Author: John Farley
Gallagher's survey of 1,000 US business owners revealed a significant gap between the awareness of cybersecurity risks and the adoption of Cyber insurance coverage. Cyber risk is among the top concerns for those surveyed, with 74% expressing extreme or very high concern about the impact of a cyber attack on their business. However, only 39% of business owners surveyed said they've purchased a Cyber insurance policy, leaving a vast majority of their bottom lines exposed to the devastating effects of a cyber attack.
The survey participants included organizations ranging in size from one to more than 1,000 employees, with the median organization size ranging from 101 to 500 employees. These results amplify concerns, since companies of this size generally don't have the resources in place to defend themselves against hackers — especially hackers who are sophisticated and often launch attacks with the resource-rich backing of well-organized criminal enterprises or nation states, including Russia, China and North Korea.
It's hardly a fair fight: the defenders of networks need to win all day, every day; the hackers need to win just once, and then the game may be over for vulnerable businesses.
Businesses in the hacker crosshairs
A common misconception is that hackers generally target the larger, well-known name brand organizations, giving smaller business owners a false sense of cybersecurity. In fact, cyber claim studies dispel this myth. According to the NetDiligence® Cyber Claims Study 2022 Report,* small and medium enterprises with annual revenue of less than $2 billion accounted for 98% of all cyber claims. Of those claims, 149 claims had total incident costs that exceeded $1 million.
A notable takeaway from the survey: 60% of business owners with 100 employees or fewer said they were extremely or very concerned about cyber attacks affecting their business over the next 12 months. But despite this awareness of cyber threats, only 22% of these owners said they had Cyber coverage.
The challenges of today's Cyber insurance market
The Cyber insurance marketplace has undergone significant evolution in recent years. As a result, we saw changes in underwriting methodology, increases in premiums and modifications to policy language that sometimes lead to coverage constriction.
For many businesses, underwriters now demand minimum cybersecurity standards that may require a significant investment in resources. At the top of the wish list for many cyber underwriters are multifactor authentication, data backups, privileged access management, endpoint detection and response, patch management programs and incident response planning. Without these, applicants may be subject to higher premiums, offered lower policy limits, subject to co-insurance and exclusionary language and, in some cases, denied a policy altogether.
Strategies to navigate the Cyber insurance marketplace
For those businesses with Cyber insurance coverage, it's important to consider the free and discounted cyber risk services your incumbent cyber carrier may offer. Many provide scanning services, compliance help, incident response planning and other valuable resources to their insureds. Companies that leverage these services may be better prepared to prevent or mitigate cyber incidents and ultimately be viewed in a more positive light by underwriters during the application and renewal process.
To help prepare our clients, we developed the Cybersecurity Controls Checklist, which helps explain the controls that underwriters now expect to see when evaluating an applicant's cybersecurity posture.
In addition, it's important to continually focus on all areas of cyber risk management and dedicate significant efforts to thought leadership in this space. Focusing on the latest cyber attack techniques, prevention and mitigation best practices, compliance with regulatory requirements and the latest developments in the Cyber insurance marketplace is a good step toward protecting your business from cyber criminals.