4 Cyber Risk Management Features Middle Market Businesses and Their Brokers Should Look For

Consider these four risk management tips when assessing cyber risk for middle market organizations.
January 17, 2022

Conventional cyber insurance isn’t enough to solve the cyber risk challenges that most middle market businesses face.

Company boards and senior management of businesses with $100 million or more in annual revenue all have cyber exposure risk on their radars and are all aware that assets and reputations can be at risk if a cyber event leads to litigation.

However, awareness of the risk is not the problem facing midsize companies. The real challenge is how to put solutions in place that actually reduce cyber exposures prior to an incident.

Most midsize businesses buy property and casualty insurance, and most have in-house information technology departments that are responsible for the company’s cybersecurity posture.

But these organizations have been increasingly targeted by cybercriminals and other malicious cyber actors, and, without standalone cyber insurance, they can be especially vulnerable to the impact of these attacks.

The Costs of Cyber Attacks for Midsize Businesses

According to IBM Security’s Cost of a Data Breach Report, the average cost of a breach increased to $4.72 million for midsize organizations in 2020. Fifty-two percent of those breaches stemmed from malicious cyberattacks.

But breaches aren’t the only cyber event businesses have to worry about. Ransomware attacks, especially those that occur in conjunction with data breaches, have skyrocketed over the past several years.

Furthermore, supply chain attacks similar to the one that affected Kaseya (a multinational information technology software company) demonstrated that cybercriminals are leveraging their access to attempt to victimize thousands of businesses that rely on third-party software and network services.

As a result, midsize organizations face significant and growing expenses from cyber risk and potential exposures.

In the face of mounting cyber concerns, the question for risk professionals to ask is, “How can we effectively manage cyber risk to prevent a breach from becoming a loss?” The answer is in specialty solutions that combine cybersecurity solutions with insurance coverage.

Cyber Insurance Matures

Insurance products have a maturity curve. It takes years for insurers to fully grasp the scope of a risk and develop coverage features that address it. Directors and officers liability and environmental liability policies went through their own growth process. Cyber insurance is coming into its own: it has become a more mature product than it was 5-10 years ago.

More insurance solutions are available in the marketplace today to address various cyber risks, and midsize organizations should explore specialty cyber insurance to find an optimal solution for them.

In addition to the traditional coverage elements for response services (forensic investigation, legal advice, breach coaching, and incident-related expenses), there are some additional features middle market businesses and their brokers should look for:

1) Cyber risk assessment: Organizations that can recognize their risks before they turn into losses have a big advantage in reducing those potential liabilities.

2) Guidance towards improving cybersecurity: Solutions that identify areas in need of remediation and offer best practices on cybersecurity can go a long way in preventing costly losses and business disruption.

3) Incident simulation: Drills and tabletop exercises of risk scenarios are a valuable way to demonstrate an organization’s preparedness, as well as highlight where additional attention must be paid. Middle market businesses can benefit greatly by working with partners that can simulate cyberattacks and other incidents.

4) Continuous threat monitoring: With the rapid evolution of cybercrime and the growing connectivity of businesses in all industries, cyber defense must become a full-time commitment. Continuous threat monitoring allows an organization to gain visibility into the dynamic threat environment and enable action.

Amy Chang is the Head of Risk and Response at Resilience. Justin Shattuck is Vice President of Security Operations at Resilience. He has been a relentless security threat hunter for the last 15 years and has participated in tracking some of the industry's most notable threat actors while assisting law enforcement agencies.