All I want for Christmas is for businesses to understand their cyber risk
As a broker, you know too well the challenges of trying to convince business owners of the importance of cyber coverage in an increasingly digitized environment.
Whether they object that their business is small and therefore not a risk or that their industry is “safe” from cyber crime, if they don’t have adequate risk management and cyber coverage in place, they are likely being tricked by pervasive misconceptions. In fact, 38% of business decision-makers failed to increase their cyber policy limits in 2021 despite knowing the heightened presence of threat actors.
Just look at the stats. In 2021, ransomware attacks cost businesses 170% more than in 2020, business email compromise claims were up 51%, and funds transfer fraud claims were up 28%. That’s a lot of threat actors on Santa’s naughty list.
As you head into Christmas with an eye on your early 2022 client coverage renewals, we’re here to help you bust the following common myths or objections to your customer’s business cyber risk exposures.
Myth #1: Our small business isn’t a target
Cyber criminals are finding it more profitable to target small and midsize organizations due to their ability to automate attacks and because businesses are more vulnerable due to the COVID-19 pandemic. In part, the rush to get up and running virtually quickly during the pandemic caused many smaller organizations with limited resources to overlook significant security risks.
In fact, according to our Cyber Insurance Claims Report, the frequency of incidents reported for organizations with fewer than 250 employees increased 57% from the first half of 2020 to 2021. Unfortunately for these smaller organizations, a ransomware demand can be catastrophic, averaging $1.2 million in 2021 for Coalition policyholders.
Myth #2: Our IT team has everything under control
Even the most skilled and well-funded IT departments need backup when protecting their organizations against cybercrime. With increased reliance on remote work and digital operational procedures, threat actors have exponentially more opportunities and ways to infiltrate any company’s network.
In the second half of 2020, the percentage of Coalition policyholders who experienced a claim due to insecure remote access increased from 29% to 39%. Additionally, the severity of these attacks increased by 103%. These numbers are likely a lot higher today. Cyber criminals are using more sophisticated techniques for classic attacks, including business email compromise (BEC), phishing attacks, and funds transfer fraud.
It’s easier than ever for someone to slip through a company’s walls of protection, and when it happens, the right insurance coverage can be there to save the day. This is even more critical for smaller businesses with fewer resources to dedicate to cybersecurity
Myth #3: Cyber criminals only target businesses with credit card and personal health information
Threat actors are no longer looking only to monetize employee or customer data; they take advantage of an organization’s reliance on it. Typically, a ransomware attack involves encrypting or deleting some or all of an organization’s critical information or data and holding it hostage at a high price.
Threat actors have also found new ways to exploit an organization’s digital infrastructure and assets. For example, two of the latest emerging risks are service fraud and bricking, wherein cyber criminals attach malware to your business network to steal computing power to mine cryptocurrency.
Myth #4: We aren’t liable for our vendors and other third-party cyber exposures
Third-party vendors such as IT service providers, customer relationship management (CRM) platforms, and cloud computing providers often require access to an organization’s network to provide their services. In such cases, these vendors can update the software on the system and trusted sources of links, files, and other attachments that can be used to distribute malware. This means that if the vendor experiences a security breach, its partner organizations could well be impacted.
There is a lot at stake for businesses through third-party risk. IBM reported that vulnerabilities in third-party software have cost businesses $4.33 million annually and were the root cause of 14% of breaches. And unfortunately, the risk and severity of these events are only increasing.
For the vendor and technology organizations, third-party and errors and omissions (E&O) liability also be costly. Even if they are not to blame for the breach, notification and litigation processes can be expensive in both time and money.
Myth #5: Cybersecurity is an IT department issue
With more than 30% of businesses conducted online, cybersecurity is not just a technology issue but a total business risk. Digitization means that a breach poses a serious threat to an organization’s entire operation, and adequate cyber protection needs to include all aspects of the organization, from the IT department to employee training and financial practices, including the right insurance coverages.
Additional resources as you build the case for cyber coverage
Ensure your clients are protected against cyber risk by making cyber insurance more accessible and understandable. We’re here to help in the process.
As you have conversations with your clients and debunk their cyber risk misconceptions, here are some additional resources to have at your disposal:
Coalition’s customized Cyber Risk Assessment and Cybersecurity Guide can be paired together to provide clarity on a client’s vulnerabilities and guidance on best practices on how to mitigate risk.
Our claims calculator uses past claims data to illustrate how expensive and damaging a cyber claim can be compared to the cost of cyber insurance.
Brush up on your cyber vocabulary with Coalition’s archive of articles and training videos. A great place to start is learning the common cybersecurity acronyms and terms.
It often takes multiple conversations for clients to get familiar with the intricacies of cyber risk management. Patience and persistence are the way in as you make this intimidating subject more digestible. Who knows, maybe your holiday wish will come true this year, and together we can make the world a little more secure from threat actors in 2022!