How is it that 76% of small-to-medium businesses (SMBs) in the U.S. experienced a cyberattack in 2019, and yet only 31% had Cyber insurance a year later? With the sharp increase in ransomware and online attacks aimed at employees working from home, it remains a mystery why most SMBs still lack Cyber insurance protection.

What is not a mystery is this: 70% of ransomware attacks targeted small businesses in recent years, and the overall number of such attacks grew by more than 100% over last year.¹ Or that only 17% of SMBs established or reiterated their IT security protocols with employees after the pandemic forced many to work from home.

The 2020 CyberScout survey offers more insights into the gap between a business’s cyber exposures and its security and insurance practices.² Here are a few interesting findings:

• Cyber Attack Frequency - 16% of SMBs reported suffering a loss after falling victim to a cyberattack. Given the much higher share of SMBs that reported attacks, it seems that a significant number escaped or have not yet discovered any consequences. With the FBI reporting a 400% increase in attacks post-COVID, we expect the victim population to rise.³
• Top Security Concerns - When asked to identify their cyber worries, SMBs cited:
  • 38% Data Breach
  • 17% Malware
  • 10% Ransomware

While data breaches involving customer information should be top of mind for a business, the ransomware threat is underestimated given recent experience. A NetDiligence study reported that ransomware was the leading cause (26%) of all SMB cyber claims in 2015-2019.⁴ In another finding of high concern, 40% of SMBs admitted that if they were to fall victim, they would not know who to contact for help.

• Lack of Insurance - The share of businesses buying cyber protection has grown over the past decade. In fact, a Zurich Insurance and Advisen Ltd. study reported that companies (all sizes) purchasing coverage grew from 34% in 2011 to nearly 80% in 2020. However, in the small business marketplace the picture is different: 69% of SMBs did not have a Cyber policy at the time of the CyberScout survey.

Businesses with Cyber insurance are protected when data breaches, malware, and ransomware hit their systems and cause losses. Cyber insurance also provides businesses with access to experts when they need it most, so why don’t more SMBs purchase a Cyber policy?

The disconnect can be attributed to lack of knowledge and cost, for the most part. The good news is that the top concerns of SMBs, and all size companies for that matter, are aligned with the typical coverage grants in Cyber insurance policies. Also, businesses and agents/brokers know much more about cyber risks today, and more affordable coverage options are available in the market, particularly for small businesses buying Cyber endorsements for their BOP or General Liability policies.

These recent studies from CyberScout and other organizations can go a long way to helping insurers close the education gap between exposure and protection - and offer meaningful coverage. As always, please reach out with any questions or to share your thoughts on the information presented here.

Endnotes

1. https://www.beazley.com/news/2019/beazley_breach_briefing_2019.html and later Beazley reports at www.beazley.com
2. CyberScout, 2020 SMB Cybersecurity Survey: Small Business, Huge Risks, https://go.cyberscout.com/rs/746-PTV-801/images/CS-2020-SMB-Cybersecurity-Survey.pdf
3. https://thehill.com/policy/cybersecurity/493198-fbi-sees-spike-in-cyber-crime-reports-during-coronavirus-pandemic
4. NetDiligence preview of 2020 Cyber Claims study (webinar); see also https://netdiligence.com/wp-content/uploads/2020/02/NetD_2020Spot_Ransomware.pdf
5. https://www.zurichna.com/knowledge/articles/2020/10/tenth-annual-advisen-information-security-and-cyber-risk-management-survey