Globally, ransomware and cyberattacks are on the increase, and criminals commonly target small and medium-sized businesses (SMBs) rather than global multinationals. The bigger firms know the cost of being attacked and spend a great deal on cybersecurity. By contrast, SMBs are easier targets: they don’t take threats as seriously and don’t spend a significant amount on securing their assets.
Criminal syndicates are well aware of this. Statistics reflect that in 2021, 68% of SMBs reported a cyberattack. Of these, 83% were not financially prepared: 50% suffered financial loss, 25% filed for bankruptcy and 10% went out of business.
These are alarming statistics and a reminder to SMBs that cyberthreats are very real and need to be treated as a liability. With the speed at which attacks are evolving, it’s no longer a question of whether an attack will happen, but when. This raises the question: how can companies be better prepared to defend against attacks and ensure any losses incurred are minimized?
Why cybersecurity needs to be considered a separate business liability
General and professional liability have traditionally been the standard forms of business insurance. With the increased threat of cyberattacks, it’s no longer enough to have cybersecurity written into those policies. The average cost to remedy a cyberattack is $2.98 million. Unless cyber cover is a clearly defined and separate policy, the cover offered under general business insurance won’t begin to meet those costs.
A cyberattack could come in a number of forms and require a host of services as part of the recovery. This may include:
- IT forensics to determine where and how the attack occurred and what data was impacted.
- Legal fees to manage resulting liabilities.
- Customer notification services to keep customers informed of the nature and impact of the breach.
- Media relations support to help a company manage any damage to their business reputation.
- Business interruption costs resulting from being locked out of systems.
- Bricking costs, where hardware assets need to be rebuilt or replaced because they no longer function as they should.
For businesses to have peace of mind and be able to go about their daily business, they need to understand what’s at risk and what actions should be taken to mitigate it. Most importantly, if they choose to take out cyber insurance, they need to understand what’s covered in their policy, what the insurer requires for a claim to be considered valid, and what the business’s responsibilities are in this regard.
Qualifying for cyber insurance:
Completing a cyber insurance application or questionnaire can be a lengthy process. Before accepting an application, insurers want to know what the business has in place to reduce its risk. There are typically four primary requirements insurers want to see before issuing a policy:
- Multi-factor authentication (MFA)
While most end users will complain about the hassle involved with MFA, it remains one of the most effective deterrents for cybercriminals. Statistics reflect that 97% of ransomware attacks can be thwarted by MFA. Criminals are typically looking for vulnerabilities that are easy to exploit so that they can gain access to systems; a stolen or guessed password alone is no longer enough when MFA puts an additional roadblock in the way that significantly complicates access.
- Off-site or cloud backup
Having a backup that is hosted on the same system or server defeats the purpose of having a backup, because an attacker who compromises or encrypts that system can reach the backup too. It needs to be hosted separately, either in the cloud or offsite. This reduces risk because the backup is not reachable from the compromised system and remains available for recovery.
- EDR, MDR or XDR
Endpoint Detection and Response, Managed Detection and Response and Extended Detection and Response work to continuously track system activity, log anything unusual and respond to it early on. It is a more advanced and proactive way to secure data and systems, and it greatly reduces the time that cybercriminals go undetected within a system.
- Governance, staff training and compliance
Lack of knowledge or awareness among employees is often the vulnerability that cybercriminals exploit. This can be mitigated by having documented cybersecurity policies in place and conducting regular training to ensure staff are aware of the need to follow them.
Additionally, having a documented Incident Response Plan, a Disaster Recovery Plan and a Written Information Security Policy, and maintaining good governance (including recording when staff training is done), shows insurers that a business is being proactive about cybersecurity. This not only improves the chances of obtaining cyber insurance but could also reduce premiums, as having these things in place helps reduce risk.
Cybersecurity insurance takeaway
Like most forms of insurance, cybersecurity insurance is not necessarily something a business wants to spend money on, but it is an important part of taking a stronger security stance. It’s the final line of defence that can ensure business survival when a cybersecurity incident occurs. The first two lines of defence are having the right cybersecurity tech stack in place and ensuring good governance and compliance. That is how SMBs avoid becoming easy targets for opportunistic cybercriminals.
The way cyberattacks are carried out changes on a daily basis as criminals seek out new vulnerabilities that will give them access to business systems. It’s not easy to keep ahead of all the different types of threats, but having a solid cybersecurity posture does give businesses a better chance of defending against them and minimizing the damage.
To learn more about insurability for cybersecurity, watch a recent AMA session with Larry Meador from DataStream. In the AMA, he discusses how insurers look to reduce risk and what SMBs need in order to obtain cyber insurance. It’s an insightful discussion that is well worth listening to and highlights the need to be proactive about cybersecurity.
To understand more about what cybersecurity tools and technologies help meet the requirements for cyber insurance, reach out to Logically at marketing@Logically.com