Cybercrime against small businesses rose sharply last year and shows no signs of abating. And yet, a survey of small businesses conducted by Appalachian State University in coordination with Selective found that only 20% of small businesses had cyber insurance.

Cybercrime is a risk for which small businesses are woefully unprepared and uninsured—this lack of preparedness takes a high toll. Research from IBM and the Ponemon Institute's 2021 Cost of a Data Breach Report shows that small organizations (those with fewer than 500 employees) spend an average of nearly $3 million per data breach incident.

However, there are other non-monetary costs. The company's reputation takes a hit because it may lose the trust of employees, customers and vendors, and it must spend valuable time and resources, including paying legal fees, to react to the attack and notify impacted parties and its stakeholders about the breach.

Protecting Small Business Through Cyber Risk Mitigation

Just as you would advise a client who buys general liability insurance to take steps to reduce their exposure, consider advising clients to take steps to minimize their cyber risk. They might be surprised to learn some of the cost-effective steps they can take to improve their risk profile.

For example, while educating and training employees is inexpensive, it may also be the single-best strategy at the disposal of small businesses to prevent cyber incursions. As many as 95% of cyber breaches are caused by human error, according to a study by IBM. A compromised password or a click on a disguised link in an email is often all it takes for a cybercriminal to access a company's data. Proper training can help employees reduce such risks.

Not all cybersecurity improvements come at a cost. Programs and tools that small businesses use today, such as Microsoft or Google Workspace, have easily enabled security features, such as multi-factor authentication (MFA). 

MFA is an effective tool to help control access to a website, secure data or an online account. MFA can block over 99.9% of account compromise attacks, according to Microsoft. Using MFA is easy and affordable—you simply have to turn it on.

Beyond Cyber Preparedness: Cyber Insurance

By ensuring your small business customers have cyber insurance coverage, you are helping to protect them against escalating cybercrime. Cyber liability policies help reduce the financial impact of a cyber event, while experienced claims handlers and breach response teams can mitigate the time your clients spend away from running their business.

Cyber insurance policies provide three main types of coverage:

• First-party coverages. For costs the client incurs as a result of a cyber event, such as expenses for recovering data, notifications to stakeholders, public relations and credit monitoring.
• Third-party coverages. For expenses incurred when a lawsuit is brought against your client because of a third-party's information being stolen.
• eCrime coverage. For expenses resulting from various types of fraudulent activity, such as telephone fraud, funds transfer fraud and social engineering.

In addition, a cyber insurance carrier will most likely provide your clients with education and risk mitigation tools to enhance their cyber posture. These typically include access to breach solutions information, incident response planning roadmaps, assessment of current privacy and security systems and employee policy templates. These services would cost small businesses thousands of dollars but carriers often bundle them into their cyber coverage at no extra charge.

No small business is immune from cyberattacks, and all data is at risk. Prevention, preparedness and insurance offer the best means of helping your small business clients protect themselves from a cyberattack as well as recover from one.

Jeff Weaver is assistant vice president of management liability insurance at Selective Insurance.