Insurance vs Cyber Attacks: A Conundrum for SMEs

Of all the sectors of the business community, the SMEs (Small & Medium Enterprises) are the most vulnerable when it comes to cyber attacks, malware infestation, phishing and security breaches. Unlike multinational companies like Facebook or Sony, the capability of an SME to bounce back after a major cyber attack or any other IT issues are highly improbable. That is given since these companies have less market influence, less funding for top-of-the-line cybersecurity defense spending, they are left open for malicious 3rd parties to take advantage of.

With regard to consequences of cyber attacks, the cyber security community recognizes that it can take on many dimensions whose values vary from firm to firm. For example loss of reputation, loss of money, legal liabilities, loss of intellectual property, etc. can all be consequences of an attack, and different companies place different values on these consequences. The damages absorbed by the victims after the attacks are enormous. The recovery of the brand they are promoting will be in doubt, unless they were able to successfully claim insurance benefits quick enough to conduct damage control.

“Cyber insurance products for small businesses generally tend to reimburse the policyholder for the costs of retrieving or repairing data, software and hardware following a cyber-attack, compensation in the event that customers’ data privacy is breached and support in areas such as forensic investigation, as well as legal and compliance-related advice such as fulfilling regulatory responsibilities and repairing reputational damage,” explained moneysupermarket.com in their latest Risk of Cybercrime in Business report.

Cybersecurity insurance is a new package offered by Insurance companies, however, not all of them will be able to claim enough funding for their rebuilding strategy. Insurance policies and coverage for cyber attack victims need to be reformed early on, as the expectation of more attacks in the coming years is already assured. “Businesses should ensure that the costs of the interruption of their business activities caused by cybercrime are covered, and that their policy includes practical support in the aftermath of this event. At a minimum, a business should ensure they have strong anti-virus protection that’s regularly updated, and that they are regularly updating their data to help prevent and protect against cybercrime,” added moneysupermarket.com.

The ratio of social value of the Internet to reach the target revenue of a business will continue to grow. Thus, under-investment in security becomes more and more likely, which creates a very vulnerable atmosphere for a business. Consequently, if in the near future, vertical integration in e-commerce does not take place, some form of regulation may eventually become necessary, the government will need to legislate laws to create an atmosphere of control. If that is not acceptable for the business community, companies would need to produce a standardized analysis of security risks that identifies and ranks risks from their users’ perspective and propose investment plans to mitigate these risks. Such plans can only be decided upon after careful analysis of the systems and networks that were deemed vulnerable, through penetration testing process. Spending for penetration testing is not a cost, but rather an investment for a hack-free future.