• Kevin Thomas

Cyber Insurance - The Evolving Risk for SMBs

Updated: Jun 5

The following content is republished from Cysurance, the leader in protecting and recovering businesses from the cybersecurity threats facing every day.


The Evolving Risk Landscape for Small and Medium-Sized Businesses In the days of old, a small or medium-sized business’s potential risk landscape was relatively well-understood. From natural catastrophes to slip-and-falls to injured employees, the risks were well documented and well analyzed, best practices for reducing or preventing loss were established, and appropriate insurance coverages were widely available. When losses did occur they were relatively easy to verify and quantify, reducing downtime.

Those days are long gone. In our modern, connected world, the proliferation of online commerce, the Internet of Things, cloud computing and automation has opened new doors for sales, distribution, operations and customer service. But they have also opened new doors for hackers and created new opportunities for employee error. Technology has become a gift and a curse, and the exposures it creates require not only modern security software, but tailored, comprehensive cyber insurance as well.


From 2016 through 2018, cyber incidents increased by 81 percent according to the Chubb Cyber Index. And if you’re thinking that number is driven by losses at large, Fortune 500 companies, think again. In the same period, companies with less than $10M in revenue have seen cyber incidents increase by 254 percent.

But why are more than half of all cyberattacks – 62 percent in 2016[1] – directed at small and medium-sized businesses (SMBs)? After all their market share, data, and revenue are dwarfed by large corporations. But so are their IT budgets and cybersecurity programs, meaning most cannot make the significant investment needed to secure comprehensive protection against cyber risks. As a result, SMBs often run outdated or unpatched software, lack proper password hygiene, transmit unencrypted data, or fail to properly secure endpoint devices – making them ideal targets for attackers.

And while a single such company may not provide a big payday, the SMB industry in aggregate offers a substantial cumulative payout without the front-page headlines of an attack on a major global corporate. With the financial damages of cyber crime projected to reach $6 trillion annually by 2021 – more than double the same figure from 2015[2] - small and medium-sized business owners cannot afford to assume they are not a target. As we say in the industry, it’s not a matter of if you will be attacked, but when.

Case in point: a U.S. government IT contractor who works with over 20 federal agencies recently announced one of its internal servers had been breached and that hackers claimed to have sold the company’s data on the dark web. Despite appropriate industry certifications, a management team averaging over 25 years of experience, and internal policies educating employees about malicious emails, the company’s president suspects the attacker gained access via a phishing email – one of the oldest, and most effective, cyberattacks in which the hacker disguises him/herself as a trusted entity and fraudulently obtains sensitive information.

As a result, the company had to shut off the affected server for five days, run scans of its network, and hire a cybersecurity forensics firm, costing it between $500 thousand and $1 million in total. It’s also had to reexamine its security and employee training policies. The company’s president called the event a “learning experience” and said “it could happen to anyone. We keep hearing about these hacks all the time…this is not going to go away…We want to see that this doesn’t happen to any other small business…”

While not the case here, those types of losses have the potential to put an SMB out of business. Even if the business is able to resume operations, the intangible impact to brand reputation and customer loyalty can have far-reaching consequences that can impact revenue long after the breach has been discovered and patched.

What is interesting about this attack is that the same account that sold the stolen data has been active since January 2011 and has claimed other victims such as hotels in Dubai and a healthcare organization in Louisiana. This demonstrates the broad-brush, “low-hanging fruit” philosophy of many hackers and is the reason even SMBs with proven track records and basic cybersecurity procedures must always assume they are being targeted and continually update software, training procedures, and risk transfer solutions.

In addition, the investigation of the attack – which employed Emotet, a form of malware usually deployed via phishing scams which then installs other malicious software on a network – indicated that at least eight of the company’s internal systems were compromised on three separate occasions between November 2018 and July 2019. Unlike, say, a hurricane, the SMB had no warning of the attack nor any knowledge of its impact for nearly a year, creating the potential for a much larger and more complex loss.

