This article was paid for by a contributing third party.

Spotlight: Cyber - SME cyber – Size does not matter in cyber attacks

The pandemic accelerated SMEs’ reliance on technology, making it easier and more profitable for criminals to target them. On an individual basis, a cyber event can be just as devastating for an SME as for a large corporate.

However, despite more SMEs now wanting cover, it is becoming increasingly difficult to get, even for bigger companies. Chris Cotterell, divisional director of Howden’s cyber team, says this is the hardest market he’s ever seen. He warns the industry must be careful it doesn’t chase too many companies away through the cost becoming untenable.

Jonty Mongan, head of cyber risk management at Gallagher, adds there’s a capacity shortage because loss ratios are so high. “Admittedly, you struggle to make money on insurance investments because people keep claiming; however, new mandatory controls are starting to generate some green shoots. If you make the barrier to cyber insurance higher because of better controls, you have less claims and hence losses.”

Despite many fallouts – for example Ascent, an MGA writing SME business that recently failed to get its binder renewed – a few more carriers are entering the market thanks to movement in underwriting talent, says Cotterell. US specialist cyber MGA Coalition is also planning to launch in the UK this year.

Cotterell thinks it’s a good time to enter the market as rates have increased substantially, all the information needed to underwrite a risk is available, and various stipulations can be put into policies.

While the cost of premiums is rising, so too are the services included. SMEs just need to be made aware of the benefits of the offering.

James Burns, head of cyber at CFC Underwriting, says in the UK less than 10% of SMEs purchase cyber insurance. “It all comes down to making the offering understandable and accessible. Cyber is viewed as a complex exposure and cyber insurance a complex product but essentially it offers protection against what is essentially the modern form of crime.”

“We need to get better at articulating this to SMEs and help them see the value of the services included. It’s developed beyond being just a financial indemnification product; the services that accompany it are critical for SMEs now.”

Martin Smyth, Airmic insurance special interest group chair and Next’s insurance manager, adds: “Provide real-life tangible examples of how the product has assisted similar businesses to survive. Simplify the product offering and language being used, and make claim payments promptly – SMEs generally do not have the liquidity headroom to survive for long.”

Would packaging cyber up with other covers help encourage take-up? Smyth thinks the danger with this is that it builds an expectation of what is covered, which can differ from the reality. With the handling of Covid-19 claims fresh in mind, he suggests bundling up a fundamentally complex insurance cover is not advisable.

Stephen Wares, Coalition’s head of risk engineering, Europe, agrees: “Because cyber risk is constantly evolving with new threat vectors and actors and because it can threaten to halt business operations entirely, finding coverage that can address the unique nature of these threats is essential. The events of the past two years have made it clear that digital risk is different and, therefore, it requires a distinct policy to cover it.”

Risk management

Most carriers now include risk-management features with policies. For instance, Beazley’s incident response teams connect clients with a range of outside experts, including legal services, digital forensics, crisis communications and ransom negotiators. Broker Gallagher, meanwhile, offers ‘Cyber Defence’, an optional product providing benefits like dark web and vulnerability scanning and employee training.

“What’s critical is that SME cyber policies go above and beyond the traditional insurance policy and even the traditional incident response model. The new battleground in the cyber world is now all about proactive security services,” Burns emphasises.

“CFC has a 100-plus in-house response team which is a huge value-add because it means we can help our policyholders identify threats and issues and nip them in the bud before they become meaningful claims.”

Ransomware is the single biggest digital threat facing organisations today and CFC conducts threat intelligence-gathering to see if policyholders are being targeted for future ransomware acts.

“Most SMEs wouldn’t be able to obtain this service otherwise as cost would be prohibitive, but we include it as part of their cyber insurance. It’s a completely new way of managing that exposure and risk,” Burns adds.

Cyber insurance also caters for uncontrollable losses like litigation claims or if a wrong email is sent. SMEs are unlikely to have the money or in-house expertise to deal with such issues.

Those we talked to agreed it was inappropriate to simply adapt corporate policies since SMEs have very different needs. Unlike large corporates, SMEs don’t have large in-house security and IT teams and rely far more on these add-on security services.

Furthermore, Mongan explains how mid-sized companies usually have outsourced their IT but lack in-house expertise to set network standards. That is why Gallagher’s Cyber Defence team helps clients establish a framework between themselves and their IT provider. This is important because when a claim happens, the IT provider usually has no liability since it was never asked to build a network in a particular way.

Cyber threats

Over the past 12 months there has been a shift from ransomware that encrypts data to stealing information and threatening to publish it if a ransom is not paid. This has been a huge driver of claims, particularly from professional service organisations hosting sensitive information on behalf of clients. Reputational damage is one of the biggest exposures clients face and has driven demand for the product.

To counter the surge in ransomware attacks, all policyholders are now mandated to have multi-factor authentication. For companies with a turnover of £50m or more, another mandatory requirement is ‘endpoint detection and response’ to continually monitor for malicious cyber threats.

As to transparency and information-sharing, the industry has come a long way. All carriers are starting to correlate claims data with causation and to share this through updates on the latest security threats, published case studies, and webinars and events.

“Cyber insurers need to take education seriously because we are in a unique position, with a duty to share our intelligence to help protect clients and for them to protect their clients,” Burns concludes.
