Cybercrime risks are adversely affecting all business large and small, especially smaller organizations that have taken only minimal, if any, steps to mitigate this risk.
It’s reported that 90 percent of all cyberattacks are successfully executed with credentials stolen or socially engineered by employees. Here are some additional data to digest:
• Forty-seven percent of small businesses suffered at least one cyberattack during 2017.
• Of this 47 percent, only 35 percent took any action to mitigate this risk.
• Of 44 percent of small businesses that sustained a cyberattack in 2017, most experienced two, three or four additional attacks.
The startling data are from a 2018 study “Hiscox Small Business Cyber Risk Report,” which also found:
• Only 52 percent of small businesses have a clear strategy concerning cybersecurity, despite two-thirds of all small-business owners surveyed reported cyber-risks as a top concern for potential business impact during 2018.
• Only 21 percent of small businesses have a specific cybercrime insurance policy (compared to 58 percent of larger entities)
• Only 32 percent of small businesses have simulated phishing experiments to assess employee behavior and readiness in the event of a cyberattack.
Roughly half of the firms interviewed blame costs for their failure to address cyber-risks. Yet the study reported that cybercrime risk management steps are neither complex nor costly. They typically include:
Risk identification: Include intrusion detection and on-going monitoring on all critical networks.
Risk control: Create a plan for all incidents — from detection and containment to notification and assessment.
Risk finance: Insure such risks with a specialized standalone cyber policy.
Management of this risk is minimal in cost, yet costs incurred when a cyberattack occurs are very high. During 2017, Hiscox reports such losses sustained by small businesses averaged $34,604. Larger organizations (1,000 or more employees) reported an average of $1,050,000 during 2017.
Proper transfer of cybercrime property and liability risks to a commercial insurance is complex — too complex for this space. However, your insurance broker can guide you through this maze to an effective solution.
There is no “standard form” policy available so you’ll want to confirm with your insurance broker whether each of the following risks is included in the broker’s proposal for your consideration, if it is indeed needed.
Direct property risks such as:
• Data loss
• Cyber extortion
• Computer fraud
• Social engineering loss
Indirect property risks such as:
• Privacy notification
• Crisis management expense
• Business interruption
• Extra expense (to avoid shutdown of operations from an alternate location)
Third-party liability risks such as:
• Damages sustained from lack of information security and privacy liability
• Regulatory noncompliance and penalties
• Other fines and assessments
• Website media issues
• Conventional bodily injury and property damage liability
That’s only a partial list and obviously far-reaching, yet not all that complex.
Once you will have worked through this process, you should be able to enjoy the principle benefit of sound risk management, viz., a quiet night’s sleep.
John Pryor, CPCU, ARM, AAI, AIS, is a risk management and general management consultant with CSU Bakersfield’s Small Business Development Center at www.csub.edu/sbdc.