SMEs And Cyber Insurance

Uploaded on 2017-06-13 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Financial

Carter Schoenberg, President and CEO of Hemisphere Cyber Risk Management LLC explains the challenges of SMEs and the role cyber insurance plays to protect them today while preparing them for coming threats

Business today increasingly relies on partners.

The increase in third party risk programs suggests security leaders take this seriously. The reality is our partners, often small and medium businesses, face growing challenges, too. Understanding the situation and current limitations is a key step in making sure everyone is properly covered. Cyber insurance plays a key role here. 

Carter Schoenberg is an industry veteran of 16 years who has served commercial and government clients with industry leading predictive analysis used by law enforcement, intelligence community, legal experts, and the insurance sector to address cyber-risk. He talked at length about the challenges of the small and medium businesses. We focused on a range of opportunities, including industry approaches, cyber security, and the role of security leaders at larger organizations to influence change.

Are SME (small and medium businesses) too small to take cyber security and insurance seriously?

They used to ask John Dillinger why he robbed banks. He responded, “Cuz that’s where the money is.” Small business owners tend to forget they make up over 99% of all business in the United States, according to the US Census Bureau.  I do not know of a single small business that does not accept credit cards. 

Even micro business owners use Square or other point of sale mobile terminal capabilities. These same small businesses generally do not have network defensive capabilities let alone the ability to identify if an attack is even occurring - outside of the self-evident ransomware attack. That is a pretty “target rich” opportunity.  If you examine the fact that a recent survey by Small Business Trends where SMEs place such an emphasis on “Customer Records” but turns a blind eye to “Employee Records”, Houston - we have a problem!

“I recently worked a case where a small business had to respond to 35 state attorney general requirements for disclosing a breach of PII (employee W2 data) and it was a massive blow to them financially in terms of internal manpower and paying for external subject matter expertise”’ he said. 
 
Most SME’s fail to understand these factors and if you do not understand your risk exposure, how can you protect against or mitigate it? SME owners may say, “Why would China or Russia want to come after me?” To a certain extent, they are correct but when you add context, they are factually wrong. If we mean nation state actors, perhaps they are not what you need to worry about. Men and women in uniforms are not the issue, individuals and groups acting in a collective within China and Russia are your problem.

How do we address the challenge of translating the risk in a way that SMB (and others) understand?

People in the field of cyber-security are great at identifying technical threats. We fail miserably at translating it into business risk.  If I were to say to a SMB client, “Management interfaces and services allow the remote management and administration of a host. If these services are available to the general enterprise network, they are vulnerable to a wide range of attacks, from the enterprise network user population. Almost all administrative services are vulnerable to brute force and password guessing attacks.”. What the heck are they supposed to do with that? Now let’s look at it differently.

“You have a vulnerability that we detected that can allow unauthorized access to your payroll and accounts receivables. There is information supporting the bad guys are actively taking advantage of this weakness you have and we want to limit your exposure to it.  We have prepared some recommendations, based on risk and priority to guide you through how to resolve it. We estimate it will take about 2 man hours to resolve and have minimal impact on your business operations.”

Now you have translated a technical finding into a business risk, highlighted a solution based on priority and what is business and cost justified.  The big challenge in the industry is that cyber has become so commoditised that people have become accustomed to paying out good money for reports that add little or no value because they are not actionable or repeatable for SMEs.

What do enterprises need to think about when it comes to the SMBs they partner with or acquire?

Any technology professional who has ever lived through a merger or acquisition will tell you the same story.  The Buyer’s CEO struck a deal with the Seller’s CEO. The acquisition is complete and IT (let alone cybersecurity) staff were never consulted and is now tasked to make Sales and HR functions interoperable immediately.  

Unfortunately, while the CEO’s are busy reviewing the books (revenues, pipelines, debt, etc.) they never look at what is the cyber hygiene of the Seller. Most recently (albeit not SMBs) both Verizon and Marriott have hit the presses in the last year because of the intent to buy out Yahoo and the Starwood Group realising massive financial risk exposure after negotiations due to “undisclosed” breaches during the courting period. 

Regardless of business size, the Federal Trade Commission is taking a very stiff position on businesses that misrepresent their cyber capabilities when conducting commerce as it applies to transmitting, storing, or receiving personally identifiable information or otherwise protected data under statutory law or regulatory requirements.

What’s happening with the current state of the insurance marketplace?

Data supports that in 2015, the market value of cyber policy premiums was $1 billion dollars. This is expected to increase to as a high at $10 billion by 2025. In order to accomplish this target Cash Annual Growth Revenue (CAGR), the insurance sector must properly evaluate a business model that not only improves top line revenues but also improves bottom line estimates by reducing the volume and values of claims stemming from a cybersecurity event.

There are 63 firms selling cyber policies and one major firm alone currently has over 50,000 SMB clients with cyber coverages. Regardless of how many clients a firm has or their respective client’s size, they all continue to struggle with pricing. 

