As businesses grow both in terms of size and complexity, they take on new and greater risks. The collection and storage of sensitive customer information is a prime example of this. A generation ago, companies only stored basic data about their customers.
Today, it’s table stakes for small businesses to collect email addresses, demographic information and even payment information on clients. Insurance, therefore, is called for to help protect against risks like data breaches or theft.
But cyber insurance is not keeping up with the needs of U.S. businesses, says Matt Cullina, managing director of global markets at CyberScout. The gap between available coverage and business needs is especially noticeable when it comes to small businesses and cyber risk.
According to a CyberScout survey, 76 percent of U.S. small and medium-sized businesses were targeted in cyberattacks in 2019. Yet only 31 percent of these businesses had insurance that could address those events.
To secure the coverage they need, businesses must understand both the risks they face and the insurance available to them. Insurance companies and insurance agents play a key role in customer education when it comes to cyber risks.
Top Needs in Commercial Tech Coverage
The first step for small businesses seeking cyber insurance coverage is to understand the different types of digital risks and how insurance addresses them.
While many small businesses understand that they have cyber risk exposure, fewer understand exactly which types of insurance coverage address which sorts of events related to digital work or data. One often-confused issue is the difference between technology errors and omissions (E&O) coverage and cyber risk.
Technology E&O Coverage
Technology errors and omissions (E&O) coverage helps professionals in technology fields address specific professional liability risks. Technology E&O insurance helps protect companies that work in tech-heavy fields or whose uses of technology can impact third parties in ways that traditional insurance models don’t address.
For example, tech E&O coverage can often address claims of professional negligence. If a small business’s platform or app damages the user’s computer or smartphone, tech E&O coverage provides a way for the business to handle the claim. If a technology issue prevents a company from fulfilling its obligations to a customer, E&O coverage may also apply, writes Dan Burke, national cyber practice leader at Woodruff Sawyer.
Technology E&O coverage can help smooth relationships between small businesses and outside tech professionals, such as app developers. It can also help protect businesses from a number of risks related to using tech.
This coverage has its limits, however. Where tech E&O coverage ends, cyber liability coverage may step in.
Cyber Liability Coverage
While technology E&O coverage focuses on the professionals creating and distributing software and other pieces of technology, cyber liability insurance focuses on the risks that arise from doing business online. Cyber liability coverage, also known as cybersecurity insurance or cyber insurance, addresses some of the most commonly-recognized cyber risks, such as the breach of protected customer data by a third party.
While cyber liability insurance is related to E&O coverage, the two are distinct. For instance, “E&O insurance does not cover the loss of third-party data, such as customer credit card numbers,” write Dennis Shiao and Matthew Haughn at SearchSecurity. Many businesses will need both cyber liability coverage and technology E&O coverage in order to protect all the relationships they have that surround their digital activities.
Changes wrought by the COVID-19 pandemic also raised new questions for businesses seeking cyber risk protection. In addition to cyber liability and E&O coverage, these companies may need policies that address the risks of remote workers connecting digitally to the office, an Aon white paper notes. Companies will need expert advice about their cyber and tech-related policies from their insurance companies.
How to Help Customers Know What They Need
Any business that conducts any part of its work in a digital environment faces some level of risk associated with that work. The level and nature of risk, however, will vary depending on the business’s size, its available tools for identifying breaches and other events and the nature of the work it carries out digitally.
By better understanding these risks, insurance companies can in turn help business customers better understand their coverage needs.
Help Small Businesses Address Digital Risks
Large companies typically have the resources to build their own internal approach to fighting online threats. For example, these companies may have software that monitors digital traffic for signs of a security breach or other event, says Aaron Basilius, senior vice president, cyber, AmTrust Financial Services.
By contrast, small businesses often do not have similar resources. They may lack digital tools to spot breaches or other forms of cyber risk, and their teams may not include anyone specifically tasked to focus on cybersecurity, says Basilius.
Businesses of all sizes face risks in the digital world. Both large and small companies can benefit from education and insight provided by insurance companies, focusing on which risks are present and how best to address them.
Understand Different Businesses and Their Unique Risks
Different types of businesses also have different digital risk profiles due to the way they use digital tools to carry out their business goals.
For example, online retailers find themselves an ever-larger target for wrongdoers online, especially as online shopping becomes ever more vital to households in the U.S. and worldwide. “I don’t think it’s a stretch to suggest that there is a pandemic with respect to retail industry cyber attacks,” says Art Coviello, executive vice president of EMC Corporation.
Retailers face the risk of losing sensitive customer information to cyber attacks. As online commerce evolves rapidly under pressures from the COVID-19 pandemic, regulatory compliance lags. As a result, even retailers that maintain full compliance with digital privacy and security laws may not have what they need to adequately protect their business and customers from the consequences of a cyber attack.
Manufacturing companies also face cyber risks, but their profile of risk may be different. While attacks on employee or customer personal data are a risk, compromised databases or phishing attempts can also target intellectual property. Compromised web pages can also infect a manufacturer’s systems with malware, negatively affecting the manufacturer’s ability to meet its business commitments and maintain its reputation, writes Elliot Forsyth, leadership and HR consultant at Organizational Effectiveness Group.
Some businesses don’t clearly understand their own cyber risks, leaving them particularly vulnerable to attack. These businesses may purchase standard coverage for cyberattacks, for example, not realizing that the coverage doesn’t apply to particular events. Insurance companies and agents thus play a key role as educators.
Enlisting Insurance Agents as Educators
“Keeping consumers educated about the value and need of stand-alone cyber insurance coverage is absolutely critical given today’s environment of small businesses being under constant threat or attack,” says Sean Kevelighan, CEO of the Insurance Information Institute.
To help customers understand these risks, insurance companies are educating their independent agents about the nature and complexity of cyber risk. With information and statistics at hand, independent agents can then explain to customers where their risks lie and which forms of coverage are best suited to their needs, says Kevelighan.
Insurance needs related to technology and tech security are becoming more complex. Independent agents provide a way for customers to cut through the complexity and understand exactly what coverage their business needs, says Bryan J. Salvatore, EVP and president of domestic speciality insurance at The Hanover.
It’s especially important for insurance agents to put themselves in the shoes of their business clients in order to understand insurance decisions the client makes.
For instance, while many small businesses readily embrace commercial package policies or business owner policies, they’ve been less interested in buying standalone cyber risk coverage because it complicates the coverage process, says Cullina. In cases like these, including cyber risk coverage as an endorsement offers small businesses both the flexibility and the coverage they need.
Interest in cyber risk insurance is likely to increase in the near future. “Having the appropriate cyber protection will only become more important as new technologies emerge, businesses become more connected and cyber criminals develop more sophisticated methods,” says Salvatore.
To meet business’s needs, insurance companies and agents can prepare themselves to educate customers about digital risks. Education can give customers the clarity they need to acquire the necessary coverage.
Images by: Dmitrii Shironosov/©123RF.com, rawpixel/©123RF.com, mavoimage/©123RF.com