To Cover or Not to Cover: The Cyber Liability Insurance Quandary Facing Small- and Medium-Sized Businesses
Much has been published about how the demand — and subsequent cost — for cyber liability insurance has skyrocketed in line with the growing number of cyberattacks. Recent research suggests that some businesses, particularly small to medium-sized ones, are terminating their policies altogether due to budget constraints. But what are the risks of this approach?
Here, we provide guidance for firms that have already, or are currently considering, taking the ‘no cover’ path.
The state of cyber liability insurance
The topic of cyber liability insurance is full of datapoints, statistics and graphs all showing upward trajectories. Whether that’s the number of global incidents and overall cyberattacks, the amount of insurance claims, the pricing of cyber insurance products, the general rise in firms applying for policies — the only way is up.
However, one statistic that has come to light recently concerns the proportion of companies discontinuing their current level of cover. According to Spiceworks, ‘due to budget constraints, about 30% of small and medium-sized businesses (SMBs) discontinued their cyber insurance contracts in 2021’.
This is doubtless a symptom of the soaring cost of cyber liability insurance cover, twinned with an increasingly precarious economic landscape that is hitting SMBs in particular. Tech Wire Asia reports that premiums could be expected to reach anywhere between US$500 million and US$1 billion by 2025. And while budgets are being stretched every which way, the short- and long-term knock-on costs of defending against and recovering from a cyberattack can far outweigh preventative up-front costs.
Of course, insurance cover is not the only measure that can be taken. Ideally those firms that have discontinued their policies are barricaded well enough to weather potential cyber storms through their own procedures, policies, and people in place. However, research suggests otherwise. Security Magazine reports less than 10% of companies with fewer than 50 employees have dedicated financial resources for cybersecurity.
There are of course some measures that SMBs in particular can — and really should — employ to protect themselves:
1. MFA is a necessity, not a luxury
There is a good reason that nearly every cyber liability insurance carrier requires multi-factor authentication (MFA) and why, according to wholesale specialty insurance distributors CRC Group, clients without MFA risk non-renewal or a retention hike of 100% or more. MFA has proven to be a strong preventative strategy against stolen credentials and brute-force attacks.
But MFA should not only be viewed as a prerequisite for obtaining cyber liability insurance. By verifying your users’ identities before they access your network, two-factor authentication protects your applications and data against unauthorized access — something that makes sense whether you take or leave cyber liability insurance cover. In this day and age, MFA should be looked at as a cost of doing business — not an optional extra.
Questions to ask when selecting an MFA solution should be:
Can the solution protect against unauthorized access and provide visibility of users and devices in your environment?
Is the solution compatible with remote work and cloud applications?
Does the solution work with both modern and legacy systems?
For more on how to evaluate MFA solutions, check out our evaluation guide.
2. Think like an insurer
If the decision has been made not to apply for a policy or renew an existing one, but cyber security is still a concern for the business, it's worth going over the same questions that an insurer may ask and having a robust answer ready and a plan in place to mitigate potential risks.
Earlier this year, we held a webinar with CyberCube, a provider of data-driven cyber risk analytics for the insurance industry, in which its former head of cyber intelligence Darren Thomson shared insight into the topics insurers are prioritizing. One of the key areas he zoomed in on was why organizations should be doubling down on protecting themselves from ransomware attacks.
He states that five or six years ago, ransomware attacks demanded an average of $500 and targeted consumers rather than enterprises, whereas ransom demands can now sometimes reach tens of millions of dollars. “That has driven insurers to harden the market and to be in a situation where they really want to understand what the risk of ransomware is to their potential client before they underwrite a policy.”
Thomson outlined how the best practices of five years ago still tend to be the best practices now, advising firms to: “go through traditional means to mitigate the ransomware risk. What are you doing about backups? How are you protecting your endpoints? Are all of your network ports closed?”
As outlined in our ebook Protecting Against Ransomware: Zero Trust Security for a Modern Workforce, zero trust is a security model built on the principle of “never trust, always verify.” It can help organizations proactively implement best practices known to protect against cyberattacks, including ransomware — whether there is a cyber liability insurance policy in place or not.
3. Ensuring minimal rough patches
Another key area of investigation for insurers, when deciding how much to charge for coverage, is how exposed a firm is to software exploits if patches are not rolled out when needed. This is because unpatched vulnerabilities remain a primary and consistently exploited ransomware attack vector. So making sure patching is managed effectively — even if a company does not apply for or renew cover — also makes business sense.
But ensuring all systems, computers, applications, and software within your firm are as current as possible is difficult to manage, especially considering the amount of technical debt held at many firms. Findings from McKinsey estimate that technical debt amounts to 20 to 40 percent of the value of firms’ entire technology estate before depreciation, and 60 percent of the CIOs McKinsey surveyed felt their organization’s tech debt had risen perceptibly over the past three years.
The best way to defend your organization in these cases is to put in place a system that warns you when your software is out of date, requires software updates before allowing access, and even blocks access from devices that don't meet your organization's requirements.
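The three-tier behaviour described above (warn on stale software, require an update before access, block non-compliant devices) can be modelled as a small device-posture policy. The following is an added example written for this article; it is not code from the article, from Duo or from any product it mentions. The device attributes (os_version, last_patch_days, disk_encrypted), the policy thresholds and the sample fleet are all constructed for illustration.

```python
"""Device-posture gate: warn on stale software, block non-compliant devices.

Added example, not code from the original article or any vendor product.
The attribute names (os_version, last_patch_days, disk_encrypted) and the
policy thresholds below are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"   # device meets every requirement
    WARN = "warn"     # software out of date but inside the grace window: allow and nag
    BLOCK = "block"   # a hard requirement failed, or the grace window was exceeded


@dataclass(frozen=True)
class Policy:
    minimum_os: tuple            # lowest OS version allowed, e.g. (13, 4)
    max_patch_age_days: int      # start warning once updates have been pending this long
    grace_days: int              # extra days of WARN before the device is blocked
    require_disk_encryption: bool = True


@dataclass(frozen=True)
class Device:
    name: str
    os_version: str              # dotted version string as a device agent would report it
    last_patch_days: int         # days since the device last applied an update
    disk_encrypted: bool


def parse_version(text: str) -> tuple:
    """Turn '13.4.1' into (13, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def evaluate(device: Device, policy: Policy) -> tuple:
    """Return (Decision, list of human-readable reasons) for one device under one policy."""
    reasons = []

    # Hard requirements: any failure here blocks regardless of patch freshness.
    if policy.require_disk_encryption and not device.disk_encrypted:
        reasons.append("disk not encrypted")
    if parse_version(device.os_version) < policy.minimum_os:
        minimum = ".".join(str(n) for n in policy.minimum_os)
        reasons.append(f"OS {device.os_version} below minimum {minimum}")
    if reasons:
        return Decision.BLOCK, reasons

    # Soft requirement: stale patches warn first, then block once the grace window is used up.
    overdue = device.last_patch_days - policy.max_patch_age_days
    if overdue > policy.grace_days:
        return Decision.BLOCK, [f"updates {overdue} days overdue, grace window exceeded"]
    if overdue > 0:
        return Decision.WARN, [f"updates {overdue} days overdue, update required before grace ends"]
    return Decision.ALLOW, []


def evaluate_fleet(fleet, policy: Policy) -> dict:
    """Map each device name to its access decision, for a dashboard or report."""
    return {device.name: evaluate(device, policy)[0] for device in fleet}


# Constructed policy: OS 13.4 or newer, updates within 30 days, 14 days of grace.
POLICY = Policy(minimum_os=(13, 4), max_patch_age_days=30, grace_days=14)

# Constructed sample fleet covering each outcome.
FLEET = [
    Device("laptop-01", "13.4.1", 5, True),    # compliant
    Device("laptop-02", "13.4.1", 35, True),   # 5 days overdue, inside grace: warn
    Device("laptop-03", "13.4.1", 60, True),   # 30 days overdue, past grace: block
    Device("laptop-04", "12.9.0", 3, True),    # OS below minimum: block
    Device("laptop-05", "13.4.1", 3, False),   # disk not encrypted: block
]

if __name__ == "__main__":
    for device in FLEET:
        decision, reasons = evaluate(device, POLICY)
        detail = f" ({'; '.join(reasons)})" if reasons else ""
        print(f"{device.name}: {decision.value}{detail}")
```

Hard requirements (minimum OS, disk encryption) block immediately, while patch staleness degrades from allow to warn to block over a grace window, which is the "warn first, then require the update" behaviour the paragraph describes. Versions are parsed into tuples so that 13.10 is correctly treated as newer than 13.4.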
Next steps for small- and medium-sized businesses
If firms address the three areas mentioned above, they will be well armed against a good proportion of the threats facing SMBs today. This proactive defense is especially crucial if a firm has decided to opt out of cyber liability insurance cover. In the long run, a solid cyber security practice could also bring premiums down, giving the company a ‘belt and braces’ approach.
For more on this take a look at our guide: How Cyber Insurance Can Be a Lifeline in Today’s Evolving Threat Landscape.