As incredible as it seems, more than 37 billion electronic records were compromised in 2020, according to Risk Based Security's 2020 year-end report. Furthermore, research from IBM and the Ponemon Institute's 2021 Cost of a Data Breach Report shows that the average cost of a data breach is $4.24 million.

These days, it's hard to keep up with the deluge of information on cybercrime and the latest changes in cyber insurance. Nowhere is this more evident than in the small and midsized business (SMB) market, a segment of the economy where the need for cyber coverage is great—yet misconceptions abound as to what SMBs can do to protect themselves from bad actors.

SMBs in the Bull's-Eye

One of the enduring misconceptions about cybersecurity is that criminals only target large corporations or certain industries. But cybercriminals are increasingly going after small businesses. The 2021 Verizon Data Breach Investigations Report found that the gap between small and large organizations has narrowed considerably, with 263 breaches of small organizations in 2020 compared to 300 for large ones.

Large data breaches make the news and can impact millions of consumers. However, for every big one you might hear about, multiple smaller attacks are seriously harming SMBs and their customers.

Smaller companies are the proverbial low-hanging fruit when it comes to cyber vulnerability. Many small businesses don't have anyone dedicated to the IT function—and the bad guys know that they haven't invested in any type of security framework. They also know that SMBs possess a treasure trove of customer information, such as medical records, credit card numbers, Social Security numbers and bank accounts that can be easily hacked.

The Hiscox Cyber Readiness Report 2021 found that cyberattacks on average cost small businesses over $25,000 during a 12-month period, with more than half of small firms reporting they feel more vulnerable to attack due to an increase in remote work arrangements.

SMBs face significant downtime after a cyberattack. This is especially the case with ransomware, which can shut down a business for days as it scrambles to reestablish its networks—assuming it has backup files—or negotiate through a third party to obtain a key to decrypt its ransomed files.

Finding Affordable Coverage

SMBs must objectively analyze their risk and vulnerabilities, better protect their networks and obtain affordable cyber insurance coverage. Yet, at a time when SMBs should be addressing their cyber exposure, the insurance choices are less clear cut and the insurance market is more difficult to navigate than ever before.

Many middle market companies are just beginning to seek out standalone cyber policies, products designed to fill the gaps in a traditional property or a general liability policy with cyber-specific coverage.

The Government Accountability Office (GAO) noted in a report last summer that this market faces challenges due to insurers' lack of historical data on cyberattack-related costs and a lack of clarity regarding what is covered in a policy. GAO cited differing definitions for policy terms such as “cyberterrorism." GAO also pointed to the issues of rising premium costs and lower coverage limits in some industry sectors, such as health care and education.

In addition, many agents haven't aggressively marketed these standalone policies, perhaps because there is so much uncertainty in the market.

Mounting Losses Spell Trouble

From the insurer's perspective, there are huge risks. As cybercrime has escalated, claims costs have soared. Last summer, AM Best noted that the “cyber risk hazard environment" had “worsened significantly," to the point where the “prospects for the U.S. cyber insurance market are grim."

AM Best notes that ransomware now accounts for 75% of cyber claims. “The loss ratio for cyber insurance rose dramatically in 2020," AM Best says, “to 67.8% from 44.8% in 2019." Fitch Ratings put the losses for 2020 even higher, with direct losses for stand-alone policies at 73%.

Consequently, AM Best states, “[I]nsurers urgently need to reassess all aspects of their cyber risk, including appetite, risk controls, modeling, stress testing and pricing, to remain a viable long-term partner dealing with cyber risk."

In particular, AM Best is concerned about the rapid growth in exposure without adequate underwriting controls, the growing sophistication of cybercriminals, the possible cascading effects of cyber risks, and the lack of geographic or commercial boundaries.

7 Misconceptions About Cyber Risk

So, what's an agent to do if their clients have significant cyber exposure? A good start would be to educate yourself about the risks and the current market situation.

Here are seven misconceptions about cyber liability that, if we work together to correct, would go a long way toward clarifying client needs and improving coverage:

1) Third-party risk-rating tools are effective at determining cyber risk. While many agencies and insurers now use some type of cyber risk assessment for their clients, these rating tools are often of little value.

