Stay on top of the latest trends in the rapidly changing cyber liability market.
Independent insurance agents and brokers need to stay on top of the latest trends in every market to be a trusted adviser to their clients. While cyber liability is no longer a new phenomenon, the rapidly changing nature of exposures in the market means that agents must stay abreast of where increasingly efficient and prosperous gangs of cybercriminals will strike next.
As October marks National Cybersecurity Awareness Month, here are four major takeaways from studies that will help you protect your clients and your agency:
1) Cyberattack recovery time and costs are much higher than businesses realize. Small businesses are more likely to be the target of a cyberattack than larger companies, but a recent Nationwide Agency Forward survey about cybersecurity and business owners shows they are also not prepared to recover if an attack occurs. Most small business owners also heavily underestimate how damaging a cyberattack could be for their company.
Less than 3 in 10 small business owners report having cyber coverage, compared to 71% of middle market businesses. Small business owners are significantly less likely to be taking important precautions with their employees. Just 56% of small business owners report offering cybersecurity training at least once a year, compared to 94% of their middle market counterparts. Meanwhile, less than a quarter of small business owners (24%) send regular phishing test emails to employees, compared to about two-thirds (65) of middle market business owners.
“While we often hear about data breaches at large corporations, many cybercriminals have set their targets on small businesses that are more vulnerable and often lack the protections and resources larger organizations can afford," says Peter McMurtrie, president of commercial lines, Nationwide. “It's critical in today's digital age for businesses of all sizes to have protections in place to safeguard sensitive information and prevent a breach from jeopardizing their future."
Additionally, 40% of small business owners think it would take less than $1,000 to recover from an attack—but Nationwide claims data shows recovery costs average between $15,000 to $25,000. And while 60% of small business owners think it would take less than three months to fully recover, the average recovery time after an attack is actually 279 days.
2) Cyber threats remain the top overall business concern. Cyber threats were the leading concern in the 2022 Travelers Risk Index but other issues were close behind, a change from 2021 when cyber held the top spot by 6 percentage points.
This year, 59% of survey respondents said that they worry some or a great deal about cyber threats, followed closely by broad economic uncertainty (57%), fluctuations in oil and energy costs (56%), the ability to attract and retain talent (56%), and medical cost inflation (55%).
Overconfidence in navigating the evolving cyber landscape is causing a false sense of security, with 93% of respondents stating that they were confident their company had implemented best practices to prevent or mitigate a cyber event. But when asked whether their company had taken specific prevention measures, the majority had not: 64% don't use endpoint detection and response, 59% haven't conducted a cyber assessment for vendors, and 53% don't have an incident response plan.
Even multifactor authentication (MFA) has been slow to catch on. According to this year's Travelers Risk Index, 90% of survey respondents said they were familiar with MFA, yet only 52% said their company had implemented the practice for remote access. This is despite Microsoft stating that 99.9% of account compromise attacks are blocked by adding the extra security measure of MFA to verify a computer user's identity and Arete stating that 94% of ransomware victims weren't using MFA.
“Cyberattacks can shut down a company for a long period of time or even put it out of business, and it's imperative that companies have a plan in place to mitigate any associated operational and financial disruptions," says Tim Francis, enterprise cyber lead at Travelers. “Effective measures that have proven to reduce the risk of becoming a cyber victim are available, but based on these survey results, not enough companies are taking action. It's never too late, and these steps can help businesses avoid a devastating cyber event."
3) Consumers are concerned about cyberattacks but haven't insured their digital fingerprints. From a personal lines perspective, Nationwide's Agency Forward survey about cyber security and consumers revealed that consumer concerns about a cyberattack are on the rise, especially as more people rely on technology and data for everyday tasks like grocery shopping or paying bills.
As many as 58% admitted that they are concerned about falling victim to a cyberattack, which is an increase of nine points since June 2020. Consumers said increased frequency (61%) and sophistication of attacks (51%) in recent years are causes for concern.
Further, 1 in 5 consumers report having been a victim of cybercrimes, with the most common attacks being password attacks (38%), data breaches (31%), malware (30%) and phishing (30%).
“The survey data is startling," says Beth Riczko, president of property and casualty personal lines, Nationwide. “Since cyberattacks are now commonplace, it reinforces the need for consumers to make protecting their personal cyber footprint with insurance and mitigation a priority—just like they would with their home or car."
The Agency Forward data also showed that 86% of consumers believe cyber insurance would take care of recovery needs after an attack. However, 69% of consumers do not have cyber insurance to protect their digital assets.
4) Average claim cost rises but ransomware claims are waning. During the first half of 2022, the average cost of a claim for a small business owner increased to $139,000, which is 58% higher than levels during the first half of 2021, according to the mid-year update to Coalition's 2022 Cyber Claims Report.
However, there is good news: There was a decrease in ransomware attack frequency and the amount of ransom demanded between the second half of 2021 and the first half of 2022. Ransomware demands decreased from $1.37 million in the second half of 2021 to $896,000 in the second half of 2022.
Unfortunately, phishing triggers the majority of cyber incidents, accounting for 57.9% of reported claims, leading to funds transfer fraud (FTF) claims to hold steady, according to the report.
“Across industries, we continue to see high-profile attacks targeting organizations with weak or exposed infrastructure—which has become exacerbated by today's remote working culture and companies' dependence on third-party vendors," says Catherine Lyle, head of claims, Coalition. “Small businesses are especially vulnerable because they often lack resources. For these businesses, avoiding downtime and disruption is essential."
Will Jones is IA editor-in-chief.