Cybersecurity Insurance for Small Businesses [Overview: 2023]

• In your cubicle on the edge of the manufacturing floor, you follow your vendor’s email instructions to make a direct deposit of $46,000 to their account, only to discover three days later that they never receive the payment...

• Cup of coffee at the ready, you sign in to your computer at your practice at 7:30AM sharp and discover a message. “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data...”

• You own a small-town café with public Wi-Fi. You open your business mail during a mid-morning lull and discover a notice that you are being sued. One of your customers was hacked while using your internet access and is holding your business liable for their losses...

Now what?

Fund Transfer Fraud (FTF), Business Email Compromise (BEC), ransomware, cyber liability, or even (especially) good ol’ fashioned phishing can permanently close the doors of a small business. A single wayward click by one of your employees, clients, or vendors can precipitate any of our doomsday examples above.

We hope you already implement cybersecurity measures designed to prevent a cyberattack—but are you prepared for one that still manages to slip past your defenses?

Do small businesses really need cybersecurity insurance coverage?

According to the FBI, in 2022, Business Email Compromise (BEC) cost US businesses more than $2.7 billion. Insurance provider Coalition reported that ransomware claim severity reached an all-time high in the first half of 2023, with the average loss per business surpassing $365,000 in ransom payments.  

Unfortunately for SMBs, these statistics do not just reflect the financial impact of cybercrime on large corporations and enterprises. If anything, the repercussions for small businesses can be even more severe since they often operate on tighter budgets and smaller capital reserves. In fact, 60% of small businesses shut down within six months of a cyberattack.

Thanks to Hollywood, most people mistakenly assume that cyberattacks usually originate from a nefarious hacker in a hoodie sipping Red Bull at midnight. However, here in the real world, cybercrime often begins in surprisingly mundane origins and impacts nearly every sector of the economy. No business with a computer is without risk.

• Auto dealerships can be easily compromised through a stolen laptop or tablet left unattended by a salesperson.
• Invoices for feed and agricultural supplies at busy times of year can be spoofed, leading farmers to make hasty payments to fake entities.
• Contractors' client databases are juicy targets for many hackers and can be accessed through third-party vulnerabilities. (Listen on Spotify to this recent podcast about how a cybercriminal abused a pool-installation contractor to scam a family out of $31,000 dollars through Zelle).  

How does cyber insurance protect small businesses?

To get an idea of how cyber insurance helps real small businesses in Missouri and across the United States, we spoke with Creig Scott, an account executive specializing in cyber coverage at SBI Insurance.

When we asked Scott how many of their clients had cyber insurance, his answer was simple – “Not enough.”

“Sure, cybercriminals might be attacking the Targets and Home Depots, but who they are really going after is the small business that is not staying up-to-date. They want to find that small business owner wearing multiple hats that just wants to pay an invoice without looking at the details and move on.”

According to Scott, most of their SMB clients elect to carry no cyber coverage at all. Those that are covered, usually only maintain a minimal offering through their business owner’s policy (BOP). Standard BOP coverage typically only covers $25-$50 thousand dollars in cyber liability, leaving small businesses completely exposed to the most common and harmful types of cyber risks: social engineering schemes, phishing, ransomware, and business email compromise.

Across the industry, most SMBs seek cyber coverage only once its too late—after they (or a close associate) have personally experienced a cyberattack. Scott explained to us that, in 2023, it can be extremely difficult to secure a cyber policy for a small business that has recently suffered a cyberattack. In the recent past , nearly any business was able to obtain a cyber insurance policy. However, as the market matures and the demand for cyber coverage increases, insurance companies have become increasingly selective to whom they provide coverage, and companies that have previously fallen victim to cyberattacks are often at the bottom of that list.

Fortunately, forward-looking companies that proactively seek help from cyber brokers are able to procure a policy before disaster strikes. SBI is a broker for Cowbell Insurance—the leading cyber insurance provider for SMEs.

SBI’s cyber offerings through Cowbell provide far greater coverage than a standard BOP policy. These dedicated cyber policies cover the types of cyber catastrophes that tend to portend a small business Armageddon event.

Scott recommends that the average Missouri small businesses start with at least $250,000 of coverage, with the disclaimer that “Something is better than nothing, but more is better.” That advice makes sense when you consider that the average fund transfer fraud cost for a small business was $247,152 at the end of 2022.

Beyond fund transfer fraud, a SBI’s cyber policies also covers other flavors of social engineering, like spear-phishing, business email compromise, and smishing attacks. This type of coverage is especially important since it accounts for human error at the office. Even for the small business that keeps its cybersecurity policies and software up-to-date, an impulsive click by an any employee can still open the door for a debilitating cyberattack.

How can a small business reduce its cyber insurance premiums?

Like any other insurance sector, cyber insurance providers want safe, healthy customers. In the world of healthcare, young people with no pre-existing conditions are offered low premiums. Those policies tend to not pay out frequently and, as a result, offset the payouts necessitated by less healthy clients. The same goes for the auto insurance industry; many providers offer rebates to drivers with exceptional safety records or extra safety training.

In the cyber insurance landscape, dedicated cyber providers like Cowbell and Coalition as well as traditional houses with cyber offerings like Travelers, Chubb, and AIG prefer clients that they perceive to be safe bets, and they are usually willing to offer discounts or incentives in order to attract them. So how can a small business become attractive to a cyber insurance provider?

Scott explained to us that his customers can obtain lower rates by through measures like up-to-date isolated offline backups, encrypted business email services, multi-factor authentication (MFA) on all accounts, policies for the disbursement of payment (like mandatory sign-offs from multiple individuals), and continual employee cybersecurity education.

In order to implement these measures, many small businesses are increasingly turning to managed service providers (MSPs) like NOC Technology. Good MSPs typically retain a variety of experts on their staff (including cybersecurity specialists) that can provide far greater IT support than a typical Missouri SME could ever contract in-house. The benefit extends far beyond help desk support. In the past year, one of NOC’s clients commented that since contracting our services, his small business’s cybersecurity premiums had dropped by roughly 10% simply due to the standard

measures we take to protect our clients.

In summary

Our conversation with Scott confirmed our own experience with local clients—Missouri small businesses are still not taking the current cybersecurity threat seriously enough. We continue to encourage small businesses, local governments, and non-profits in Missouri and across the Midwest to take a proactive approach to cybersecurity threats.

1. Implement the minimum cybersecurity measures to prevent catastrophe from happening: MFA, secure endpoints, up-to-date IT and disbursement policies, encrypted email and backup, and employee education.
2. If you need support to implement cybersecurity measures in your small business, seek help from a local, high-quality MSP that can make sure that all of your bases are covered.
3. Do not stop once you have taken every proactive measure. Maintain adequate cybersecurity coverage as a parachute in case of an unpreventable disaster.