Managing Cyber Risk for Mid- and Large-Sized Companies: Why Each Requires a Specialized Approach
There’s no doubt new technology brings about vast advancements in how we operate and conduct our business. But businesses must remain ever-vigilant in a tech-savvy world: With every new technological feat comes an opportunity for advanced cyber risk.
For example, ransomware attacks continue to grow and evolve; McAfee reported a 69% increase in new ransomware from Q3 to Q4 of 2020. A survey of IT managers by Sophos in early 2020 found that 59% of companies in the U.S. experienced some type of ransomware attack, with only 25% of those attacked successfully stopping the attack before data was encrypted.
The average cost of remediation in the U.S. was estimated to be more than $600,000.
“Ransomware attacks are the most prevalent cyber risk we’re seeing right now,” said Danielle Librizzi, Head of Professional Liability at QBE North America, “but it’s not the only one. Data breaches, business email compromises and denial of service attacks and more can all pose massive threats to an operation.”
Businesses of all sizes need to be on high alert when it comes to managing these cyber risks. Typical property & casualty coverage can be limited and may exclude cyber risk, making cyber coverage and cyber risk planning a must. But the fact that the threats are similar for large and mid-sized businesses doesn’t mean they need the same insurance solution from their carrier.
“A mid-sized business should have a different solution than a large operation. Mid-sized companies may not be in the same position as larger operations with respect to risk management resources and budget, and the impact of a cyber breach could be much more devastating,” Librizzi explained.
At a time when the cost of a cyber breach is on the rise in tandem with the growing threat of bad actors, implementing best practices not only helps thwart an attack but will also assist companies in securing the best possible insurance protection.
Here are just some of the ways mid-sized businesses and larger operations should be looking at their unique cyber response plans.
Breaking Down the Cyber Landscape for Mid-Sized Businesses
What separates a mid-sized business from its larger counterparts is how it’s guarding against, monitoring for and preparing a response to potential cyber incidents.
“Larger companies have the scale to support a robust IT security function that ensures the latest best practices are in effect, such as proper network segmentation, regular and secure system and data backups, immediate implementation of system update patches, and constant employee education efforts against phishing and other scams. They have networks of people working 24/7 to monitor their systems. That’s usually not the case for mid-sized businesses,” said Librizzi.
The onus of monitoring incidents or abnormal activity falls to management and the tactics it puts into place to manage cyber risks. If the company is not on top of the threats out there and does not have a playbook to fall back on when an incident occurs, it could risk its whole operation.
“If a cyber incident occurs, mid-sized businesses often lack the resources to manage through a ransom demand or systematically notify impacted external customers and other parties,” Librizzi said.
One way to combat this is to have a risk strategy on the books. However, in its Mid-Sized Company Risk Report, QBE found that 40% of mid-sized businesses surveyed said they did not have a digital risk management strategy in place.
Mid-sized businesses cannot sit idly by. “If an incident happens, the company doesn’t want to be waiting, asking itself whom to call or what to do,” Librizzi said. “There’s often a legal component to address, forensic questions and perhaps public relations concerns. These are the things they should be thinking about and preparing for long before an event occurs.”
Training is a great place to start. Making a concerted effort to train employees on the difference between a phishing email and a “typical” correspondence can go a long way toward stopping scammers in their tracks.
After an incident, insurers can also help get these businesses on the right track by bringing in cyber resources that will mitigate the effects of a breach or ransom demand. Knowing the right vendors and law firms to work with can be a tall task, especially when there are many to choose from and not all offer the same services.
“Insurance carriers have experience with the vendors and the law firms. We can help figure out who to pair them with that will meet their needs,” said Librizzi.
Additionally, mid-sized companies need to pay attention to the actual coverage they’re purchasing rather than just buying the “next best thing” available on the market. Librizzi said this is because not all policies will be the perfect match in terms of an individual business’ exposures.
Large Companies Need to Look at Cyber in Their Own Terms
Like mid-sized businesses, Librizzi said large companies need to address their individual operation’s cyber exposures on a granular level instead of buying a one-size-fits-all insurance policy. A large company’s cyber risk mitigation efforts truly differ from its mid-sized counterparts, and the conversation it has with insurers should reflect that.
“Buying standard coverage that’s on the market because it’s available without an analysis of what is necessary to protect your business is an oversight larger companies can’t afford to make – it diminishes the value of the coverage,” Librizzi explained.
One example is payment card industry (PCI) coverage. While PCI is a vital coverage for companies that take payments via credit cards, not all operations have that kind of exposure.
“We often see companies without the exposure purchasing PCI coverage. At times less can be more, particularly when tailoring coverage,” she said.
To truly identify the most appropriate coverages, larger companies should look to their insurance partners for guidance. “Where mid-sized companies lean more heavily on the expertise of their insurance partners to link them with the best resources like vendors and provide policies to match, larger companies look to their insurance partners to tailor coverage to the risk mitigation strategies already at play,” Librizzi said.
Large companies tend to have a risk management team on staff, or at least the resources to have a third party available to review risk strategies. They will likely have the budgets in place to monitor and manage a ransom demand or cyber breach if the need arises. Insurance is the added bonus to help mitigate cyber risk.
“We can step in and review coverages and say, ‘Maybe it should look more like this as opposed to the current coverage setup.’ Insurers can help make the coverage align with the business and make it more beneficial for the larger enterprise,” said Librizzi.
Where Mid- and Large-Sized Companies Can Turn to Address Cyber Risk
No matter the size of a business, one thing is clear: Addressing cyber exposures comes down to the individual company’s needs. The exact operations of a business can open the door to different levels of cyber risk. It is key to review each of these elements and work toward cyber solutions that effectively cover them.
That is the goal of QBE North America and its cyber insurance team.
With a group of underwriters dedicated to tailoring cyber coverage to meet client needs, QBE strives to come up with solutions as unique as the companies it serves.
“One of our strong suits is being able to work alongside all our underwriting departments in North America,” Librizzi said. “When we think about cyber coverage, we’re not leaving it in its own silo. We look at how it fits with other coverages to minimize potential gaps and overlaps in protection.”
Additionally, QBE’s underwriting teams work with claims and product development to help ensure that all cyber products offered are truly addressing client needs.
“We have three viewpoints we bring together to make sure the language is there, that we’re matching it to the customer’s standards,” she said. “We make sure we’re all on the same page so that when the customer works with us, everyone knows what to expect.”
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with QBE North America. The editorial staff of Risk & Insurance had no role in its preparation.