The U.S. House Committee on Small Business recently held a hearing on “Protecting Small Businesses from Cyber Attacks: the Cybersecurity Insurance Option” that examined how cybersecurity insurance solutions can help small businesses recover from a cyber attack. Lawmakers considered the challenges small businesses face in selecting a cybersecurity insurance policy, as well as hurdles insurers must overcome to offer viable and comprehensive corresponding solutions.
“The cybersecurity insurance marketplace is remarkably new and many of the providers still lack the historical data to offer appropriate plans to consumers, which drives up the cost to policyholders,” Committee Chairman Steve Chabot said in his opening statement.
In its hearing memorandum, the Committee explained that small businesses often lack adequate commercial liability insurance. Those that have it are still at significant risk because commercial lines policies do not cover many cyber risks that require purchase of a special cyber liability policy.
Given the lack of historical data, those seeking cybersecurity insurance policies are subject to qualitative assessments of their risk management procedures and risk culture as determined by the insurance underwriters. The resulting individualized policy assessments have been driving up the cost of cyber insurance policies, it was explained. The Committee noted that small businesses can face challenges in obtaining a cyber policy because many are underequipped to implement adequate risk-management techniques to protect their networks, the ways in which employees access data systems, and the reliability of the business’ antivirus and anti-malware software—all of which are likely to be highly scrutinized when coverage is applied for. Another major hurdle for small business cyber insurance consumers is the complexity and variability in potential policy underwriting options.
The Department of Homeland Security’s National Protection and Programs Directorate is working with various stakeholders to find ways to expand the cybersecurity insurance market’s ability to address this emerging risk area. Meanwhile, disputes between cyber policyholders and insurers are inevitable as courts are asked to interpret policy language, while claims continue to be made by businesses carrying traditional commercial general liability policies that lack cyber insurance exclusions. The Committee warned that, as cyber insurance policyholders continue to become victims of sophisticated schemes designed to coerce businesses into authorizing transfers to fraudulent bank accounts, insurance coverage fights will persist under the computer fraud provisions of commercial crime policies.
The official Committee press release is reprinted below, along with a link to the video replay and individual witness testimonies:
SBC Examines the Cybersecurity Insurance Option
WASHINGTON – Today, the House Committee on Small Business heard from a panel of experts on how cybersecurity insurance solutions can help small businesses recover from a cyber attack. They also took a closer look at the challenges small businesses may face in selecting a cybersecurity insurance policy and how insurers can make it a more affordable option for small companies trying to grow and protect themselves.
“One case in particular that stands out is the story of a small business owner who testified before this Committee last year. He owned an indoor go-carting facility in Maine and had a number of employees and families that depended on him. He told the Committee how he was struck by a phishing scam—he logged onto his bank account and to his utter disbelief, his balance was zero. This happened on a payday no less,” said House Small Business Committee Chairman Steve Chabot (R-OH).
“In our Committee’s efforts to spotlight these serious and growing threats, it has become clear that we need to think outside of the box as we work to thwart cyber attacks,” added Chairman Chabot.
“The statistics show that there is a sufficient amount of work to be done on the part of small companies and their operational strategies. Sixty-five percent of small businesses reported that they do not strictly enforce their password policy; this is the largest gateway for potential breaches. It is imperative that we, as small business owners, fully enforce the most intrusive method of sabotaging our networks, and therefore our business,” said Robert Luft, President, SureFire Innovations in Cincinnati, OH.
“The role of insurance is continuously increasing as customers are now seeking industry feedback and risk insights. It has become more of a partnership, with businesses focusing on not just what happens post-breach and a loss being paid. They value having a stable of pre-vetted vendors available to them if they are impacted by a data or security event. They are also focusing more on pre-breach services to guide them through risk mitigation tools like technology assessments,” said Erica Davis, Senior Vice President, Head of Specialty Products Errors & Omissions of Zurich Insurance in Washington, D.C.
“The number one reason [that small businesses did not purchase cyber insurance] given was that they claimed they did not need it. The second was the expense of coverage, and the third was that the process was too complicated and confusing. These results suggest that education is key to increasing the take-up rate of cyber insurance by small businesses, particularly given that 86% of the respondents stated that they store Personally Identifying or Personal Health Information,” said Eric Cernak, Vice President of Cyber Risk Practice Leader of Munich Re U.S. in Hartford, CT.