Understanding Cyber Risk and Insurance for Small Businesses

Alan Gin, CEO, ZeroDown Software
Learn valuable insights into how businesses can manage their cyber risks effectively.

This is a companion blog to “The SafeHouse” podcast dated October 3, 2024, with host Jeff Edwards, Co-Chair of the SafeHouse Initiative, and his guest Eric Cernak, President of Cyber at the Hanover Insurance Group, who shares valuable insights into how businesses can manage their cyber risks effectively. Listen to and view the podcast here: https://safehouseinitiative.org/cyber-risk-and-insurance-for-small-businesses/

 

The Need for Cyber Insurance Education

Eric Cernak has been in the cyber insurance industry for over 20 years, witnessing firsthand the evolution of exposures faced by small businesses and the corresponding solutions. He emphasizes the dire need for education in this area, especially for small to midsize businesses that often overlook their vulnerabilities. “It’s about understanding the world we live in today when it comes to cyber risk,” Eric states.

 

Common Misconceptions About Cyber Risk

Throughout his career, Eric has encountered various misconceptions about cyber risks among small businesses:

“We’re not big enough to be targeted.” Many believe that hackers only go after larger corporations.

“I operate in a safe industry.” Businesses in sectors perceived as low-risk often underestimate their exposure.

“I don’t collect personal information.” Even businesses that don’t handle sensitive data are at risk.

“I can trust my employees.” Employee negligence or insider threats can lead to significant breaches.

“We’re not dependent on computers.” This assumption ignores the pervasive role of technology in modern operations.

 

The Evolution of Cyber Insurance

Cyber insurance has rapidly evolved, especially in response to emerging threats like ransomware. Initially focused on privacy exposures, the industry has shifted towards business interruption risks. Eric explains, “Ransomware attacks have become more sophisticated, often exploiting vulnerabilities in businesses that rely heavily on technology.” The introduction of cryptocurrency has made it easier for cybercriminals to operate anonymously, further complicating the landscape.

 

Key Aspects of Cyber Insurance Policies

When discussing cyber insurance, Eric highlights the critical elements that a typical policy should cover:

Third-Party Liability:
  • This includes coverage for privacy and security liability, protecting businesses from claims related to data breaches.
First-Party Coverage:

First-party coverage can be broken down into three main buckets:

  • Breach Response Costs: Covers forensic investigations and notifications to affected individuals.
  • Business Interruption: Protects against income loss due to cyber incidents.
  • Fraud Protection: Includes coverage for funds transfer fraud and social engineering attacks.

 

Proactive Measures and Resources

Aside from coverage, Eric emphasizes the importance of proactive measures. Insurers often provide additional resources such as:

  • Consulting services for secure email configurations and network segmentation.
  • Access to tools for endpoint detection and response.
  • 24/7 support from claims adjusters specialized in cyber incidents.

 

Starting Your Cybersecurity Journey

If you’re a small business owner without a cyber policy, Eric recommends starting with some basic steps to bolster your security posture:

  • Create an Incident Response Plan: Outline who to contact and the steps to take during an incident.
  • Implement Multi-Factor Authentication: Start with critical accounts to enhance security.
  • Regular Backups: Ensure backups are immutable and practice restoration processes.
  • Deploy Endpoint Detection Tools: Monitor for anomalous behavior and isolate issues quickly.
  • Consider Managed Detection and Response Services: Professional management can help monitor and respond to threats.

 

Final Thoughts

In a rapidly changing cyber landscape, small businesses must remain vigilant. “Managing cyber risk is an ongoing endeavor,” Eric advises. “You can’t simply purchase every technical solution or rely solely on insurance; you need to start somewhere.”

 

As we conclude, remember that being proactive is key to safeguarding your business against cyber threats. For more information about the SafeHouse Initiative and resources to help you navigate these challenges, visit our website.