Imagine one of your administrative employees checks their email and sees a supposed communication from one of your vendors. They think a legitimate invoice is attached, so they download the PDF attachment and open it up. Unbeknownst to them, opening the document activates some code that allows a cyberattacker to gain access to your systems through a software vulnerability.
A week passes. One day, all your computers display a red screen demanding a ransom, your data is encrypted and inaccessible, and your customer data has been exfiltrated to the servers of a cyberattacker. Depending on your data backup and disaster recovery measures, recovering from this incident may take weeks or months. You’re also unable to do business for many days, you must tell your customers about the data breach, and your reputation may be permanently damaged.
For many businesses, the news is much worse:
- After a cyberattack, 60% of SMBs go out of business within 6 months. (Source)
- “28% of all SMBs in the U.S. were forced out of business because of a cyberattack in 2021.” (Source)
- 83% of SMBs do not have cyber insurance. (Source)
So, without cyber insurance, and without following cyber insurance requirements, it’s likely that your employee’s click of the mouse could lead to you going out of business.
Cyber Insurance Problems Facing Small and Medium Businesses
With the cybersecurity landscape rapidly evolving, increased premiums, stricter requirements, and vulnerabilities from employee behavior are increasing the risk of businesses losing cyber insurance—or not being able to get it at all.
1. Cyber insurance is growing too expensive for many businesses.
From 2019 to 2021, premiums doubled on average. In 2023, the number of organizations unable to acquire or retain affordable cyber insurance is projected to double. Insurers are also decreasing coverage limits and increasing deductibles.
These premium jumps are due to the increased number and severity of cyberattacks. Cyberattacks are now mostly driven by nation state actors (mostly cybercrime gangs sanctioned directly or indirectly by nation states such as China, Russia, North Korea, and Iran) that conduct much more sophisticated attacks than we saw even just a few years ago.
That’s partly why cyberattacks on small and medium businesses increased by 424% in 2021, with 43% of all breaches targeting them. Nation state-sanctioned cybercrime gangs are methodical, thorough, and impersonal—scanning systems around the world and looking for vulnerabilities in businesses.
But why go after small and medium businesses? Why not just go after larger targets? Sadly, smaller businesses tend to be less protected than larger businesses. Valuable information such as user credentials, bank account data, medical records, customer PII, and intellectual property is more easily up for grabs.
In addition to recognizing the sharp increase in the number of cyberattacks, insurers have also increased premiums because of an average cyberattack’s cost. Unprepared environments can suffer enormous costs in time and money to recover—and many businesses don’t recover at all.
2. Cyber insurance requirements are growing lengthier, more rigorous, and more comprehensive.
Questionnaires are growing in length and include additional areas of cybersecurity previously overlooked. Hurt by paying out expensive claims, insurance carriers are trying to avoid underwriting businesses that are too high risk. Many insurers are refusing to serve businesses, some are raising premiums to a very high level, and most are tying lower premiums (or any premium at all) to a business implementing a growing number of cybersecurity best practices.
This is part of the reason why so many small and medium businesses do not have cyber insurance. In addition to the premium expense, businesses often don’t have the budget, resources, and know-how to keep up with all these additional cybersecurity requirements.
As requirements rapidly evolve, insurers are increasingly demanding not only technology-based cybersecurity solutions but also policies and tools to address areas of user behavior—such as threats from clicking on phishing emails, giving away usernames and passwords, and allowing unauthorized access to sensitive and confidential data.
Additional areas growing in importance for insurance carriers include:
- Conducting regular security awareness training
- Strengthening your email security against spam, phishing, and other inbox threats
- Addressing data access and permission vulnerabilities
- Using advanced cyber threat detection tools to prevent attacks
- Filtering out dangerous website content before employees can click on it
Remember, despite technology protections in place, people can still click on a phishing email, download unauthorized software, or accidentally share usernames and passwords with a malicious actor.
VC3’s Protect Shield augments existing cybersecurity measures for businesses to decrease many of these employee risks as much as possible, which improves your cyber insurability, lowers your premiums, and strengthens your overall cybersecurity.
Reach out to us today to explore how Protect Shield can help you remain cyber insurable and lower your premiums.