Cyber Consulting Could Save Your Clients’ Business
The 2019 Travelers Risk Index found that cyber risk is the number one concern of the businesses it surveyed.
Breaches have increased 73% for large companies, 200% for midsize businesses, and 300% for small organizations, so everyone is in the crosshairs. Yet according to Travelers, only 51% of businesses have purchased cyber insurance. Agents and brokers are hungrily pursuing the half of the market that has not bought a cyber policy, but they need to grasp that close to 100% of the market needs cyber consulting services.
Although cyber insurance is certainly a sound risk transfer measure, buying a cyber policy does not ensure that a company will be able to stay in business after a serious cyber attack. Business interruption costs, lost customers, and the fees for forensic investigators, consultants and legal counsel can break a company. According to the Accenture/Ponemon 2019 report “The Cost of Cybercrime,” the average annual cost of malware attacks to an organization was $2.6 million. The Keeper/Ponemon “2019 Global State of Cybersecurity in Small and Medium-Sized Businesses” report puts the average cost of business interruption from a cyber event at $1.9 million and the average cost of damage to or theft of IT assets and infrastructure at $1.24 million.
Many small and midsize businesses (SMBs) could not absorb these costs and keep operating. Even large companies can be overwhelmed by the costs of a significant cyber event. Consider the 2017 NotPetya attacks, which left Merck, Maersk and FedEx with roughly three weeks of business interruption and losses ranging from $300 million to $670 million per company. Companies need to undertake cyber risk assessments so they know the cyber risks associated with their operations and the financial impact of possible attacks. With this knowledge, they are better prepared to buy appropriate insurance coverage and close the major gaps in their security program. Failure to do so could be the end of the business.
SMBs tend to think of cyber attacks as “breaches” involving personally identifiable information (PII). They do not understand that the cyber threat environment has become very sophisticated and that cyber criminals are targeting them specifically. Why are they targeted? Because SMBs often hold valuable intellectual property while having weak security controls, running unpatched or out-of-support equipment, and lacking good backup/recovery systems and incident response plans. In a word, they are easy targets, and their weak controls and poor incident response reduce the odds that the criminals will be tracked and traced.
Attacks today are often multi-pronged. Any company that does not have an incident response plan to guide it through a serious attack will regret it. Companies of all sizes tend to assume they will not be targeted, so they never confirm that their backup/recovery plan is complete and tested and that their employees are trained. Ransomware has proven how foolish this is: a backup that is online and reachable from the compromised network can be encrypted along with everything else, and a backup that has never been restored in a drill is an untested assumption, not a recovery plan.
The bottom line is that agents and brokers need to be doing more than selling cyber policies. They need to offer cyber-security consulting services to their clients, or steer them to a trusted provider, so that the client ends up with a cyber risk transfer plan that is anchored to its operations and actually addresses the risks that could put it out of business.
A risk assessment is the first step. It is a best practice, and many laws and regulations require it. It identifies the gaps and deficiencies in a cyber-security program and the remediation measures needed to mature the organization's security posture. Some assessments can also quantify the impact of cyber risks. This is particularly valuable to the client and the broker because it lets them understand the financial impact of cyber events and build a comprehensive risk transfer plan. Most importantly, it helps them understand the types of cyber coverage they need. Cyber insurance policies may not cover every exposure a client faces from the range of possible attacks. When a client realizes its cyber policy will not pay all of the claims arising from an incident, it is likely to blame the broker or agent for not selling it the right coverage.
All companies should perform regular cyber risk assessments, because doing so shows that the company is actively managing its cyber risks. That can earn considerable goodwill from regulators and investors when the company faces the fallout from an incident. Everyone understands that no one has perfect security, but when a company is demonstrably trying to secure its systems and data, conducting assessments, and working through a remediation plan, there tends to be far less blame, and the company has a stronger defense against lawsuits. The company that has never done a cyber risk assessment, by contrast, can expect little but scorn and fines.
Cyber consulting services can also help clients develop incident response plans and complete backup/recovery plans. Ransomware has proven that these are what make the difference between restoring systems and continuing operations on one hand, and massive business interruption losses on the other.
If agents and brokers are going to get into the business of offering cyber consulting services, however, they need to understand that there is no silver bullet. Every company has its own system architecture, policies and procedures, compliance requirements, culture, business processes, operating jurisdictions, partners, and vendors. Generic answers produced in a hurry do not work. Cyber risk assessments and incident response plans have to be done properly, and they have to analyze the details of the organization's operations and system architecture.
In merger and acquisition situations, clients who are selling benefit from cyber consulting, because cyber-security reviews are now considered a best practice in M&A and startup funding due diligence. Companies that have their cyber act together are more attractive in the marketplace; no one wants to buy a problem. It is far better to be attractive to investors than to cyber criminals.
In sum, agents and brokers should evaluate the cyber services they offer their clients and ask whether those services really help the clients manage their cyber risks and stay in business, or whether they are just selling a policy.