As published in Insurance Journal
Most businesses recognize a cyberattack can have a potentially devastating effect on their operations. These same businesses have purchased insurance for traditional cyber risks, such as breaches involving the unauthorized use of personal information, and report they are confident they have the right insurance protection in place, according to a study conducted by The Hanover Insurance Group and Zogby Analytics.
But do they have a false sense of security? Very often, the answer is yes. As the study concludes, the evolving nature of cyberattacks is leaving some businesses exposed to emerging and increasing cyber risks they may not yet realize they face.
This presents an opportunity for independent agents to serve as trusted advisers, educating clients about cyber risks, key insurance coverages and important risk mitigation efforts to help protect their businesses.
Perception vs. reality
The reality is most businesses face cyber threats, and these threats are only growing in complexity and frequency as companies become more digital and interconnected organizations. Not surprisingly, nearly 70% of businesses surveyed identified breaches of personally identifiable information (PII) as their top concern. However, although breaches of PII frequently make for very public headlines, only 19% of respondents experienced a breach over a 12-month period.
In contrast, the study found only 11% of businesses were concerned with supply chain risks. Yet, cyber supply chain risk is one of the fastest growing cyber threats facing businesses today. Nearly 90% of businesses reported being dependent on third parties or outsourcing to vendors, including two-thirds that outsource their security operations or critical IT resources.
Although it is encouraging to see that businesses recognize the need to leverage third-party experts to better protect their operations and data, it also is important to understand that outsourcing such a critical function can introduce an increased level of risk—specifically, business interruption exposure.
While these third-party security organizations are often more difficult to breach, bad actors recognize the access they could gain to a larger number of businesses if they are breached, making them a desirable target. This has been playing out recently with managed service organizations increasingly being targeted by ransomware attacks.
Given the prevalence of cyber risks, it’s important for businesses to have the proper insurance protection and risk management plans in place. Independent agents can help their clients identify risks and structure insurance programs that help mitigate possible exposures and address their unique needs.
Three cyber coverages to consider are:
1) Business income. Would a business be affected if a malware attack forced it to close its doors? Business income loss coverage covers the cost of lost income and extra expenses incurred while a system is being restored following a cyberattack.
Also consider whether there would be any implications to a client’s business if one of their suppliers were to experience a cyberattack. In these cases, it’s often beneficial to add coverage for contingent business income, as well.
2) Reputational harm. What would happen if a business has its systems fully restored after an attack, but revenue does not immediately return to its pre-attack level because customers are hesitant to return? Reputational harm coverage goes beyond traditional business income coverage to help address a reduction in revenue after a system is restored.
3) Systems remediation. Would a business have funds available to address systems vulnerabilities while also dealing with the fallout of a cyberattack?
Some cyber offerings only pay for a business to mitigate the effects of a cyberattack. However, others also provide funds to help address system deficiencies identified after a loss. This can help reduce vulnerabilities to emerging attack vectors that may not have been previously recognized or understood.
Leveraging outside experience
To protect against emerging risk, businesses need more than just the right insurance protection. It’s the combination of coverage and risk mitigation that will yield the best results.
Many businesses are taking initial steps to help reduce cyber threats and the majority have plans in place to identify, respond, and prevent cyberattacks, including employee training programs. While these are great steps in the right direction, less than 50% of businesses engage external experts in the preparation of their plans, which is where insurance carriers can step in with additional resources to help best protect businesses.
Some carriers partner with incident response or risk prevention vendors that can help businesses develop and implement response management and prevention plans. Agents can help encourage clients to take advantage of these education and loss mitigation resources.
As new technologies continue to emerge and businesses become increasingly interconnected, it is more important than ever for businesses to have the right cyber insurance protection in place. With more than 70% of businesses purchasing cyber insurance on the recommendation of an independent agent, it’s evident that your advice and influence is critical in guiding business owners to the right protection that addresses both the traditional and emerging cyber risks they face.
About the author
Eric Cernak joined The Hanover in 2018 as president of cyber, overseeing the corporate cyber strategy for commercial lines and specialty businesses. He manages the continued evolution of The Hanover's cyber risk product set, and risk management and loss control services, ensuring a cohesive offering of products and services for the company's independent agent partners.