The US cyber insurance market is not keeping up with the cyber risk needs of small businesses. Despite cyber being one of the most ubiquitous risks around – one that requires concerted response from all commercial entities regardless of size or sector – there remains a significant disconnect between insurers and the small business community.
This was made abundantly clear in the results of a recent survey by CyberScout, a global leader in cybersecurity and identity theft resolution services, which revealed that 76% of US small and medium-sized businesses (SMBs) experienced some form of cyberattack in 2019, but only 31% had cyber insurance coverage.
There is a significant coverage gap that US insurers could fill, if their products actually met the needs of small businesses. This is where the market is falling short, according to Matt Cullina (pictured), managing director of Global Markets at CyberScout. In recent years, cyber insurance has evolved with standalone products geared for the needs of large enterprise risks, but the same effort and focus has not kept pace for the small business market.
Small businesses are more geared towards buying insurance in commercial package policies or business owner policies (BOP) because they like the convenience of bundling their insurance needs together and paying one premium. In contrast with their larger counterparts, they’re not as apt to buying standalone insurance products, like a separate cyber policy.
“Standalone cyber policies for small business are just not the right fit. They’re simply not being purchased,” Cullina told Insurance Business. “Adding cyber coverage to small commercial package policies via endorsement is a much better fit for a small business. The market has to meet them where they’re at, versus trying to sell them something that they’re never even going to consider purchasing based on how they typically buy insurance today. The standalone products are almost a non-starter for most small businesses.”
The market has made some progress in recent years. In the late 2000s, insurers started offering light cyber coverages within the context of small commercial package policies via endorsement. At first, the coverage was very much geared towards first-party data breach issues, the costs and services associated with handling those breaches and the tools needed to mitigate potential privacy issues. Since then, the coverage has evolved alongside the ever-changing nature of cyber risk, but it’s not evolving quickly enough, according to Cullina.
Small business cyber risks, especially in the COVID era, are going through the roof. Today, they’re falling prey to the same cyber issues as their larger counterparts, albeit on a smaller scale. In recent years, the small business community has seen a dramatic uptick in extortion claims, social engineering scams, and electronic funds transfer scams. Hackers are targeting small businesses more than ever, especially while they’re more reliant on online connections and technology due to the coronavirus pandemic.
“The small business cyber coverages have not kept pace with that risk,” said Cullina. “What we’re finding is that the coverages, like cyber extortion and cybercrime, have not kept pace with the needs of the small market, so when we’re handling claims for these folks, there are gaps in coverage and gaps in limit, and often the insureds have to pay out of their own pocket for losses. For commercial insurers offering these cyber coverages to small business, they really have to adapt and evolve their programs every four to five years, or their offerings inevitably become stale.”
Cyber insurance for small business isn’t just about the financial risk transfer; it’s also about delivering expert crisis management services and support, and providing small businesses with a holistic approach to managing their cyber risk. Cyber insurance coverages typically come with a wide range of value-added services, including pre-breach risk migration, education, training and risk assessment tools, as well as post-breach crisis response, incident coordination, and legal and regulatory advice. Again, these are offerings that insurers need to upgrade regularly in order to meet the specific needs of small businesses, according to Cullina. Insurers can turn to organizations like CyberScout and the reinsurance community for help in doing that.
“Cyber risk is ubiquitous for small businesses; it’s a top concern,” Cullina stressed. “Small businesses go to their insurance policies to cover all of their risks including emerging risks, and as cyber exposure evolves, the coverage must keep up. Therefore, it’s incumbent upon insurers to make sure their solutions and their services are evergreen and mainstay, and when marketing their solutions, they must educate the retail agents so they can best talk to their clients about these exposures because every small business needs strong cyber insurance today.”