Cyberattacks: The Threat Small Businesses Cannot Ignore

In the last eight years, cybercrime has grown exponentially year after year.  From WannaCry to Petya and phishing to password attacks, individuals and corporations alike are no longer safe. According to Aon Solutions and Ponemon's 2017 North America CyberRisk Transfer Comparison Report, 56% of respondents reported a material or significantly disruptive event or data breach one or more times during the past 24 months with 89% citing it as one of the top ten business risks. Conversely, according to the Better Business Bureau's report, The State of Cybersecurity Among Small Business in North America (2017), only 20% of small business respondents identified cyber threats as a top business challenge with 70% believing it to be unlikely that their business would suffer a cyberattack.

Though the publicity surrounding cybercrime tends to focus upon the impact of cyber threats on large companies (such as Equifax, Deloitte, HBO, and Anthem, among others), small companies should know that they are not immune. In fact, the Better Business Bureau's report indicates that 43% of cyberattacks target small businesses. Small businesses cannot underestimate their exposure to risk as it increases their vulnerability should an incident or breach occur. As a matter of risk mitigation, small businesses should consider taking the following three steps:

First, develop a cyber policy which should include a cyberattack response plan. According to Nationwide's 2016 Small Business Indicator Survey, 78% of small businesses did not have a cyberattack response plan. The cyber policy should be comprehensive, setting forth the types, access, usage, and classification of data as well as include procedures for remote access, the usage of social media and the protocols in the event of an incident or data breach. Ideally, this is not a standalone document, but a component of the company's Business Continuity Plan (BCP). Once implemented, the policy and procedures should be disseminated, communicated, at a minimum in the Employee Handbook, and integrated into the onboarding process for all new employees.

Second, train employees on the company's cyber security policies and industry best practices for containment. All employees should be trained annually, and if necessary, semi-annually, on the company's IT protocols and procedures, ranging from email usage to password protection, data storage and social media usage. Training should be comprehensive, consistent, and non-optional.

Third, invest in cybersecurity insurance. Approximately 75% of small businesses do not have cybersecurity insurance due to a range of reasons although cost is usually the number one factor. Unlike general commercial liability insurance, cybersecurity insurance covers two types of risk: first party and/or third party. First party coverage addresses direct costs associated with business interruption, cyber extortion, and the loss, theft, or damage of digital assets. For example, it covers costs such as notifying customers or clients in the event data is compromised. In the U.S., data breach notification laws are not standardized and vary by state.  So, too, are the penalties imposed for failing to comply with state mandated notification provisions. Undoubtedly, with the recent Equifax breach, there will be a move to impose a national, uniform data breach notification law as Europe has done with its General Data Protection Rule (GDPR) which is scheduled to go into effect in May 2018.  Alternatively, third party cyber risk insurance typically covers a company's liability to third party claims and investigation and defense costs in connection with those claims.

Cyber liability insurance is unlike other forms of commercial insurance in that it should be customized, based upon the business. Prior to acquiring cyber risk insurance, companies should develop a cyber risk profile by conducting an inventory of their data and digital assets: its composition, how it is stored and how it is protected. By doing so, it enables firms to discern vulnerabilities that will drive the customization of the policy.

Equally important is having a firm grip on the projected costs of incident response. According to Ponemon and IBM's 2017 Cost of a Data Breach Study, the average time to contain a breach in 2016 was 70 days. Whether the actual time is less or more, as a small business, the ability to quantify the costs of downtime is critical.  Understanding the potential financial loss and exposure allows the company and the broker to structure the best policy given a particular businesses operating parameters. Regardless of how the policy is structured, companies should ensure, and preferably demand, that a retroactivity clause is included. According to FireEye's 2017 M-Trends Report, the dwell time or median number of days before a breach was detected by a target company in 2016 was 99 days. Granted, this is an improvement from 2015 when the dwell time was 146 days. However, the bottom line is, from a risk management perspective, as a best practice, companies should protect themselves during the period of undiscovery by including a retroactivity clause.

Finally, all insurance brokers are not equal. Cyber liability is highly specialized and in selecting a broker, companies should work with brokers with an expertise in this sector. Like all insurance, it is better to have it and not need it, than to need it and not have it.

Cybersecurity is more than an IT issue. It is a risk management issue in today's digital world and how firms choose to manage and control this risk can have a demonstrable impact on their business. Cyber risk cannot be eliminated. It can however be mitigated by adopting this set of best practices to neutralize cyber vulnerability for businesses big and small.