Does your small business need cyber insurance?


With attacks on the rise, organizations need to evaluate their risk and decide whether they need cyber insurance. Here are the factors that make your business a prime candidate for such extra protection.

The number of cyberattacks has rocketed over the last couple of years, fuelled by the COVID pandemic and the war in Ukraine.

With organizations disrupted by the virus and many staff working from home, cybercriminals were quick to capitalize – indeed, according to Microsoft, in the week following the World Health Organization's formal announcement of the pandemic in February 2020, attacks increased eleven-fold.

And more recently, the conflict in Ukraine has led the Five Eyes intelligence alliance to warn that attackers are ramping up activity.

Demand for insurance on the rise

"The need for robust cybersecurity and cyber insurance is becoming apparent to businesses of all types and sizes, as the frequency and severity of cyberattacks continues to rise," says Ben Carey-Evans, insurance analyst at GlobalData.

"COVID-19 has also brought about a permanent shift in the way businesses and consumers operate, with remote working practices set to stay and digital consumer channels seeing more use than before the pandemic. This lasting shift in behavior will push the demand for both commercial cyber insurance and, to a lesser extent, personal cyber insurance in the coming years."

Indeed, the take-up of cyber insurance is sharply on the rise, up from 26 percent of all insurance customers in 2016 to 47 percent in 2020, according to the US Government Accountability Office (GAO).

Small businesses lag behind

However, while nearly a third of small business owners rank cybercrime, data breaches, and fraud as a 'most concerning' risk, only seven percent have cyber insurance, according to BizCover's 2022 Small Business Bravery Report.

And according to a report from insurer Hiscox, small businesses hit by a cyberattack faced an average cost of around $25,600 for each incident.

So who needs cyber insurance?

A business's risk can be assessed using a framework such as ISO/IEC 27002 or the NIST Cybersecurity Framework, which will not only help clarify requirements but also make it easier to negotiate with insurers.

And it's important to be clear about the full effect on an organization, including legal fees, the financial impact of business interruption, and the associated costs of response and recovery.

As a rough rule of thumb, any business that accepts credit cards or stores sensitive customer or employee data in the cloud should consider cyber liability insurance.

And with supply chain attacks on the rise, firms that do business with larger enterprises should consider the potential risks.

"When you're evaluating insurance policies, determine whose data you are trying to protect and to what extent. If your company does not deal with a lot of outside data, you may want your policy to only be internal," advises the US Chamber of Commerce.

"Most businesses do collect some sort of customer data, like names and contact information, though. Carefully consider the data of others that you collect and if necessary, look into covering the loss from a third-party data breach."

While cyber insurance costs have rocketed over the last year, it's still possible for small companies to get policies for as little as a few dollars or euros a week, with most providers offering tailored cover reflecting an organization's individual risk profile.

"Brokers play an important role in advising customers to take the right level of cover, ensuring that firms are properly protected from cyber threats," advises GlobalData insurance analyst Benjamin Hatton.

"It's important for providers to assist businesses in purchasing the level of cyber insurance that most suits their individual needs."
