Cyber criminals now target businesses of all sizes — and small to mid-size businesses (SMBs) are increasingly in the crosshairs. That’s because cyber criminals know that SMBs have fewer resources and often little, if any, security protections in place.
As many as 41% of SMBs fell victim to a cyber attack last year, a rise from 38% the year before.[1] For most SMBs, phishing is still the primary point of access. And the costs are significant. According to IBM’s Cost of a Data Breach Report, the average cost of a data breach on SMBs with fewer than 500 employees is $3.31 million.
More often than not, SMBs underestimate their vulnerability, believing it won’t happen to them, or that they’re adequately covered, only to find themselves exposed to significant financial and operational risks if they don’t have the right risk management and cyber insurance in place.
Are you actually covered for a cyber event today?
Too many SMBs mistakenly believe their general liability or bundled business policies will cover all their cyber vulnerabilities. In truth, even if you have some very limited cyber coverage in a bundled package, it is likely not enough to cover all that’s required post-breach, including:
- Notification of affected individuals. Most states have required timelines for this.
- Engaging a forensics team to determine how the attackers got in, what they accessed, and what it takes to secure your network again.
- Repair/replacement of affected software and hardware.
- Ransom payments demanded by bad actors (ransomware).
- Federal regulatory fines, when applicable.
- A PR team to help defuse the damage to your business’ reputation.
- Getting systems and business back up and running.
When it comes to coverage, the bottom line is: Cyber risk is expensive to react to, but very reasonable to insure in advance. Do you currently have the right cyber coverage?
Start with a policy analysis. Do you have a GL policy with endorsements or a stand-alone cyber policy? Here are some ways they differ:
- Limits. A bundled policy will share limits across lines of coverage, including General Liability, Crime, Cyber and Property. If multiple liability events occur during the same period—for example, a property and cyber claim in the same year—the bundled policy will be pulling from a single pool for both events and limits will be exhausted more quickly. A dedicated cyber policy will have cyber-only limits and therefore more coverage capacity.
- Claims handling. Similarly, a claim on a bundled policy will be handled by a general claims handler, while a claim on a dedicated cyber policy will be handled by a cyber claims expert who is knowledgeable of post-breach requirements.
- Exclusions. A bundled policy will have several exclusions because it is designed to be broad, covering all of your business risks, while a cyber policy won’t exclude a cyber event.
While general liability insurance offers numerous protections for your business, it will not typically cover claims related to cyber attacks or data breaches. Although some insurance carriers may offer cyber coverage as an endorsement to your policy, to protect your business from the financial impacts of cyber attacks you will need a separate cyber insurance policy.
Having dedicated coverage is great, but avoiding a cyber event in the first place is even better. That’s why cyber risk management, combined with adequate coverage, is the secret sauce. Below are 3 key steps to safeguard your business against potential threats:
- Conduct a risk assessment: Review network access and vulnerabilities across departments. Learn from other SMBs’ experiences to identify common attack vectors. Ensure sensitive data is protected with firewalls and encryption.
- Educate and train employees: Prioritize regular cybersecurity training to help employees recognize phishing scams and social engineering, especially on platforms like LinkedIn, which are becoming common channels for cybercriminals to impersonate trusted connections. Early breach detection can significantly lower costs, with SMBs experiencing 17% fewer financial losses if a breach is detected immediately, compared to discovering it after a week.[2] Regular training exercises should be mandatory to lower the risk of human error in cyber defense.
- Hire the right team with skilled IT professionals who can handle security risks: With remote work on the rise, mobile security is critical. Ensure your IT team focuses on multi-factor authentication, encryption, and secure access protocols, while trusted advisors manage liabilities. Beyond multi-factor authentication, consider making backup copies of important business data, controlling physical access to computers, and providing firewall security for Internet connections.
With the right policies in place, your business is far better positioned to withstand the impacts of rising threats. As cyber threats continue to evolve, staying ahead is essential for every business. Now is the time to ensure your coverage and risk management strategies are up to date, so you can face future challenges with confidence.
[1] Insurance Business, “Despite awareness, small businesses still highly vulnerable to cyber attacks,” January 26, 2024.
[2] Kaspersky, “IT Security Economics Report,” 2021.