Small Business Cybersecurity Insurance Is Vital, House Panel Told

By Daniel R. Stoller

The nascent cybersecurity insurance market can play an important role for smaller businesses, which remain a prime target for hackers and cybercriminals, witnesses and congressmen said at a House Small Business Committee hearing July 26.

Larger corporations have already begun to learn to shift and mitigate cybersecurity risks through insurance, but smaller companies need to get on board, they said. Companies should also follow federal cybersecurity guidance and understand that they must control cybersecurity risks when acting as third-party vendors to larger companies, witnesses said.

Large-scale cyberattacks, such as Petya and WannaCry, made larger companies take note of the need for insurance, witnesses and lawmakers said at the hearing. But 50 percent of reported cyberattacks are against companies with $50 million in revenue or less, Daimon Geopfert, national leader and security and privacy consultant at Risk Advisory Services in Southfield, Mich., said.

There needs to be a concerted effort from public- and private-sector stakeholders to provide guidance and get the message out to small businesses that are facing exploding cybersecurity risks, the witnesses said. Small business owner Robert Luft, president of SureFire Innovations in Cincinnati, Ohio, said small businesses need to understand that “there is a real cybersecurity risk out there.”

Committee Chairman Steve Chabot (R-Ohio) told Bloomberg BNA July 26 after the hearing that cybersecurity remains a top priority for the committee. Hopefully the hearing will alert small businesses to cybersecurity insurance as an important risk mitigation option, he said.

But cybersecurity insurance isn’t a “silver bullet” solution for small businesses to manage risk, Erica Davis, senior vice president at Zurich America Insurance Co. and a hearing witness, told Bloomberg BNA July 26. Even with insurance, small businesses should still implement cybersecurity best practices, such as adopting an incident response plan, she said.

Third-Party Cybersecurity Risk

There has been a recent string of data breaches and hacking attacks connected to the data security practices of third-party vendors. For example, the massive Target Corp. data breach that exposed as many as 60 million customers’ payment card data was attributed to a third-party vendor’s weak data security measures. A more recent example is the hack of post-production company Larson Studios, which led to the theft of Netflix Inc.'s “Orange is the New Black” before its scheduled release date.

Due to the cybersecurity risks associated with third-party vendors and partners, insurance may play an important role in maintaining business continuity and limiting both reputational and bottom-line revenue risks, witnesses said.

Large companies often require their third-party vendors to incorporate cybersecurity standards, such as the National Institute of Standards and Technology’s Cybersecurity Framework, and may increasingly make them buy cybersecurity insurance, Eric Cernak, cyber risk and privacy practice leader at Munich Re U.S., said. The goal of third-party vendor cybersecurity insurance is to protect the larger companies from unknown cybersecurity risks and from less technically savvy partners, he said.

More complex companies will have more security tools and greater technical capabilities to defend themselves against cyberattacks, Geopfert said.

Davis said that larger companies generally have “more capital and resources” to defend against cyberattacks, and that means they are “locked and loaded when it comes to risk management.” However, smaller businesses are now involved in larger companies’ supply chains, and weak data security at the vendor level can sometimes go undetected, she said.

Insurance Industry Role

To help small businesses limit their cybersecurity risks and thrive in the larger supply chain, “insurance brokers, carriers,” and large companies should increase their efforts to “educate” smaller companies on the benefits of cybersecurity insurance and better data security protections, Davis said.

Small businesses might want to turn to more established insurance carriers that are able to devote resources and have the technical abilities to provide cybersecurity insurance products tailored to their specific needs, witnesses said.

Davis told Bloomberg BNA that, for the cybersecurity industry to thrive in the small business community, it will have to make a dedicated effort to understand the community’s needs. Some insurance carriers that lack the technical knowledge or understanding “won’t be able to dedicate the full resources needed to understand the exposures,” she said.

With assistance from Brandon Ross in Washington

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.