Covering Small Business Cyber Exposure

Considering the potentially devastating effect of a cyber attack on a small business in Canada, it’s surprising to see a recent study showing that more than a third of Canadian firms do not report carrying cyber insurance coverage.

“For me, when I look at a commercial client that’s not carrying cyber insurance, that’s kind of like walking out of the house with no clothes on or driving without auto insurance,” says insurance broker Philomena Comerford of Baird MacGregor. “You can’t not have it.”

A 2018 study by Scalar Security shows smaller businesses in Canada that suffered a breach last year were down for an average of 59 cumulative hours, with an average lost revenue of about $1.1 million during that period. It costs a smaller business in Canada more than $12,000 per employee to recover from a data breach, the survey found.

Scalar’s stats could be on the high side, since the survey defines a “smaller” business as between 15 and 249 full-time employees. Some of these businesses would count as medium-sized enterprises according to Industry Canada, which defines “small business” as 100 or fewer paid employees. Using Industry Canada’s definition, 98% of Canadian businesses are small.

Does the nature of cyber risk change if the business is small?

Miki Ho, cyber risk underwriter for Beazley Canada, notes that hackers’ strategies are changing in a way that makes small businesses more interested in buying protection for ransomware attacks.

“What has caught the attention of small business is the cyber extortion element of the policy,” Ho said. “For small businesses, that’s the area of claims that we’ve really seen on the rise.”

For small and large businesses, hackers typically shut down the computer system and demand a certain amount of bitcoin to unlock the system.

“In the past, what we saw is the hackers would demand the equivalent of $100,000 to $1 million in bitcoin,” says Ho. “Now what they are doing is going for those quick wins. So, they will look at a small business and say, ‘If they are able to pay the equivalent of $500, they are likely to pay that, and they are likely not to notify the authorities. We can probably go back after them more than one time if they are paying that.’”

Small businesses generally have limited IT budgets. Depending on their size, they may not have established relationships with law firms, large technology companies, public relations firms or other organizations that can help them navigate through a cyber breach.

Consequently, instead of selling the small business owner on the transfer of risk to an insurance policy, a broker may instead choose to play up the third-party services available as part of the coverage. “Small business owners are more focused on a solution to a breach than necessarily transferring the risk,” says Ho.

Through the insurer of a cyber policy, a small business owner will have immediate access to an experienced breach response team. A breach coach will be deployed, coordinating a response with lawyers, IT forensic experts and public relations representatives on the team.

“They will know how to deal with the attacker on the other end of a ransomware incident and whether to pay them the bitcoin or tell them to get lost and shut them out,” says Comerford. “That is really valuable. A breach would be a terrifying experience for a small business owner who must use a computer [for work], but whose business is really something other than IT.”

How to start the conversation? Small business owners don’t have a lot of time to shoot the breeze in sales meetings. To define the value of the policy early, Ho recommends that brokers open the conversation by asking clients how they would respond to a ransomware attack on their business.

A small business owner may respond with skepticism. Being small, the organizations don’t have huge budgets to throw around; some small business owners may be paying for expenses out of their own pockets. Understandably, they may look for ways to reduce their insurance budgets where they can.

“A lot of brokers are afraid to have conversations that start pushing the clients’ insurance budgets higher, because they are afraid somebody else is going to come in and say, ‘Hey, I will do it for half that,’” says Comerford.

But where cyber coverage is concerned, brokers should resist succumbing to the pressure of premium pricing wars, Comerford advises. She encourages brokers to treat a cyber policy discussion with a client in the same way they would an Insurance to Value (IoT) discussion.

For example, a broker is obligated to make sure a homeowner’s property and contents are fully covered. If brokers are in any doubt about whether a home is insured to its proper value, they would call in an appraiser to determine the real value of a home. Similarly, if the coverage limits on a liability policy don’t seem right for the assets of the organization, a broker should recommend to a small business owner that an IT team be called in to assess the cyber risk.

From the September 2018 issue of Canadian Underwriter. Subscribe here.