In many instances, pricing is likely set artificially high as one of the traditional questions a buyer is rated against is annual revenues. The higher the revenues, the higher the premium. In 2015, NetDiligence reported that 62% of all claims originated from small business. This data point alone could highlight a need to categorically reevaluate how to measure and assess cyber policy premiums and coverage amounts.

In the race to write policies, there was a misstep leading to the unforeseen volume and value of claims. This positioned policy writers, to create unique lines of coverage and clearly defined “exclusions” to traditional general liability or errors and omissions policies where cyber coverages may have been “thought” to be covered.

How can cyber insurance help better address these issues?

Since 2011, DHS has been working with the insurance sector to see how to best work collaboratively and find common ground as to how to address cyber-risk through insurance. The industry came back with a resounding, “We don’t have the data to standardise”.  

This has fueled the race to write policies with little regard as to how providing pre-event services (vulnerability assessments, network and host monitoring, security training, legal consultations) can dramatically reduce the likelihood of a claim instead of focusing on post-event services (breach notifications, forensics, incident response, credit monitoring, etc.) that cost an arm and a leg unless you have the power of collective buying like carriers do.

In March, the state of New York just imposed some pretty hefty cyber-sec requirements for any business in the financial services sector with $10m in annual revenues. The legislative act basically stated there was a business justification to warrant such measures. 

In 2017, there is a business justification that warrants a categorical shift in adopting pre-event service offerings within the scope of the policy premium versus waiting for the catastrophe.  

Liken this to the following historical events that we take as status quo but was not always around because legislation or industry did not mandate it:

•    ‪Seat belts‬‬‬‬‬‬‬‬‬‬‬‬‬‬‬‬‬‬‬
•    ‪Air bags‬‬‬‬‬‬‬‬‬‬‬‬‬‬‬‬‬‬‬
•    ‪Smoke detectors‬‬‬‬‬‬‬‬‬‬‬‬‬‬‬‬‬‬‬
•    ‪Removal of lead paint and asbestos‬‬‬‬‬‬‬‬‬‬‬‬‬‬‬‬‬‬‬

What resulted? Dramatic decreases in civil tort action.  We can talk cyber all day long as a national security interest but at the end of the day, the almighty dollar is what drives national policy and in this case cyber policy premium and coverage limitations.  

CSO Online

Please contact Cyber Security Intelligence for free information and support regarding Business Cyber Insurance.

You Might Also Read:

Cyber Security Myths for SMEs (£):

Small Businesses Should Consider Cyber Insurance:

Five Pitfalls of Cybersecurity Insurance:

 

« NATO Could Go To War In Response To A Cyber Attack
North Korea, WannaCry, Cyberattacks And Lazarus »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Systancia

Systancia

Systancia offer solutions for the virtualization of applications and VDI, external access security, Privileged Access Management (PAM), Single Sign-On (SSO) and Identity and Access Management (IAM).

PakCERT

PakCERT

PakCERT is the national Computer Emergency Response Team for Pakistan.

Avatier

Avatier

Avatier identity management software products automate identity access management, user provisioning and IT governance to ensure information security and compliance.

Cyber 2.0

Cyber 2.0

Cyber 2.0 is the only system in the world that blocks all forms of cyber attack within the organization, including new and unfamiliar attack methods.

Slovak National Accreditation Service (SNAS)

Slovak National Accreditation Service (SNAS)

SNAS is the national accreditation body for Slovakia. The directory of members provides details of organisations offering certification services for ISO 27001.

A3Sec

A3Sec

A3Sec provides professional solutions in the areas of Cybersecurity, Device Monitoring, Business Intelligence and Big Data.

BotRx

BotRx

BotRx is the only AI-enabled, automated fraud protection technology that allows fast & easy deployment - continually keeping invisible bad bots and agents at bay, so you can rest easy.

DigiSec360

DigiSec360

DigiSec360 is a technology firm focused on the human element of cybersecurity.

Digital Boundary Group (DBG)

Digital Boundary Group (DBG)

Digital Boundary Group (DBG) is an information technology security assurance services firm providing information technology security auditing and compliance assessment services to clients worldwide.

Tabidus Technology

Tabidus Technology

Tabidus Technology is a cybersecurity association that unites and provides the global protection options against cyber threats.

BOXX Insurance

BOXX Insurance

BOXX Insurance Inc. is a new type of insurance company for a new type of risk. Cyberboxx is the first fully-integrated cybersecurity and insurance solution for small-to-medium-sized businesses.

Flat6Labs

Flat6Labs

Flat6Labs is the MENA region’s leading seed and early stage venture capital firm, currently running the most renowned startup programs in the region.

Nightwing

Nightwing

Nightwing is the intelligence services company that continually redefines the edge of the possible to keep advancing our national security interests.

Resmo

Resmo

Resmo is an all in one platform for SaaS app and access management for modern IT teams.

Inroad Technologies

Inroad Technologies

Inroad Technologies provide IT services that help keep your business computers, servers and networks secure and trouble-free.

Secure Cyber Management

Secure Cyber Management

Secure Cyber Management provides industry-leading cloud security advice, guidance and services.