Cybersecurity for Small and Mid-Sized Businesses

Now more than ever, entrepreneurs, startups and businesses, including small and mid-size businesses, need to be cyber savvy and aware of the risks associated with the increasingly digital nature of business.

As far back as 2016, 93% of small and midsize enterprises (SMEs) that experienced a cyber incident reported that it had a severe impact on their business. Almost all reported money and savings losses, and 31% reported reputational damage, according to research from the Janet & Mark L. Goldenson Center for Actuarial Research at the University of Connecticut.

That’s why it is vital for insurance agents and brokers to counsel their small and mid-sized business clients on cybersecurity threats. For starters, cybersecurity is not just about privacy, and it doesn’t begin and end with passwords. It has now become a critical part of a company’s ongoing operational plan—regardless of size and scope. 

Three Risks A Company Should Never (Want To) Face

Three risks every company can potentially face as a result of a cyber breach include:

1) Damage to its reputation. This affects a company’s brand in the eyes of its consumers, investors and other key stakeholders. 

2) Inability to use its computer systems. Financial loss—some of which can be significant—can occur from not being able to operate for days or weeks at a time.

3) Increased liability to third parties. For example, when attacked, a company may be sued for liability due to the cyber impact on customers, vendors, suppliers or others.

Agents and brokers can help their clients mitigate the potential risks by sharing best practices around preparation. The goal is to limit a company’s losses when a cyber incident occurs. Part of that preparation includes making sure the company has a comprehensive cyber insurance policy in place that provides access to financial risk transfer, loss mitigation services that identify and mitigate key cyber exposures, and incident response services that help post breach.

Do You Recognize This Client?

Consider the following hypothetical scenario: Jack is the CEO of a $50-million business with 100 employees that provides back-office services for clients’ employee benefits programs. That sounds straightforward.

The hidden risk, however, is that the computer interconnectivity between Jack’s company and each of his clients exponentially increases its exposure to potential compromise, meaning that Jack and each of his 100 employees are connected to the records—names, addresses, and social security numbers—of every one of the employees in every one of his clients’ offices. That’s potentially hundreds of thousands of records. If just one person within that network clicks on one bad link, the entire interconnected network may become compromised.

Although it’s the large-scale cyber incidents that garner media focus, the reality is that small businesses are often the victims of cyberattacks. But why are smaller businesses targeted?

Bad actors—the cyber criminals—may know that SME leaders like Jack often mistakenly think that cybersecurity services and cyber insurance are beyond their means, making them under-protected and more easily accessible. Moreover, cyber criminals frequently target SMEs’ vulnerabilities, which often include weak or compromised passwords. Or in Jack’s case, someone who innocently clicked on a link they shouldn’t have.

A Necessary Conversation: Risk Mitigation Questions to Consider with Clients

How should insurance agents and brokers approach the cybersecurity topic with their clients? Below are a few risk mitigation questions and considerations to keep in mind during client discussions: 

1. Does the client keep an inventory of authorized devices or software that connects to the business network? What about any open or vulnerable Remote Desktop Protocol (RDP) ports that allow remote users access?

2. Does the company control the use of administrative privileges? Doing so allows a business to track who has access to its systems and data. Also, does it have a protocol in place to remove users who are no longer with the firm or who have changed roles?

3. Does the client have an incident response plan in the event of a cybersecurity incident and do they test it? The plan should be robust, tested often and have the buy-in of key decision-makers. In addition, the enterprise’s cyber insurance policy should be an important part of the plan.

4. Does the business conduct staff cybersecurity education? A business is only as secure as its employees. The best technology won’t help if employees fall victim to phishing and other types of scams. Education is key to preventing cyber incidents.

The answers to these questions will reveal a variety of opportunities for agents and brokers to better educate their clients and ultimately reduce the potential for compromise and for business interruption that is at least temporary, and sometimes permanent.

Cyber Insurance Plans: One Size Doesn’t Fit All

When considering cyber insurance offerings, agents and brokers should consider the carrier partner’s financial strength to handle a breach; its cyber experience and depth of knowledge; and its suite of critical services available to its insureds, such as legal counsel, public relations, fraud consultation, identity restoration, computer forensics and other post-breach resources. Having access to outside experts who have extensive experience helping other impacted companies respond to a cyber incident is critical in how a company responds to an event.

With the right cyber insurance, an SME can have access to a myriad of optional claims and risk management services in addition to bottom-line financial protection.

Continuing Education is Key

The topic of cybersecurity is ever-evolving and at times may feel overwhelming.  One way for agents and brokers to continue providing value to clients is to undertake additional training so they have the knowledge and confidence to engage in ongoing conversations.

In today’s digital world, it is critical for agents and brokers to educate their clients on all the potential cyber exposures they face and help them to incorporate effective cybersecurity measures. Businesses of all sizes need to be educated properly and take the time to understand their exposures and options before it’s too late.

Bobbie Goldie is senior vice president of Chubb financial lines.