Cybersecurity Insurance Protection for Small Businesses

Cybersecurity Insurance Protection for Small Businesses

Cyberthreats loom large, and businesses of all sizes are at risk.  Small and medium-sized businesses are the victims of 62% of cyberattacks, and while the costs of recovering are significant for large businesses, they can be devastating for small companies. Insuring against that risk is one solution. Cybersecurity liability insurance is a relatively new product, but given the statistics noted above, both the demand and the market are rapidly growing. Offering a new product in an evolving market presents challenges, but that should not necessarily dissuade businesses in need of a backstop from buying.

Cybersecurity liability insurance grew some 50% in 2016. It is estimated that it could grow from a $2.5 billion market to $20 billion by 2025. Some 60 companies are now offering stand-alone cyberinsurance policies.

In the early stages, the challenges of offering this insurance include the lack of data to assess risk, the absence of cybersecurity standards and best practices, and the evolving nature of the threat. Other difficult dynamics are the technological interconnectedness of businesses that may affect risk, the higher likelihood that a business that already has experienced a breach will seek coverage, and the potential perverse incentive that carrying insurance could have on maintaining strong defenses. (Policymakers hope that insurance companies will require businesses to adopt best practices so that cyberdefenses are more widely adopted, not less). These challenges require insurers to assess businesses on a case-by-case basis and offer individualized coverage rather than develop standardized policies that can be marketed more broadly.

PwC estimates that one-third of U.S. companies currently purchase some kind of cyberinsurance, but a survey by Endurance International Group reveals that only 5% of small businesses carry a cyberliability insurance policy. Smaller businesses may be less inclined to purchase insurance for a variety of reasons: perceived threat, low estimates of the costs associated with a breach, the price of insurance, and lack of information about coverage offered.

There are plenty of scary stories and statistics about cybercrimes perpetrated against small and medium-sized businesses and the financial costs of recovering. Those facts and figures should make insurance coverage attractive. The costs of a breach are many and could be covered by a cybersecurity liability policy, including:

  • forensics investigation
  • notification of customers
  • credit monitoring
  • legal fees
  • public relations
  • loss of income due to business disruption
  • regulatory penalties or fines
  • data loss recovery (including ransom)

As for insurance premiums, the customized nature of policies makes it difficult to generalize, although a recent article by Property Casualty 360o estimates that a company with $5 million in revenue can expect to pay a premium of $5,000 annually, and the premium for a company with $8 million in revenue would be about $7,000.

While this market is still going through some growing pains, it does offer some important protections for businesses that realize the prospect of a cyberattack is more likely a matter of when, not if.