Historically, buyers of cyber coverage have been large organizations in industries like health care, finance and retail. Makes sense, right? They store a lot of valuable personal and financial data, and a breach of that data could be detrimental to a business when they'd need to spend millions in response. But in 2019, small to midsize businesses (SMBs) across various industries are increasingly starting to look over their shoulders at cyber coverage, watching it curiously and wondering: "Could that be for me?" The answer is: Yes. Yes it could.
Picture this: An employee at an SMB receives an email from the owner or CEO asking the worker to urgently perform a task. It requires they share sensitive information over email, like passwords or bank information, or requests an electronic file transfer, ASAP. In a rush to get things done, and with a lack of awareness of how to spot threats, that employee can inadvertently expose that business to a cyberattack, costing that business losses that a traditional property policy doesn't cover.
Thanks in part to the uptick in business email compromise, ransomware and malware threats in the last year — and the widespread media coverage of costly events like WannaCry and NotPetya — cyber clients are growing. They recognize the need for coverage to help in the event of an attack and also for resources to help prevent attacks before they happen.
Although the market is competitive and buy-in for cyber policies is increasing, insurers note that not enough clients are adopting the coverage, especially when no organization is safe from a cyber event. Meghan Hannes, U.S. cyber product head at specialty insurer Hiscox, says the company's 2019 Hiscox Cyber Readiness Report found that 53% of U.S. businesses reported a cyberattack in the previous 12 months (up from 38% the previous year), with 45% of those companies experiencing three or more attacks in the past year.
"Despite these alarming trends, 27% of firms have no plans to adopt cyber insurance," Hannes explains. That statistic is especially concerning, considering the high price that comes with a cyberattack. According to McAfee's 2018 Economic Impact of Cybercrime Report, the global cost of cybercrimes is estimated to be between $445 billion and $600 billion.
Yet, as Eric Cernak, president of cyber at The Hanover, notes: "Less than 20% of all businesses are buying cyber," according to a 2018 report from Keefe Bruyette & Woods Inc.
"Year-over-year, there are more buyers than there used to be, which is a trend in the right direction," says Tim Francis, enterprise cyber lead at Travelers. "But there is still an awful lot of the market that does not buy cyber for one reason or another."
One reason really tends to be a lack of awareness and education, and another is that ever-slippery yet dangerously pervasive "It won't happen to me" mentality. According to Francis, a mistake many businesses continue to make is "thinking about the coverage more in terms of a data breach component as opposed to a vehicle that deals with extortion and business interruption type of events that don't always have to do with data compromise."
The rise of ransomware
While costly and dangerous, data breaches aren't the biggest cyber threat on insurers' radars in 2019. The first half of this year alone has seen an uptick in the frequency and severity of attacks that have always existed in the space in some sense but are now gaining traction among cyber criminals for being unsophisticated and easy to deploy.
Francis notes Travelers is finding increases across all industry segments in ransomware, the sophistication of malware, and business email compromise claims, as well as the expense associated with those claims. Hannes says that in the last year, Hiscox has "observed a heightening frequency and severity of risk due to ransomware attacks." The attacks have resulted in business interruption events for unprepared organizations that "have difficulty in efficiently returning to normal business operations."
Insurers are responding to the need for coverage accordingly. Francis notes there has been "a trend of increasing the limits and increasing the coverage around things like social engineering compromise, business interruption and systems failure, contingent business interruption, and additional coverages such as bricking." Cernak adds, "Business interruption, contingent business interruption, and reputational harm are all coverages that are becoming increasingly visible and important."
Ransomware and malware aren't necessarily new exposures, but "how they are implemented in targeted attacks and the pervasive damage they can cause within a computer system continues to be a top risk," says Jason Glasgow, vice president, U.S. cyber lead, Allied World. "Prior to about two years ago, malware was sent blindly in an effort to ensnare as many unsuspecting companies who stumbled into the trap as possible. Now ransomware is targeted and deployed with other types of attacks to both extort companies for payment and damage data and systems," he notes. "The evolution of attack methodologies has been alarming. The extent of damage that a ransomware infection can cause within a single company is certainly near the top of the list of what risks carriers are watching closely."
Fraudulent transfer of funds through business email compromises and social engineering tactics are a substantial area of exposure, according to Josh Ladeau, global head of tech E&O and cyber at Aspen. The awareness of the wide-scale, dramatic impacts that attacks like NotPetya raised has influenced criminal enterprises to "seek greater financial reward through larger ransom demands," he explains.
"The market has really shifted to making sure that we're covering a lot of these exposures that were always there but are more prominent now because of the ease-of-use to deploy ransomware as a service or a phishing scam that could be quite lucrative for the criminal," says Bob Wice, cyber & U.S. focus group leader, Beazley.