Another way cyber threats differ from other exposures faced by small and medium-sized businesses is that the SMB doesn’t even have to be the target of the attack to be affected. In early 2018, the city of Allentown, PA suffered a malware attack that cost it nearly $1 million. Despite “extensive” antivirus and firewall systems, the city’s financial operations were impacted, and its finance department was unable to make any external banking transactions until the breach was fixed.

Hackers are also growing more detail-oriented in their efforts to convince targets of the validity of phishing scams and other cyberattacks. When the owner of a hotel development company had his email hacked, the perpetrator gained access to a long history of correspondence with the firm’s bookkeeper and all the details needed to commit wire fraud, costing the business over $1 million. According to the owner, the attacker mimicked his style and language to give the accountant a false sense of security. And because his online calendar was also compromised, the wire requests always came when he was in meetings. As a result, the attacker was able to respond to questions, complete the transfer and delete all record of the communications before the owner could check his email. This continued for several weeks before being discovered by the business.

This illustrates a very important point many SMBs don’t realize – under the Uniform Commercial Code, banks are not liable for losses to a business account in the same way they are for losses to a personal account, even if the businessowner is a single person. As long as the bank uses “commercially reasonable safeguards” to protects its business account owners’ data, they do not have to repay stolen funds. In this case, there were multiple warning signs that should have alerted the bank to fraud – including the size, frequency and destination (China) of the fraudulent transfers – but the bank declined to reimburse the businessowner.

This also demonstrates the importance of enabling Dual Authorization for ACH transactions and wire transfers. With this security feature, a single user cannot initiate and authorize a funds transfer. In the above example, the bookkeeper’s request for funds could not have been authorized and completed without the owner signing off in a separate, secure platform. While it is always recommended that a requested transaction be confirmed by a direct phone call between the parties, this added layer of security can help prevent fraudulent payments.

These are just a few examples of the risks SMBs face without trusted financial and insurance partners. When combined with potential customer lawsuits, the cost of complying with different jurisdictions and regulations in every state, reputational damage, and the impact to employees, it is easy to see how 60 percent of SMB’s suffering a cyber breach go out of business within 6 months[3].

Cysurance can assist your small or medium sized-business by recommending insurance coverages that may help protect your own, your customers’ and your vendors’ networks and data. The policy, which in most cases does not require an individual application or underwriting, offers broad terms and conditions that may help you recover from a cyber incident more quickly and completely, such as payments to third-party experts to fix the problem, no deductible for remediation services and an included cybercrime endorsement. Further, Cysurance’s proprietary network sensor monitors your network for breaches in real-time, and if an attack occurs its blockchain-powered smart contract provides automated, irrevocable breach verification to enable full transparency, and also automatically triggers the breach response team.

In today’s connected world, SMBs face a cyberattack every 14 seconds[4]. Don’t become a statistic – contact Cysurance CEO and Co-Founder Kirsten Bay to understand what types of first and third-party cyber insurance coverages are right for your small or medium-sized business.


Kirsten Bay Chief Executive Officer Cysurance Tel: 917-503-8031 kbay@cysurance.com

Insurance offered by Cysurance, LLC. NY License #1578397. Chubb is the marketing name used to refer to subsidiaries of Chubb Limited providing insurance and related services. For a list of these subsidiaries, please visit www.chubb.com. Insurance provided by ACE American Insurance Company and its U.S. based Chubb underwriting company affiliates. All products may not be available in all states. This communication contains product summaries only. Coverage is subject to the language of the policies as actually issued. Nothing in this communication should be construed as involving the sale, solicitation or negotiation of insurance, the provision or offer of insurance services, or the provision or offer of legal advice or services.

[1] https://smallbiztrends.com/2016/06/cyber-security-strategies.html [2] Chubb Cyber Security Business Report, January 23, 2018 [3] https://smallbiztrends.com/2017/01/cyber-security-statistics-small-business.html [4] https://www.varonis.com/blog/cybersecurity-statistics/