Although cyber insurance policies are relatively new, small businesses are finding value in them, according to witnesses who testified before the House Small Business Committee on July 26.
“It affords me the knowledge that if we were hacked, protective steps have been taken to address any potential damages to the company and my employees,” said Robert Luft, president of SureFire Innovations.
Luft said that small businesses should “keep it simple” by adopting basic cybersecurity principles, such as the Small Business Administration’s Top Ten Cybersecurity Tips. However, when attackers are able to get past these basic preparations, cyber insurance can provide small businesses with the necessary resources they would not otherwise have.
Luft suggested that small businesses look for cyber-specific insurance providers that provide a year of retroactivity just in case there is something already lurking on their network. He added that a typical cyber liability insurance policy provides coverage for theft and fraud, forensic investigation, network business interruption, extortion, and data loss.
“It was my first assumption that cyber insurance should be like any other insurance,” said Luft. “What I quickly found was that was not the case.”
Eric Cernak, vice president and cyber risk practice leader at Munich Re U.S., said that a June report by broker Aon estimated that only 19 percent of small businesses in the United States had purchased cyber insurance, compared to 75 percent of large companies.
“The cybersecurity insurance marketplace is remarkably new, and many providers still lack the historical data to offer appropriate plans to consumers, which drives up the cost to policyholders,” said Rep. Steve Chabot, R-Ohio.
“A lack of adequate data underscores the complex nature of creating cyber liability policies for small firms,” agreed Rep. Nydia Velazquez, D-N.Y. “Also, the type of business, the risk management procedures, and the continually evolving threats make it difficult for the insurers and the small businesses.”
Witnesses responded that it was important to make small businesses understand the devastating impacts of a cyber breach, such as loss of reputation, customer data, money, and use of their network.
“Education is key to increasing the takeup rate of cyber insurance by small companies,” said Cernak. “The public and private sectors have a role to play in increasing the cyber insurance takeup rate, helping businesses overcome the ‘it won’t happen to me’ mentality, constructively addressing cyber vulnerabilities, and preparing for the aftermath of a cyber event.”
“Smaller businesses really need to understand what downtime would mean to their organization,” said Erica Davis, senior vice president and head of specialty products errors and omissions for Zurich Insurance, North America.
Luft added that small businesses need to take the initiative to attend events, such as those offered by the SBA, that provide education on cybersecurity dangers and potential solutions.
However, witnesses testified that the varying requirements for insurance established by Federal, state, and foreign governments make it difficult for insurance providers to know exactly what they must fulfill in their offerings.
“We specifically encourage Congress and the administration to coordinate cybersecurity policy among Federal agencies, and designate lead agencies to coordinate discussions where appropriate,” said Cernak. “It is critical that this coordination include state insurance regulators and that we all work together to avoid a conflicting patchwork of state, Federal, and international standards.”