written by Asaf Lifshitz, in the July 6, 2020 edition of The Insurance Journal.
According to the IBM “Cost of a Data Breach Report, 2019”, business interruption (BI) represents 36% of the cost of a cyber breach, averaging a whopping $1.42 million per breach. The report states that, for the last four years, lost business represents one of the largest expenses of a cyber breach, changing only slightly as a share of the total cost. In a world where digital exposure is only increasing, especially with people now working from home due to the COVID-19 pandemic, so is risk — and therefore the potential loss.
What does it mean for businesses, and specifically, what does it mean for small and medium businesses (SMBs)?
Different businesses are affected differently. For instance, an online retailer would feel the impact of a cyber breach/attack a lot more than a hair salon.
Business size also matters. For example, the NotPetya attack on Merck shut down their production of the human papillomavirus (HPV) vaccine Gardasil 9, forcing Merck to “borrow” 1.8 million doses from the Pediatric National Stockpile. It took Merck 18 months to resupply the vaccine doses, valued at $250 million. The financial impact? By the end of 2018, Merck estimated losses of $740 million.
Or Capital One: Last August, the bank had to put its $400 million cyber risk insurance in play after a hacker got into its cloud, accessing sensitive information for more than 100 million customers. The bank expects the incremental costs of the incident to be $100 million to $150 million, mostly tied to providing credit monitoring and legal support for affected customers.
This problem is not exclusive to big/blue-chip companies. SMBs are exposed as well. Most SMBs are not fully prepared nor fully aware of the risks and costs of a cyberattack.
Furthermore, a cyberattack affects SMBs more profoundly than larger organizations. According to the IBM report mentioned above, small businesses face disproportionately larger costs per capita relative to larger organizations and enterprises.
The total cost of a data breach for the largest organizations (more than 25,000 employees) averaged $5.11 million, which is at most $204 per employee. Smaller organizations with between 500 and 1,000 employees averaged at least $2.65 million, or $3,533 per employee. Therefore, smaller organizations, relative to their size, incur more than 15 times the cost as compared to larger organizations which can hinder their ability to recover financially from a cyber incident.
So, how can you help your SMB clients reduce their BI and Contingent Business Interruption (CBI) costs?
Work to Minimize Downtime
Forty-three percent of cyberattack victims are small businesses, according to the Verizon 2019 Data Breach Investigations Report. Knowing it’s not a question of “if” but “when” all parties’ interests are aligned to one goal — reduce BI as much as possible by minimizing downtime. This is a case where time is money — literally. According to the Ponemon 2019 study, Global State of Cybersecurity in Small and Medium-Sized Businesses, the need to increase response time to a cyber incident is real. Some 74% of SMBs saw increased (39%) or flat response times (35%) as compared to the year prior. Carriers have a big incentive to get customers to take preventative action as well as provide substantive support when a breach occurs, enabling SMBs to quickly get back on their feet.
This presents a great opportunity to reduce cyber business interruption while providing real value to clients.
Below are steps to help navigate insureds to smoother recoveries while reducing downtime and the impact of BI.
Be Preemptive and Proactive: Encourage SMBs to Take Preventative Steps
In the Southeast, every business has a plan in case of a hurricane. SMBs should have the same mentality when it comes to cybersecurity, specifically for recovering fast. How prepared a business is for a possible breach is the key to minimizing the impact of an attack. Encourage SMBs to be proactive and assume a breach will happen. Have a team (in-house or outsourced) and an actionable plan in place to minimize downtime and therefore BI.
A reduced premium and/or access to post-breach services if SMBs create an incident response (IR) plan are both good examples of incentives. It doesn’t have to be complicated – only effective. Help them build the plan in case of a breach: who to call and when, what to tell customers, do’s and don’ts, etc. The FTC’s “Data Breach Response: A Guide for Business” is a great starting point for creating an IR plan. Further, much like knowing a hurricane will inevitably come, SMBs should do drills and have their game plan ready to execute. According to the aforementioned IBM report, organizations that formed an incident response team and built a response plan saw an average savings of $360,000 per incident. Further, companies that tested their IR plans through exercises and/or simulations helped teams respond faster in real-life situations, realizing an additional $320,000 saved per incident. Details of a given plan vary according to the individual business, but there are steps a business can take to specifically address BI.
Four key preventative measures are real-time monitoring, redundant systems, consistent backups, and tailored cyber hygiene practices.
1. Invest in real-time monitoring. The effectiveness of an attack is directly correlated to how much time the hacker has to infiltrate the system once in. This metric is called “dwell time” and is directly correlated to the cost of a breach — the longer it takes for a company to contain an attack, the costlier it will be. The IBM report notes that “breaches with a lifecycle less than 200 days were on average $1.22 million less costly than breaches with a lifecycle of more than 200 days ($3.34 million vs. $4.56 million respectively), a difference of 37 percent.”
