Smaller Business, Bigger Risk

December 1, 2013 • 3 min read
Ara Trembly is founder of The Tech Consultant and The Rogue Guru Blog. He can be reached at [email protected]

More and more hacking incidents and identity thefts are reported in the mainstream media, and most of us are thus uncomfortably aware of the fact that such attacks are increasing. What may not be as obvious, however, is that more and more cyber criminals are targeting smaller enterprises — because they tend to have fewer defenses and because they may provide a gateway to larger, more profitable targets.


In its 2013 Internet Security Threat Report, Symantec Corp., a provider of security software, found that the largest growth area for targeted data attacks in 2012 was businesses with fewer than 250 employees (31 percent of all attacks targeted them).

“This is especially bad news because based on surveys conducted by Symantec, small businesses believe they are immune to attacks targeted at them,” the report noted.

Indeed, the same may be said for smaller insurers and a plethora of insurance brokers. As the report pointed out, however, “While small businesses may assume that they have nothing a targeted attacker would want to steal, they forget that they retain customer information, create intellectual property and keep money in the bank.”

Confidential customer and industry data ripped from smaller enterprises are just as valuable to identity thieves as information stolen from larger systems.

And while some may argue that larger enterprises present more profitable targets, it could also be said that smaller operations — with smaller operating budgets — will tend to have less sophisticated defenses, and thus be easier to attack, the report added.

“Criminal activity is often driven by crimes of opportunity. With cybercrimes, that opportunity appears to be with small businesses,” stated Symantec.

“Even worse, the lack of adequate security practices by small businesses threatens all of us. Attackers deterred by a large company’s defenses often choose to breach the lesser defenses of a small company that has a business relationship with the attacker’s ultimate target, using the smaller company to leapfrog into the larger one.”

This last point cannot be sufficiently emphasized. A large insurer’s system defenses may be adequate to deal with direct attacks from unknown sources, but what about things that seem to walk in the door from an agency or broker that does business with the insurer on a regular basis?

It is certainly conceivable that a cyber criminal would be able to steal the email addresses and other information about legitimate employees of an agency or brokerage — then use those addresses as a safe entry into the insurer’s systems. Once past the insurer’s “palace guard,” the intruder could then plant malware to take control of the network, or simply begin stealing information.


But would a cyber crook really go to all that trouble? If the end reward is sufficient, the answer is most certainly in the affirmative. From a larger insurer’s or broker’s point of view, then, the key is to make certain that the defenses of our smaller business partners are up to snuff. That may mean making site visits to evaluate the security profile of those partners (and of vendors, for that matter), or it may mean investing in commercial systems defenses that are then given to our partners — truly a win-win, since it protects both insurer and business partner.

Should a larger insurer or broker be forced to help fund defenses for its smaller partners? Probably not, but the investment certainly seems worth it.

More from Risk & Insurance

2018 Most Dangerous Emerging Risks

Emerging Multipliers

It’s not that these risks are new; it’s that they’re coming at you at a volume and rate you never imagined before.
April 9, 2018 • 3 min read

Underwriters have plenty to worry about, but there is one word that perhaps rattles them more than any other word. That word is aggregation.


Aggregation, in the transferred or covered risk usage, represents the multiplying potential of a risk. For examples, we can look back to the asbestos claims that did so much damage to Lloyd’s of London names and syndicates in the mid-1990s.

More recently, underwriters expressed fears about the aggregation of risk from lawsuits by football players at various levels of the sport. Players, from Pee Wee on up to the NFL, claim to have suffered irreversible brain damage from hits to the head.

That risk scenario has yet to fully play out — it will be decades in doing so — but it is already producing claims in the billions.

This year’s edition of our national award-winning coverage of the Most Dangerous Emerging Risks focuses on risks that have always existed. The emergent — and more dangerous — piece to the puzzle is that these risks are now super-charged with risk multipliers.

Take reputational risk, for example. Businesses and individuals that were sharply managed have always protected their reputations fiercely. In days past, a lapse in ethics or morals could be extremely damaging to one’s reputation, but it might take days, weeks, even years of work by newspaper reporters, idle gossips or political enemies to dig it out and make it public.

These days, the speed at which Internet connectedness and social media can spread information makes reputational risk an existential threat. Information that can stop a glittering career dead in its tracks can be shared by millions with a casual, thoughtless tap or swipe on their smartphones.

Aggregation of uninsured risk is another area of focus of our Most Dangerous Emerging Risks (MDER) coverage.

The beauty of the insurance model is that the business expands to cover personal and commercial risks as the world expands. The more cars on the planet, the more car insurance to sell.

The more people, the more life insurance. Brand new technologies, brand new commercial covers. It all works well; until it doesn’t.

As Risk & Insurance® associate editor Michelle Kerr and her sources point out, growing populations and rising property values, combined with an increase in high-severity catastrophes, threaten to push the insurance coverage gap to critical levels.

This aggregation of uninsured value got a recent proof in CAT-filled 2017. The global tally for natural disaster losses in 2017 was $330 billion; 60 percent of it was uninsured.


This uninsured gap threatens to place unsustainable pressure on public resources and hamstring society’s ability to respond to natural disasters, which show no sign of slowing down or tempering.

A related threat, the combination of a failing infrastructure and increasing storm severity, marks our third MDER. This MDER looks at the largely uninsurable risk of business interruption that results not from damage to your property or your suppliers’ property, but to publicly maintained infrastructure that provides ingress and egress to your property. It’s a danger coming into shape more and more frequently.

As always, our goal in writing about these threats is not to engage in fear mongering. It’s to initiate and expand a dialogue that can hopefully result in better planning and mitigation, saving the lives and limbs of businesses here and around the world.

2018 Most Dangerous Emerging Risks

Critical Coverage Gap

Growing populations and rising property values, combined with an increase in high-severity catastrophes, are pushing the insurance protection gap to a critical level.

Climate Change as a Business Interruption Multiplier

Crumbling roads and bridges isolate companies and trigger business interruption losses.


Reputation’s Existential Threat

Social media — the very tool used to connect people in an instant — can threaten a business’s reputation just as quickly.


AI as a Risk Multiplier

AI has potential, but it comes with risks. Mitigating these risks helps insurers and insureds alike, enabling advances in almost every field.


Dan Reynolds is editor-in-chief of Risk & Insurance. He can be reached at [email protected]