American businesses were nearly one-third more likely to experience a data breach last year than they were five years ago, yet most were no more prepared in 2019 to respond to a cyber attack, much less recover from one, than in 2014. While business leaders today are more aware of cyber threats in theory, most small-to-midsize firms have not put strategic risk management into practice at the top level of the organization, opening the door to an increase in data breaches that smaller firms are often underinsured against.
According to cybersecurity reports from the Ponemon Institute, the Pew Research Center and others, 2019 was the year that data breaches began to disproportionally affect small businesses, with 60 percent of the breaches reported in the last year affecting companies with fewer than 500 employees. That’s a troubling statistic for two reasons.
First, small-to-midsize firms are less able to recover from the staggering costs of a data breach, which in 2019 averaged 8.19 million in the U.S. It’s taking longer to identify and contain data breaches, which only adds to the financial pain. And second, smaller firms are more likely to either not have cyber liability coverage at all, or to have minimal coverage policies that were not designed to protect against some of today’s more complex cyber threats.
The cyber liability insurance market is rapidly evolving in an effort to improve a product that most in the industry agree is too broad, with too many gaps, overlaps and exclusions in coverage. 2020 will bring modest rate increases in the five-to-10 percent range, along with growing pains, but good and necessary ones, as the cyber market looks to data analytics to improve underwriting and expand product offerings. Verisk, a data analytics provider, recently debuted an insurtech tool to give cyber underwriters what they’ve been missing all this time—solid data upon which to assess real risks and their actual costs.
Better underwriting should go a long way to addressing gaps in coverage on standard and package policies, many of which do not cover the costliest part of a cyber claim: business interruption and customer turnover. There are some things cyber policies may never do well, such as protect against social engineering, the cause of one in every five data breaches today. More than 70 percent of data breaches are the result of some kind of criminal activity, and while cyber insurers have developed solid programs for standard variety hacking and ransomware incidents, they’ve been reluctant to insure against criminal acts that required the assistance of a duped employee.
The good news for insureds is that the property and casualty market is getting better all the time at coverage specificity and multi-policy layering. Development of stand-alone cyber policies are leveraging strengths in two other lines of coverage: directors and officers (D&O), and crime. The latter, as it turns out, is often a better market for social engineering claims, just as the purchase of a D&O policy not only protects company executives in the event of a lawsuit, but also allows for better limits and retentions on the cyber policy.
From clever manipulation of technology vulnerabilities to ever new and creative means of capitalizing on human errors, today’s cyber criminals are essentially too smart to head off at every pass. Rather, there is a growing realization among insurers and risk managers that the best risk management strategy is to worry less about prevention and focus more on preparation. This approach, known as cyber resilience, is quickly becoming the cyber security strategy of choice.
Cyber resiliency tactics essentially prepare an organization to resume normal business operations in an ever-shortening time frame. The idea being that the more cyber resilient your organization is, the less time, money, and customers a data breach will cost. Over time, this approach could make inroads on reducing both the severity and frequency of cyber attacks. As one cybersecurity expert put it, “cyber resiliency robs cyber criminals of their ability to gut punch, and without that, they eventually become irrelevant.”
Four Steps to Become Cyber Resilient
Manage and protect network and information systems. Identify and assess data security risks. Upgrade and improve IT defense systems as necessary. Develop network security protocols and train employees to be consistent. Be stingy with regard to network access and build in safety redundancies. Encrypt company and client data.
Identify and detect. Test network security, defenses and access regularly, with vulnerability scans and penetration testing.
Respond and recover. Develop a business continuity plan that enables quick detection of a data breach, swift response time, and the appropriate court of action to keep operations on track
Govern and assure. Develop an enterprise risk management (ERM) program that places the impetus for cybersecurity at the executive level. Complete a detailed annual risk assessment and internal audit of data security measures, applications, systems, personnel and programs.