Chipping away at growth
The growth opportunity for insurers is with SMBs across all industries, says Glasgow. "Many of these businesses purchase a cyber policy due to a contractual requirement to do so, but all of them could benefit from the risk management services, expertise and financial backing a strong cyber carrier can provide."
An industry segment where there has been a notable uptick in cyber insurance adoption has been manufacturers and wholesalers, according to Wice. The increase in ransomware and malware attacks has left supply chains extra vulnerable to business interruption and contingent business interruption.
"A contractor or a manufacturer may be a target because the entities with whom they conduct business are the ultimate targets," says Cernak. "They may have systems access or other pertinent information that criminals will look to exploit in their quest to access their ultimate target."
For example, if companies a manufacturer relies on "from a hosted environment, credit card processing or E&S servicing standpoint" were to be compromised, those companies are exposed to a business interruption loss that isn't covered by a traditional property policy, Wice explains.
"That really lured a lot of manufacturers and wholesalers — companies that really did not have much data other than their own employee data at stake," he continues. "They're looking to buy because of business interruption and cyber extortion issues. Once that started to become standard offering by the insurance market, a lot more buyers came in."
"Manufacturers, distributors, and contractors increasingly rely upon computer systems to run their operations," explains Cernak. "Any type of system outage — including ransomware attacks — could result in a meaningful loss of business income."
According to the Council of Better Business Bureaus' 2017 State of Cybersecurity Among Small Business in America report, 65% of businesses would be unprofitable in less than one fiscal quarter if they apparently lost access to essential data.
"We are paying considerable attention to supply-chain-related threats," says Hannes. According to the Hiscox report, 56% of firms experienced cyber-related issues in their supply chain in the past year alone, and only 7% are increasing evaluation of their supply chain threats as a result of a cybersecurity incident. "Businesses are only as secure as their supply chain and a third-party cyber incident can yield considerable financial challenges."
But other businesses are slow to realize the potential for an attack, whether individual or contingent, oftentimes making the mistake of not recognizing the value of a cyber policy and expecting other general policies to cover them in an event.
"Some clients believe they are protected from cyber exposures such as false pretense or business email compromises based on contracts with suppliers," says Cernak. This can offer a false sense of security, as many contracts don't provide adequate protection.
"[These] businesses continue to rely upon other lines of business such as property, D&O and professional liability to respond (or partially respond) in the wake of a cyber event and, therefore, do not feel the additional affirmative protection afforded by a cyber policy is necessary," Cernak explains.
"Cyber risks pose a real threat to businesses of all types and insurers continue to respond with coverages that help protect against these risks," Cernak says.
Think again
We can all agree on one thing: No business is immune to cyber threats, no matter the industry or size. As Cernak notes, as long as an organization uses a computer in any part of its business processes, they are at risk of some kind of cyber event. "The businesses that think they are free of risk are the ones most likely to be exposed," Glasgow adds.
Risk management and prevention are key to mitigating cyber risk, and many insurers are providing resources and programs to help clients educate and train employees to recognize an attack before it happens. But organizations need to be diligent on their end and recognize that cybersecurity needs to be taken seriously across the board.
"There still seems to be a lack of institutional buy-in around cybersecurity at many organizations," Ladeau notes. "This can be characterized by things like a [chief information security officer] being buried in an organization chart, with no direct exposure to the board or top executive leadership and a budget that's indistinct from IT.
"As an underwriter, the top organizations that I've seen view cybersecurity through the lens of competitive advantage; there is consistent investment and active participation at all levels of management," Ladeau says.
"Generally speaking, those companies that are not patching their systems as frequently as they can be are more vulnerable," Francis explains. "Additionally, those that are not doing employee training around how to identify and reduce the chance of opening up an email that might have malware associated with it increase their vulnerability."
"Companies of all sizes and in all industries need to work with their broker to understand the exposures they face and how they can best be prepared," Glasgow says.
Let's get this
How companies prepare for the cyber risks they face makes all the difference, Glasgow adds. "Understanding threats and training employees and having senior executive-level incident response plans that are frequently tested can help prevent many cyber events as well as greatly mitigate the damage they can cause."
Cyber risks have numerous stakeholders, so myriad organizations have been coming together to provide agents and clients with the proper resources to help mitigate risks. "Insurers are partnering with various InsurTech-related companies to better help assess, prevent, mitigate and manage cyber-related threats and exposures," Cernak says. "Agents can leverage carriers' InsurTech relationships to educate their clients and assist them in developing plans to assess, prevent and respond to cyberattacks."