The US House of Representatives Committee on Small Business turned its attention to small businesses and cybersecurity, with speakers commenting that seeking out cyber insurance “forces” small businesses to gain a true understanding of their risk profile.
“The process of applying for a cyber liability policy forces you to acknowledge and address the potential vulnerabilities on your company. This is an assessment most small businesses have never taken,” said Robert Luft, speaking during the hearing on behalf of the National Small Business Association. “The application process made me account for several items that were not in existence for my company’s operations. For example, we did not have a cybersecurity policy, this was a sober awakening, as the sheer amount of resources to assist small businesses in building this critical document could not be more plentiful.”
However, Luft found some stumbling blocks along the way, telling the Committee, “It was my assumption that my current insurance agent would have the intimate details of potential policies thoroughly digested, this was not the case. In fact, from the time he introduced the policy to me, it was clear that he was unfamiliar with the underwriting process of cyber policies.”
While he stuck with his agent to buy coverage for his small Cincinnati-based network management business, Luft urged others to seek out expertise instead. Cybersecurity issues for small businesses are unlikely to go away, he noted, citing data finding that 43 percent of all attacks in 2015 were aimed at small businesses.
“Despite the growing awareness of cyber-related crimes, and the increase of small businesses being a target for these attacks, 77 percent of small-business owners believe their company is not at risk for cyber-threats such as viruses, malware, hackers or a cybersecurity breach. This figure is quite alarming,” said Luft.
Erica Davis, senior vice president of specialty errors and omissions for Zurich North America, explained to the congressional panel that insurers have taken on a fuller role in cyber insurance.
“It has become more of a partnership, with businesses focusing on not just what happens post-breach and a loss being paid. They value having a stable of pre-vetted vendors available to them if they are impacted by a data or security event. They are also focusing more on pre-breach services to guide them through risk mitigation tools like technology assessments,” Davis said in her testimony. She cited a few issues for insurers as cyber coverage evolves, including the lack of uniformity on state data breach notification laws, aggregation of cyber risk, and approaching cyber as a peril.