping bad actors out of your network (most security professionals acknowledge the battle for the perimeter is lost). Generally speaking, the majority of these businesses have almost no advanced detection or response capabilities, and they lack a team of security professionals monitoring their network activity. Simply put, most small businesses aren’t adequately armed for today’s cyber battlefield.

This view isn’t intended as an affront to small business. These organizations often survive in large part due to tireless effort on the part of their ownership and staff, consistent and dedicated control of their expenses, and entrepreneurial spirit; they care deeply. They just don’t have the bandwidth or the budget to make cybersecurity a primary consideration for their businesses. They lack the resources to compete for top talent in a highly competitive cybersecurity job market (and there are not enough of these professionals to go around). Few, if any, have the time to navigate through the ever-expanding landscape of security products, or the staff to optimize their implementation (an IT professional is not synonymous with an IT security professional). And, more often than not, these businesses have neither robust security training nor tracking programs in place.

The result is that small businesses are extremely susceptible to ransomware and other social engineering-originated attacks. Moreover, they are disproportionately exposed to large-scale attacks such as WannaCry or NotPetya, the likes of which are only in their infancy. They will be least resilient, relative to their larger peers, in the event of an attack.

InsuranceBee’s Cyber Survey reported that 83% of SMBs did not have the budget to recover from the after-effects of a cyberattack. On balance, small companies are more susceptible to losing income as they don’t have dedicated failover sites, or robust testing of Business Continuity or Disaster Recovery Plans (if they even have such plans). After an attack occurs, most of these organizations do not have pre-established security vendor contacts at their disposal who will swoop in post-incident to minimize the impact of a breach or attack. While the quantum of loss may be much lower for smaller entities, the potential for widespread impact and disparity between premium collected and capacity exposed is much greater.

That the government is considering several bills aimed at improving small business cybersecurity, such as the Small Business Development Center Cyber Training Act, publicly acknowledges that these businesses represent a massive area of economic exposure and are in dire need of improvement. This isn’t, or shouldn’t be, news to the insurance industry. The white-hot market for this segment, however, suggests otherwise.