Cyber Insurance 101: Spotting Good vs. Bad Policies

Many small businesses suffer from the misconception that they are less likely to be targeted by cyberattacks than larger companies. In reality, cybercriminals are increasingly taking aim at small to medium-sized businesses (SMBs), making a robust cyber insurance policy essential rather than optional. However, not all cyber insurance policies are created equal, with some falling short when businesses need them most. In a recent webinar, cybersecurity experts from TechMD and FifthWall Solutions shared how SMBs can distinguish between good and bad cyber insurance policies and how a strong cybersecurity posture can lower insurance premiums.  

The rise of cybercrime and its impact on small businesses

The rising impact and frequency of cybercrime on SMBs is alarming:  

  • 73% of small businesses were targeted by a cyberattack in 2023.
  • In 2023, cyberattacks increased 132%.
  • 82% of ransomware attacks targeted companies with fewer than 1,000 employees. 
  • SMBs experience 350% more social engineering attacks than larger enterprises.

On average, ransomware attacks result in 15-20 days of downtime, with ransom payments exceeding half a million dollars—costs that can cripple small businesses with limited resources. As a result, more than 50% of businesses in the U.S. have now adopted cyber insurance to mitigate these risks.

What is cyber insurance?

When a breach occurs, cyber insurance covers the range of expenses that arise. These include identifying and solving the breach, recovering data, customer notifications, PR costs, possible credit monitoring expenses, legal expenses, potential fines from compliance regulators, extortion costs from ransomware, and general business interruption.

How to identify good vs. bad cyber insurance policies

There are a wide variety of cyber insurance policies available. Some provide comprehensive coverage with the right protections, while others leave your business vulnerable when it matters most. Understanding the difference between good and bad coverage is key to ensuring your business is fully protected. 

3 signs of a bad cyber insurance policy

  1. Sublimits. These limit coverage on key claims, such as ransomware or data recovery. You may have a $1 million policy, but ransomware coverage could be capped at $250,000, leaving you responsible for the remainder. 
  2. Exclusions. Some policies may exclude coverage for ransomware payments, business interruption, or data restoration. Policies may also exclude cybercrime incidents, such as wire fraud and phishing, which often have significant financial consequences.
  3. Hidden costs. Look out for co-insurance clauses that reduce your payout. For example, a $1 million business interruption policy with 25% co-insurance means you must cover $250,000 of the loss before insurance kicks in. 

6 things to look for in a good cyber insurance policy

A good cyber insurance policy provides comprehensive coverage without hidden costs, sublimits, or damaging exclusions. Here’s what to look for in a robust policy: 

  1. Full coverage across three key areas:
    • First-party coverage. Protects your own business from direct losses like ransom payments, business income loss, and recovery costs.
    • Third-party coverage. Covers damages to third parties affected by a data breach, including notification costs, call centers, and potential fines or penalties.
    • Cybercrime coverage. Essential protection against wire fraud, phishing attacks, and other types of cybercrime, ensuring you’re fully indemnified.
  2. No sublimits. A strong policy ensures the same coverage limit applies across all types of incidents. For instance, if you have a $1 million policy, it should provide up to $1 million for all covered events, including ransomware, business interruption, and data recovery. Sublimits may reduce the amount available for high-cost incidents, so it’s important to minimize or eliminate them.
  3. Dependent network interruption coverage. This coverage protects you if a third-party vendor experiences a breach that affects your business operations. For example, if a tire distributor lost income because their supplier experienced a cyberattack and couldn’t deliver their products, good insurance will cover that loss. A recent real-life scenario in which dependent network interruption coverage was essential was a third-party outage affecting car dealerships.
  4. Customized coverage based on business needs. A good policy isn’t a one-size-fits-all solution. It should match your specific risk exposure based on the size, revenue, and industry of your business. For example, if your business is highly dependent on third-party services, ensure your policy covers those risks adequately, including network dependencies.
  5. Transparent cost structure. Look for policies with clear terms around deductibles, co-insurance, and payout limits. Avoid hidden costs like high deductibles or excessive co-insurance percentages that might leave you covering a large portion of a loss on your own.
  6. Incident response and legal support. A good policy will provide access to incident response teams and legal counsel, helping you manage a cyber event quickly and effectively. This reduces the impact of an attack and ensures you comply with regulations related to breach notifications.

How a strong cybersecurity posture lowers insurance premiums

By leveraging the support of a Managed Services Provider (MSP), such as TechMD, you can not only improve your cybersecurity posture but also become more insurable. Here’s how an MSP can help accomplish this:

  • Proactive cybersecurity controls. TechMD provides services like multi-factor authentication (MFA), managed detection and response (MDR), and offline backups that are essential for lowering premiums and deductibles.
  • Security training. Employee training is vital to preventing cyber incidents. TechMD offers phishing simulations and other training programs to create a human firewall within your organization.
  • Custom-tailored coverage. By working with MSPs like TechMD, businesses can implement security measures that align with insurance requirements, reducing costs while improving protection.

Case study: How a hospital saved over $80,000 on their cyber insurance premium in one year.

A hospital with poor security controls—no MFA, no employee training, and no incident response plan—was seeking cyber insurance, but could not afford the high premium. After working with an MSP to implement better security measures, including MFA, their insurance premium dropped from $141,000 to $54,000. Additionally, their deductible was cut in half, and they secured full ransomware coverage up to $5 million. 

Why cyber insurance is a must-have for businesses

As cyberattacks increase in sophistication, it’s imperative to protect your business with both a comprehensive cyber insurance policy and robust cybersecurity measures. TechMD’s managed IT and cybersecurity services provide the protection you need, while partners like FifthWall Solutions ensure you have the right insurance coverage in place. 

Don’t wait until it’s too late—make sure your cyber insurance and cybersecurity posture are working together to protect your business from the growing threat of cybercrime. 
