Small businesses continue to be high-value targets for cybercriminals. Reasons for the attraction are varied, but one of the top motives is that many small businesses serve as third-party vendors to larger companies. When they aren’t properly safeguarded against cyberattacks, third parties offer attackers an unfettered path to the attack surfaces of their corporate clients.
TransUnion’s research shows that of the 3,495 compromised companies in 2022, 1,745 originated from a third-party vendor data breach. That is an increase of nearly 220% compared to the prior year.
What’s more, third-party vendor breaches are becoming more severe as threat actors hone their craft. As measured by a proprietary TransUnion algorithm, the severity of third-party vendor breaches increased 10% in 2022. By comparison, the severity of primary breaches increased a mere 2%.
Given the criminal focus on small businesses, business owners are realizing that they are either uninsured or vastly underinsured for cyber protection.
Claims data from Cyberscout, a TransUnion brand, shows that the most prevalent denial of coverage for small business cyber claims involves social engineering claims, which are often not a standard component of the cyber coverage attached to a small business package policy. Complicating matters, social engineering has taken over as the number one type of cyber scheme seen today, displacing ransomware as the top threat.
When neither the bank nor the insurer can help
In a recent incident, a small business owner was tricked into updating the ACH banking details after receiving a fake email from what he thought was a long-time vendor partner. The illegitimate banking info stayed in place for months, all the while the small business’s direct monthly payments went to a fraudster.
Since the business owner had technically authorized the payments, the bank could not help. Similarly, because the business owner’s cyber insurance policy excluded social engineering, the insurance company couldn’t help. In the end, the small business lost more than $50,000. The business owner lost hours trying to recover the funds while reconciling with the real vendor who never received the monthly payments owed.
Losses like this are insurable by contemporary policies. Because the industry has been slow to standardize these policies, they go by many names (e.g., financial fraud policies, computer crime policies, electronic funds transfer policies and even aptly named social engineering policies).
Brokers can bring about change
Brokers are a key resource to help small business clients and insurer partners find adequate, right-fit cyber coverage. By asking clients a few relevant, exploratory questions (and committing to repeating that process at renewal time), brokers can ensure policyholders are more adequately insured for the actual threat landscape in which they are operating. Brokers also hold a bully-pulpit position with their insurer partners — they can help push insurers to continue upgrading their cyber offerings to address the realities of the ever-changing cyber risk landscape.
As for their small business clients, here is a series of questions business owners and the brokers serving them can walk through together as they select the right cyber protection policy for their unique circumstances.
How affluent is the principal owner?
A business owner’s wealth and prominence should be factored into a cyber policy risk assessment. This is not only to calculate potential financial losses related to a cyberattack. It also is a means by which brokers can assess the likelihood and severity of certain strikes on the business.
In recent months, cybercriminals have leaned in hard on whale phishing attacks and extortion aimed at prominent individuals and key executives within under-the-radar companies. Therefore, the affluence of the business’s principal owner or owners is a factor that must be considered when determining the appropriate amount of cyber coverage.
High net worth policies tend to cover most forms of financial fraud. Yet, there are nuances to that coverage that can exclude incidents of cybercrime. Similarly, newer small or home-based business policies may include theft, but this is often limited to incidents like a stolen computer or printer, not necessarily financial losses stemming from stolen credentials, for instance. Owners and brokers should carefully go through these policies to be aware of the exclusions and to determine whether they are acceptable to the business owner.
Is personal, business and client data properly siloed?
Among the reasons small businesses are so attractive to cybercriminals is that a single compromise can pull double, often triple, duty. When a hacker successfully breaches a business owner’s personal laptop, for instance, they can often find more than just the owner’s personally identifiable information (PII). They might find valuable business data as well. This could be anything from financial account details and tax ID numbers to employee records and valuable trade secrets. If that business serves as a vendor, the hacker may also be able to compromise the business data of several clients at the same time.
To have a comprehensive view of the company’s threat landscape, business owners and their brokers should discuss how much of the principal owner’s personal information is present on the business’s networks and vice versa. They should also understand how client information is gathered, stored and protected on the business’s systems.
Historically, insurers have been good about separating personal and business coverage. However, amid the emergence of workplace trends such as bring-your-own-device, work-from-home and even side-hustle policies, things have gotten a bit murky.
Is the business following cybersecurity best practices?
Investigating the business’s cyber protection strategies is not only necessary for underwriting risk, but it can also have the added benefit of educating the business owner on emerging risks and best practices for mitigating those risks.
Brokers should ask about the business’s managed services provider (MSP) relationship. How often are they connecting with that organization to update firewalls, download security patches or integrate emerging tech?
They should also ask about backup policies and procedures. Small businesses with proper data backup are often spared the need to pay a ransom.
Brokers may also ask scenario-based questions, such as what the business does if it receives a communication announcing a change in banking instructions. Does it follow up with a direct call to the bank to verify, instead of relying on email or text instructions?
The behaviors of key executives should also be explored. Are leaders using a VPN regularly? Do they have their spam filters set too high? Are they participating in the employee cyber training that their business requires of its employees?
It’s no secret that this level of scrutiny can be a turn-off for some principal owners. In these circumstances, a cyber endorsement may be the best medicine. Endorsements are a good way to ease small business owners into cyber insurance with the least amount of friction. While they do not offer as much breadth as a full policy, endorsements are certainly better than no cyber policy at all. Brokers will want to evaluate the willingness of all principals to participate in exploratory behaviors and practice assessments on a case-by-case basis.
The upshot of inconsistency
No broker wants to be the one to explain to a policyholder that the premiums they have been paying are not enough to fully recover from a cyberattack. Yet, that’s exactly where many are finding themselves today as rapidly evolving threats push cyber policies into irrelevancy almost as they are written.
More than two decades into the business of cyber insurance, the industry is still constrained by a lack of standards. This requires brokers to come at each policy with a unique approach. The upshot of this inconsistency, though, is that brokers have a lot of room for flexibility and customization, not to mention the benefit of additional client touchpoints and revenue streams. The important thing is to avoid the status quo and to insist on frequent check-ins with business owners.
The pace of change — both within the legitimate business world and the world of cybercrime — is much too fast for set-it-and-forget engagements between insurers and their policyholders. We need a mindset change on policy rewrites. Rather than viewing them as upsetting the apple cart, we need to see them as an opportunity to expand clients’ awareness and improve their protection against what is, for all intents and purposes, an eventuality.
Matt Cullina is head of global cyber insurance for Cyberscout, a TransUnion brand, which he has led for more than 10 years. Cullina has also served on the board of the Identity Theft Resource Center, including a term as the nonprofit’s board chairman. He can be reached at matt.cu[email protected].
Based in New York, Stephen Freeman is a Senior Editor at Trending Insurance News. Previously he has worked for Forbes and The Huffington Post. Stephen is a graduate of Risk Management at the University of New York.