Cyber Risks Are Shifting

By Harry J. Lew

As cyber-breaches continued to afflict U.S. businesses in 2017, both small and large-sized businesses continue to give data security a big priority. That’s the takeaway from a recent survey by USI Insurance Services.

However, according to its 2017 Cyber Security and Data Privacy Study, the top concern of companies with $100 million or more in revenue has evolved from private data loss or leakage to managing reputational and regulatory risk.

Meanwhile, smaller firms—those with $5 to $100 million in annual revenue—were more concerned about leakage of private data (42 percent of the smaller companies vs. 19 percent of the larger ones). Smaller firms were also more worried about loss of data (16 percent vs. 11 percent) and software vulnerabilities (9 percent vs. 5 percent).

The USI survey shows why companies remain so concerned about cybersecurity. According to the report, companies of all sizes reported incidents in 2018, including data privacy loss, impostor fraud, and ransomware. As a result, many firms have increased their information technology budgets to better manage cyber-risks last year, and a majority of firms purchased cyber-security and data privacy insurance.

In addition, both large and small firms more often develop incident-response and business continuity plans, the USI report revealed.

Based on a survey of 100 decision makers at firms with $100 million or more in annual revenue and another 100 at firms with $5 million to $100 million in revenue, USI’s report painted a picture of escalating cyber-risks for firms of all sizes. For example, it found that 32 percent of smaller entities were victims of impostor fraud, 25 percent suffered ransomware attacks, and 32 percent had a data privacy incident.

One of the more ominous trends is the rise of so-called impostor fraud. This involves incidents of criminals posing as customers, executives, or employees of a target company in order to divert company money to external bank accounts. According to the USI report, large firms that experienced such an attack lost anywhere from $100,000 to $500,000 per incident. Smaller firms lost between $25,000 and $250,000.

Data privacy incidents and ransomware attacks were more likely to occur in large firms, USI found. However, smaller companies were more prone to experience theft of portable devices or hard drives.

Although mounting numbers of firms are now purchasing cyber-risk insurance (91 percent of large firms and 84 percent of smaller ones), significant percentages still found buying it challenging. For instance, cost was a barrier for 45 percent of large firms and 38 percent of smaller companies, while 40 percent of large firms and 43 percent of small ones found it difficult to find policies that fit their needs.

Despite the purchase difficulties, 54 percent of large firms and 24 percent of smaller firms filed a cyber-insurance claim in the past year, with nearly all satisfied with their coverage adequacy (92 percent for large firms vs. 100 percent for small).

The differences between large and small companies were especially apparent in how they prepare for future cyber incidents. For example, 96 percent of large companies vs. 81 percent of smaller businesses have written, detailed incident- response plans, while 84 percent of large vs. 70 percent of small companies have tested those plans. Clearly, smaller companies need to raise their games if they wish to prevent major cyber-incidents in the future.