Today, the U.S. Chamber of Commerce and FICO released the latest Assessment of Business Cyber Risk (ABC) finding that the level of cyber risk to the U.S. business community is slightly improved from 2019, with a national risk score of 694 (was 688 in 2019).
The ABC provides a national risk score that enables U.S. businesses to understand their cyber risk within the context of similarly-situated firms. It is intended to advance cybersecurity awareness and improve the overall cyber defense programs for all American companies.
This quarter’s report spotlights a growing, market-based solution that is helping to mitigate the impact of cybercrime: cybersecurity insurance. While security experts and consultants work to prevent cyberattacks before they happen, insurance providers are stepping up their offerings to provide coverage once breaches occur, the report says.
“Security breaches are massively increasing among small- and medium-sized businesses, driven by a shocking rise in ransomware,” says Graeme King, managing director for cybersecurity at Volante. “But insurers are not publicizing cybersecurity insurance broadly enough.”
Malicious cyber activity cost the U.S. economy between $57 and $109 billion in 2016, according to the United States Council of Economic Advisers. With the average cost of a data breach costing companies almost $4 million, cybersecurity insurance is becoming a must-have for businesses, but still almost a quarter (24%) of U.S. companies say they have no cybersecurity insurance.
Yosha DeLong, technical director of cyber and professional lines at Zurich North America, says insurers quickly realized that they should not just offer cybersecurity insurance, but also help clients understand the cybersecurity environment and their own risk profile.
“We’re constantly evaluating what our customers need to ensure they have coverage that fits their exposure,” DeLong says. “We try to point out changes in threats, or the industry in general, that might impact the amount or type of insurance they need. For example, making sure they understand how an insurance policy responds to ransomware to make sure they have the right coverage and limits in place.”
King says small businesses are especially vulnerable when it comes to cybersecurity threats and often only think about protecting themselves once it’s too late. They also do not usually have the know-how or resources to protect themselves properly before a breach happens.
“Small businesses are at high risk because they don’t know how to protect themselves. Many still believe that standard antivirus is the best they can do, yet given the rise in successful ransomware attacks it is clear that antivirus is no longer enough. Furthermore, they’re not aware of the need for proper cybersecurity insurance or how it can save their very existence following a successful attack,” King says.
King adds that his company provides each client with a solution to prevent attacks, fully backed by comprehensive cybersecurity insurance just in case things do go wrong, as a “one-stop shop.”
He also recommends that his clients get a handle on their supply chain using the FICO® Cyber Risk Score to measure their partners’ and vendors’ cybersecurity risk. King says the Cyber Risk Score offers an “independent, empirically-derived score” that objectively measures how good the suppliers are at their own cybersecurity protection.
“Take the FICO tool and scan your suppliers,” King says. “And if you find a supplier that is a high risk, tell them: ‘You’re a high risk, demonstrating the same behaviors as companies that have suffered a breach in the last few years. Sorry, but if your score does not materially improve, we’re going to have to find another supplier.’ People have got to start taking this risk more seriously.”
DeLong says the industry also could help assure clients by working together to develop a common lexicon with clearly defined terms to describe cybersecurity insurance coverage.
“Creating a language we all can understand and speak is fundamental,” DeLong says. “I would never advocate for a uniform cybersecurity insurance policy, but we should advocate for a uniform cybersecurity insurance taxonomy. The language we speak should be consistent so that we can collaborate and share data and make our insurance safer and better.”
Taking the long view, DeLong is optimistic that cybersecurity insurance will play an important role in mitigating the impact of cybersecurity attacks, but cooperation and innovation are the key to progress.
“Cybersecurity insurance will continue to expand,” she says. “We have to work together as an insurance community to share information on threats and solutions. We’re already doing some of that with law enforcement and industry groups—we’re going to have to continue to do that—not only to recognize the threat, but also to get information out and establish best practices customers can understand.”