2. Employ redundant systems. For small businesses, this usually takes the form of a software-based solution called High Availability redundancy. It is not a literal duplicate system (enterprises often have Fault Tolerance systems where the hardware and software of the business has a literal mirror system in place that immediately takes over in case of failure). With High Availability, if something goes wrong with one server, backup servers take over and restart applications that were running on the failed server. This solution will experience a brief loss of service while the backup servers reboot applications, but the time lost is kept to a minimum.
3. Backup regularly and often. Wendi Whitmore, director of X-Force Threat Intelligence at IBM says, “In cases of ransomware or destructive malware, we see that organizations lose access to their most critical data, and then they spend a lot of time trying to rebuild environments getting access to it again. I would recommend having offline backup of your most critical data.” Backup critical files and customer data via third-party cloud services regularly, daily if possible, to ensure quick restoration of business activities. Consult with an IT professional or Managed Service Provider (MSP) to determine the best strategy for how and how often to backup for the swiftest possible recovery.
4. Tailor cyber practices. Seek out security solutions and employ best practices that are tailored for the type of business. For example, Distributed Denial-of-Service (DDoS) attacks, in which cyber criminals try to take down a website or server by flooding it with traffic, are particularly detrimental to online retailers who rely heavily on website visitor volume. Employing increased bandwidth, allocating traffic across multiple servers (being sure to employ load balancing), and using anti-DDoS hardware and software modules are a few solutions applicable to specifically slowing, mitigating and in some cases, preventing DDoS attacks.
In addition, SMBs should adapt general cyber best practices. These include consistent staff training and operational readiness plans for specific attack scenarios (e.g. social engineering, ransomware, phishing emails), periodical threat hunting and/or vulnerability assessments as well as penetration testing (depending on the business). These are a must for the cyber-aware business.
Please note that many SMBs don’t have the IT resources to implement the steps above. They should engage with a MSP or Managed Security Services Provider (MSSP) to help with these initiatives. Consider providing these services or, at a minimum, a list of recommended providers.
Finally, encourage businesses to adapt and evolve. Cybersecurity is never a “set it and forget it” situation. Your customers’ cyber posture is something that needs constant adaptation. According to the latest IBM study, DevSecOps approaches (i.e. “everyone is responsible for security” mindset), employee training, cyber insurance, and getting the board involved in security are also found to reduce the cost of a breach by more than $100,000 each on average.
In a recent blog post, Austin Murphy, vice president of managed services with CrowdStrike, recommends approaching security as a process as opposed to a state you must achieve. “We know successful organizations understand that the concept of ‘secure’ is not something that you are — rather, security is a process that you participate in.” He adds, “cybersecurity needs to be part of the organization’s core business process.”
A final thought on preparedness: While self-evident, ensure the client’s cyber coverage aligns with their business needs. This is especially true for the business interruption, contingent business interruption, and BI waiting period clauses.
Be There. The Day Of and the Day After a Cyber Event
The Day Of. Be the go-to place for insureds to help address the breach and execute their incident response plan, as well as alert you ASAP to get a claim started. Beyond ensuring coverage and setting the SMB in motion to recovery, consider providing incident response services either internally or outsourced (e.g., a MSP or MSSP) as mentioned above. Further, use past experience from similar claims to address issues that arise that may not be in the insured’s plan. For example, directing the insured to media resources to help manage reputational damage, guiding them in maintaining customer relations, and pointing them to legal services. Smaller businesses without IT support would find this very helpful, even life-saving. Most importantly for all parties, a swift response will reduce downtime, and of course, BI.
The Day After. After the insured has recovered from a cyber attack, help create a post-event summary and revised incident response plan with the goal of improving that particular insured’s cyber defenses and minimizing BI in the future. Did the recovery plan execute as expected? What were the sticking points that slowed down the recovery? What could have been done better? What could have prevented the breach? Conduct this analysis in-house or hire a forensic expert. Collect and learn from the data in aggregate to better understand and assess risk as well as mitigate BI for the insured, their segment, and your portfolio as a whole.
Reducing BI represents a huge cost and time savings opportunity for carriers and insureds alike. The key to mitigating this expense is minimizing the downtime an SMB experiences. Preventative measures and proactive support that focus on reducing downtime as well as address the uniqueness of the insured will yield faster recoveries, happier clients, and cost savings for all.
We felt this was a great article and wanted to share with our clients – If you have questions regarding Cyber Liability, please call Samantha Kato at 800-362-2809. Our team will work to provide coverage for your potential cyber risk.