Do small businesses need to invest in cyber insurance?

Cyber insurance can limit the damage—but it can’t prevent the attack.

With online attacks aimed at businesses increasing exponentially in recent years, more and more companies are looking at purchasing cyber-liability insurance, which explicitly covers losses in the event of a cyberattack.

For a long time, many small- and mid-sized businesses (SMBs) eschewed purchasing this type of insurance, believing that cyber criminals targeted only big companies. However, as more of these black-hat hackers move downstream to what they see as easier pickings, SMBs must consider whether this type of risk protection is necessary, and how it might help.

“Cyberattacks and data breaches are expensive and increasingly common, particularly for a small business like ours,” says Barbara Karasek, CEO and co-owner of Paradise Advertising and Marketing of St. Petersburg, Florida. “Small businesses often have weak cybersecurity, which makes them an attractive target.”

While Karasek feels confident in her business’s cybersecurity team and protocols, thousands of other SMBs have not done their due diligence.

Jim Trainor, senior vice president of Aon’s Cyber Solutions Group, points out that ransomware threats, in particular, are on the rise, with cyber-criminals holding data hostage for hundreds or thousands of dollars per incident. “The ransoms have escalated,” Trainor says. For businesses, “the question is whether to remediate or negotiate.”

Trainor, a 16-year veteran of the FBI, points out that when a business cannot even use its IT systems because of a hacker attack, it’s a “business continuity” struggle, especially for SMBs.

Cyber insurance is about recovery, not protection

Ransomware attacks on businesses of all sizes have surged, along with the premiums on cyber insurance, forcing owners to consider whether insurance policies could in fact reduce the financial impact of these intrusions. “Cyber-insurance can provide some comfort in recovering your business from a security incident, but using it as an excuse to avoid other security best practices is a mistake,” says Tyler Healy, vice president of security for DigitalOcean, a New York-based cloud infrastructure firm.

“Cyber insurance is not a protection, it’s a recovery mechanism,” Healy adds. “The juncture at which it makes sense to invest in a cyber insurance policy will depend on the type of business, the number of employees, the connection linking technology to revenue, and whether investment in security protections will mitigate a greater amount of risk as a first-step investment.”

For example, if you’re running an interior design business, “invest in simple protections like anti-virus, and backups of your CAD files before you look at cyber insurance—but you’ll probably want cyber insurance before employing a full-time security professional,” Healy says. Whereas, if you’re building the next “cloud-based photo sharing startup, investing in a security team first is a better bet” than cyber-insurance because technology is the service that’s being sold.

What types of data does your small business store and where does it live?

Sofya Pogreb, chief operating officer for NEXT Insurance, says that when evaluating insurance needs and determining if cyber insurance is necessary, “small business owners should ask themselves what types of data they store and where it lives. Any business that uses a computer [or] mobile phone, accepts credit cards, or that stores sensitive data in the cloud or on an electronic device should have cyber liability insurance.” Sensitive data might include information about customers, employees, or the finances of the business.

“With more small businesses embracing digital practices, the importance of cyber insurance for SMBs will only continue to grow,” she adds. “As a small business owner, you may think that you are immune to cyberattacks—but that isn’t the case.”

Aside from direct assaults, SMBs that do business with larger enterprises also must consider the security compromises that simply use them as a stepping stone to larger online prey. Case in point: The infamous 2014 breach of Target’s systems, which arguably brought cybersecurity issues to a mainstream audience; the attackers accessed the retailer’s systems by first breaching a vendor who simply provided HVAC services to Target.

“While large organizations have used cyber-insurance for nearly two decades to transfer risk, evolving attack campaigns are placing the SMB market clearly in the crosshairs,” says Joseph Krull, senior analyst in cybersecurity for Aite-Novarica Group. He points to ransomware groups like REvil and Darkside that now license their ransomware tools to affiliates and take a share of the ransoms collected. “As more affiliates lease the tools and mount their own campaigns, these affiliates are achieving economies of scale by attacking large numbers of organizations of all sizes.”

New vulnerabilities for small companies

Michael Del Giudice, principal consultant in the cybersecurity practice at Crowe LLP, says that cyber-insurance is not a “magic bullet—nothing can be 100% secure.” But it does provide ways to effectively cap the losses from cyber attacks.

According to the Mid-Year 2021 Cybercrime Report released by security software firm Sontiq in July, “small business threats is the leading cybercrime trend in the first six months of this year, and the one that poses the greatest risk to consumers.”

The quick transition to remote work in the wake of the pandemic seems to have exacerbated the threat. “Cybercriminals seized on new vulnerabilities created by remote work and the general chaos of the pandemic. Small businesses, in particular, were not as well-equipped to fend off cyberattacks,” Jim Van Dyke, senior vice president of financial wellness at Sontiq and a former advisor to the Consumer Financial Protection Bureau, said in a release. “Most people do not realize how dangerous these small-scale data breaches can be.”