By Rob Sloan, cybersecurity research director, WSJ Pro
When faced with a cybersecurity incident, most large enterprises have well-planned and well-rehearsed procedures, but the majority of small to medium-sized businesses do not. With limited (or non-existent!) information security resources and a lack of experience of handling incidents, the likelihood of lasting damage from an attack is high.
Small businesses are at a disproportionately high risk of serious financial damage or even going out of business following an attack, which can be limited if cyberinsurance is carefully considered.
Data released this week by cybersecurity breach services firm NetDiligence shows almost half of 591 cyberinsurance claims analyzed so far in 2017 came from organizations with annual revenue under $50 million. 71% of claims came from companies with annual revenue below $300 million.
Average breach remediation costs for a larger organization were 15 times greater than the average cost for smaller organizations, though relative to the size of the business the financial burden fell far more heavily on the SME.
The total cost of crisis services (including forensics, legal support and notification costs) for claimants varies across sectors and breach categories, but averaged $394,000 according to NetDiligence. Contrast this figure with the Ponemon Cost of Data Breach report average, which put the mean cost of a breach among 63 participating U.S. companies at $7.35 million. Statistics on costs related to data breaches should be treated carefully.
Only around 15% of small to medium-sized businesses have cyberinsurance coverage. Despite a steady rise over the last few years, too many businesses are still exposed to the full cost of cyber incidents.
Policies have evolved to help support clients during an incident rather than simply providing financial aid after the fact.
“Cyberinsurance is more than basic risk transfer; it is more of a holistic risk management tool,” said Eric Cernak, vice president, cyber and risk practice leader at Munich Re. Insurers are increasingly facilitating the relationships that cybercrime victims require to respond to an incident efficiently and effectively, such as legal, investigative and communications services.
“There are a lot of moving parts in addressing a cyber incident,” said Mr. Cernak. SMEs are rarely adequately prepared to deal with the myriad decisions they will need to make in the hours and days after a breach.
Insurance companies see all manner of breaches across multiple industries and understand how best to respond when clients have an issue. “Insurers have done the thinking on who to bring in and when, and a cyberinsurance policy can provide businesses with a point of contact to initiate the response,” said Mr. Cernak. “Policy-holders can also benefit from the preferred access insurers have negotiated with service providers.” This avoids victims having to agree to high day rates in exchange for third-party expert assistance.
Using a carrier’s preferred service provider is not obligatory; some policies have a degree of flexibility to allow victims to use any service provider, so long as they seek approval first. Existing relationships may have other benefits: for example, the service provider may already understand the victim’s network, which would lead to a more efficient response.
When assessing breaches, Mr. Cernak recommends companies “assume the worst” and added: “Ideally, a third-party forensics firm should assist; taking the wrong steps, such as hastily unplugging a system to stem the damage, may eliminate crucial evidence related to the intrusion.” Mr. Cernak also recommends engaging external communications and legal experts from the start.
“All too often the mentality is ‘it’s not going to happen to us’,” said Mr. Cernak. “Once you get past that, other misperceptions about cyberinsurance persist.” Coverage is widely perceived as being expensive, difficult to obtain and contingent on lengthy security questionnaires or even network security tests. “That may have been true in the past, but it’s not the case now.”
Organizations should take a methodical approach to insurance: they must understand what they are trying to protect and what existing coverage they have in their general and professional liability policies and their crime insurance. Assess the gaps to know where there is exposure, and understand whether large clients have expectations of certain levels of cyberinsurance coverage and what those policies should include.
Reviewing your policy requirements is also important ahead of policy renewal time. “You may not have changed, but the world around you might have changed,” said Mr. Cernak. “Changes in business operations, the regulatory environment, technology all bring new risk.”
(Rob Sloan is cybersecurity research director at WSJ Pro. Previously, Rob has worked as response director for a specialist IT security consultancy in London and built a team focused on detecting, investigating and protecting against cyber intrusions and responding to incidents, especially state-sponsored attacks. Rob started his career working for the U.K. government, looking at some of the earliest cyberattacks against the critical national infrastructure. Rob’s main interest is the requirements, motivations and technical capabilities of threat actors. For a free trial of the WSJ Pro Cybersecurity newsletter please visit: https://buy.wsj.com/wsjprocs/)