History Repeats Itself: 3 Avenues to Reducing Cyber Exposure
Like fashion trends and music genres, life is cyclical. So is insurance.
Prior to the Civil Rights Act of 1991, businesses did not believe they needed employment practices liability insurance (EPLI). For those who had gone 30 years without an employee complaint, the Act rewrote the rules of business exposure. Suddenly, the floodgates opened for exemplary, punitive damages, jury trials, and exorbitant attorneys’ fees.
Today, EPLI is a standard P&C business policy, not unlike your general liability (GL) or property coverage. But it took as many as five years for it to catch on.
Cyber insurance is the EPLI of 2021.
Small and mid-size businesses are asking why they need the coverage. The Facebook, Instagram, T-Mobile, and Colonial Pipeline data breaches give the false impression that larger businesses are the sole target of bad actors.
The truth is, 66% of small to mid-size businesses (SMBs) have experienced a cyber attack in the past 12 months. And, according to the U.S. Small Business Association, 88% of SMBs say their business is currently vulnerable.
Why is that? Because malware is easier to execute on a network with fewer and less effective firewalls, phishing emails are more successful with employees who have not been trained to recognize them, and ransomware attacks can command a hefty sum from a business that does not have adequate backup or is ill-prepared.
If you still think you are not at risk, imagine a day without access to your payroll system, your employee and customer records, or your product inventory, and what that would do to the reputation your business has worked so hard to build.
The recent spike in cyber insurance claims and subsequent high-figure losses have led to limited market capacity and higher insurance premiums. This is nothing new either. When carriers exit the market, underwriting criteria become more rigorous, and premiums rise.
So, what can you do? (Short of taking out your checkbook.)
Enter: diligent risk management and cyber security hygiene. Once you have offloaded your risk to cyber insurance, here are three things your business should do today:
- Protect keystrokes and mouse clicks. Oftentimes, the vulnerability is not your hardware or software — it’s your employees. In fact, 88% of data breaches are caused by human error. Nearly half of the time, “distraction” is the culprit, as phishing emails look awfully legitimate. Reduce the chance your employees will make these easy mistakes by instituting regular cyber security training. Employee education is an employer’s first line of defense against bad actors.
- Do your own underwriting. Cyber insurers are no longer here to sell your business cyber insurance. Today, the presentation and sales process have been reversed. You are now selling your risk to them. Market your business and what you are doing to ensure a secure environment by showing the underwriter your business is best in class from a cyber hygiene perspective. This means addressing critical and past weaknesses head-on and informing the underwriter what the business is doing or has done to resolve them.
- Do not go it alone. Your business — regardless of its size — can no longer manage the current cyber threat environment without leaning on dedicated resources. This includes your local Brown & Brown risk management team. Now is also the time to bolster your recruitment efforts, however your business chooses to do it: hiring the necessary IT expertise in-house or retaining it externally.
In the ongoing work-from-home environment, cyber risks will continue to rise. Make sure your organization is prepared with a combination of robust insurance coverage and active risk management — or you will have to face the music like it’s 1991.
Chief Legal Officer at Brown & Brown Insurance
Thanks Bob! Interesting points and perspective for the insured to know.
Executive Leader | Board Member | Author | Speaker | Mediator | Experienced counselor in law, insurance, enterprise risk management, and crisis management
Link to stats:
66% stat: https://www.keeper.io/hubfs/PDF/2019%20Keeper%20Report%20V7.pdf
88% stat: https://www.sba.gov/business-guide/manage-your-business/stay-safe-cybersecurity-threats