Rating tools rely on so-called externally observable data, such as pinging a client's firewall or analyzing their website. They don't provide an inside look at the organization, which is crucial to determining whether a company has the necessary controls to protect against a cyberattack. A remote testing service can't tell you whether a client has practices and policies in place to mitigate their cyber risk, and it may give your clients a false sense of security. Agents are better off working with an independent cyber risk consultant who knows how to identify key exposures and can quantify these risks for your clients.

2) Cybersecurity controls are all a client needs to protect themselves. It's great if a business has adopted cybersecurity policies, but that doesn't mean they're following them.

A lot of companies rest on their laurels. They go through the process of instituting safeguards and doing some employee training. Ticking off boxes is important but verifying compliance with internal controls is even more important. It may also be that employees aren't aware of the procedures a company has put in place, which leads to the next misconception.

3) Technology alone can solve the cybersecurity problem. A lot of cyber threats come down to human behavior, because no amount of technology can stop an employee from clicking on a link in a phishing email and unleashing malware.

According to the 2021 Verizon Data Breach Investigations Report, 85% of data breaches involved the human element, with various forms of social engineering the leading means of attack. This is why employee training and awareness are so critical. In addition, businesses must be especially vigilant about employees connecting to their company's networks through personal devices.

4) A cyber policy is all that matters. I often hear business owners say, “I have a cyber policy with $1 million in coverage. I'm set." It would be nice if that were the case, but it's not. Rising losses have forced insurers to tighten up their cyber contracts. Restrictive definitions and sublimits can reduce that $1 million in coverage to as little as $100,000 for certain types of incidents. Agents must explain these limitations to their clients. More importantly, they need to make sure there is enough coverage in the policy.

In addition, “silent cyber" has become a real problem, especially when it comes to claims. This is when a property or general liability policy is silent on whether it covers cyber damages. Clients who may have thought they were covered by a policy purchased years ago can be in for a rude awakening when they file a data breach or ransomware claim.

5) Insurance must talk like IT people. It's never a good idea to use technical jargon when discussing cyber liability with your clients, yet many agents do it. Owners and executives want to talk about the impact of cybercrime on their operations in plain English. They speak the language of business outcomes, and you should, too.

Clients don't want to hear about data loss prevention engines or expired SSL certificates. Agents must find clear ways of communicating risk to their clients, explaining how controls can offset those risks and make them more insurable. To do otherwise is to alienate or even misinform your clients.

6) Insurance applications can uncover risk. As insurers search for the best application form to capture every conceivable risk, the cyber insurance application process has become a jumbled mess in recent years. Many of the questions are difficult to answer and don't get at a company's true exposure. Worse, agents are starting to place their business with companies whose apps are the easiest to fill out. Don't be fooled into thinking the app process is a substitute for uncovering your clients' risks.

7) Agents should become cyber experts. If you hold yourself as an expert or give your clients faulty advice regarding cyber insurance, you put yourself at risk. You don't want to be on the receiving end of an errors & omissions claim because you didn't sell the right type of coverage or failed to recommend coverage when it was needed. A more sensible approach might be to partner with an independent cyber expert who can assess your client's insurability and recommend the appropriate coverage limits.

Cybercrime isn't going away. If anything, it's getting worse and more expensive to insure. Until SMBs take these risks more seriously—similar to the way nearly all companies today have HR policies to protect against employment practices liability—cyber will continue to be a huge exposure.

Cyber remains a dynamic, fast-changing market. Price increases, lower limits and greater demand for insurance make the agent's role all the more important for this key coverage. But agents don't have to go it alone. Seek out a cybersecurity partner who can help you determine your clients' cyber risk and insurability.

Bill Haber is co-founder of TEKRiSQ, a technology company focused on helping agents in the small to midsize market quickly diagnose their client's cyber risks and develop mitigation strategies. He has more than 25 years of commercial and operational leadership experience in enterprise software, digital health, medical device and network technology startups.