As headlines of cyber attacks on our government and large corporations increase, business owners of small and medium-sized businesses should be aware that cybercriminals are not only after the big fish. The reality is that cybercriminals don’t discriminate by size. In fact, cyber attacks on small and medium-sized businesses are more common than you might think, highlighting the need for cyber insurance for small businesses.

Small business owners in the US are aware of the threat, with 60% saying cyber security threats are a top concern. In 2023, 43% of all cyber attacks targeted small businesses, confirming their concerns.

The seriousness of these attacks cannot be understated for small businesses. One in four small businesses say that just one disaster or threat could shut down operations entirely. In fact, a cyber attack costs a small business $254,445 on average, with some attacks costing up to $7 million.

Many times, small businesses are not specifically targeted, they are simply low-hanging fruit. “Attackers often automate these kinds of attacks and mass scan the internet for vulnerabilities they already have a way to exploit,” says Kacey Wheeler, Cyber Specialist at Marsh McLennan Agency (MMA). “A lot of these are just opportunistic and take minimal resources, time and capability to compromise.”

How do you know if your business is at risk?

Your small business is at risk of attack if you:

• Use computers or other mobile devices in your operations
• Accept credit card payments or other digital payments
• Save confidential customer information
• Store medical or financial data

What could happen to your business in a cyberattack?

There are countless examples of how a cyber attack or data breach could disrupt business, cost substantial time and money, and cause long-term damage to a business’ reputation. Here are just a few:

• Medical record destruction: A hearing center permanently shut its doors after a devastating ransomware attack that destroyed all its electronic medical records. Rather than pay the ransom and rebuild its systems, the practice’s physicians decided to close.
• Payroll hack: A car dealership lost tens of thousands of dollars when cybercriminals broke into their network, swiped bank account info and added fake employees to the company payroll.
• Password breach: A real estate development firm had millions of dollars drained from its bank account after attackers gained access to a company email account. Information gleaned from emails allowed the cybercriminals to impersonate the owner and convince a bookkeeper to wire money to an account in China.
• Point-of-sale attack: A retail employee clicked on a link in a phishing email that appeared to be from a vendor, allowing a cybercriminal to install ransomware on the company network. The attack spread to the retailer’s branches and all its point-of-sale registers, effectively stopping all transactions. The business temporarily closed its stores as it could not afford the ransom and did not have security vendors to immediately help it deal with the attack.
• Photocopier breach: A real estate agency leased a printer/photocopier that had been previously leased by an accounting firm. An employee at the agency discovered that the internal hard drive still contained all the files that had been previously copied by the accounting firm, including clients’ confidential personal and financial information. By law, the accounting firm was required to report the data breach and notify clients. The firm was sued by one of its clients.

It's not just customer information that attackers want, sensitive employee information is valuable to them as well. Employee data breaches can lead to consequences, especially as we are seeing class action lawsuits related to data privacy become more common while increasingly smaller groups are involved in litigation.

The solution that could save a business in a cyber attack and data breach is cyber insurance. However, despite the rise in cyberattacks, only 17% of small businesses have cyber insurance. In light of these shocking numbers, it’s important to highlight the benefits of cyber insurance for small businesses as it is one of the best ways to mitigate cyber attack risks and losses.

How can cyber insurance help your business?

Cyber insurance protects businesses against computer and network-related crimes and losses. A cyber insurance policy is designed to cover privacy, data and network exposures. When you have a policy in place, your carrier will immediately connect you with a network of cyber security experts to help you act quickly in the case of an attack. A cyber policy may cover:

• Cyber extortion: covering costs of consultants and potential extortion payment (if deemed necessary) to coordinate and respond to threats and demands related to cyber extortion or ransomware attacks. Cybercriminals are increasingly using ransomware, a type of malicious software or malware, to deny access to an organization’s computer system or data through encryption. The cybercriminals demand ransom in return for providing the decryption key.
• Data breach: covering expenses related to managing and responding to a data breach, including notification, computer forensic analysis and legal support. Coverage may also extend to regulatory and payment card industry (PCI) fines and penalties (where insurable by law) when levied due to privacy regulations.
• Business interruption: covering lost business income when a company has its network-dependent revenue interrupted.
• Data restoration: covering costs associated with the replacement, restoration, recreation or recovery of compromised data. Data is a valuable business asset that should be protected.
• Security liability: covering defense and liability expenses for actual or suspected failure of computer systems to prevent malware, data breach, etc.
• Privacy liability: covering defense and legal liabilities for failure to keep sensitive individual information and corporate information private or the failure of a third party you have entrusted with information to keep it private.

“In addition, cyber policies may offer security consultants and resources to help you prevent different cybersecurity attacks and incidents, and also help respond and recover from these if they do occur. When it comes to cyber incidents, it is not a matter of “if” but “when,” so it is important to be prepared and have the resources to help support you. This includes potential access to employee training, continuous monitoring of systems for potential vulnerabilities, dark web monitoring and additional recommendations on effective cybersecurity controls for comprehensive cyber risk management,” says Wheeler.

There are many options for cyber insurance depending on your business’ unique risks. Working with a commercial insurance broker specializing in cyber insurance will help you find the right policy for your business and budget.

Check out our Cyber Resiliency Network for connections with trusted vendor partners to help you stay prepared and resilient.