Cyber Insurance: Summer Is Prime Time for Hackers

Here's something most business owners don't think about: summer is one of the riskiest times of year for a cyber incident. Your IT contacts are on vacation. Staff coverage is thin. Response times slow down. And while your guard is down, the people trying to get into your systems aren't taking July off.

Ransomware, business email compromise, and data breaches don't respect the calendar. What they do respond to is opportunity, and a business running with reduced oversight and distracted employees is exactly the kind of opportunity attackers look for.

What most small businesses don't realize:

Only 10 to 20 percent of small and mid-size businesses currently carry cyber insurance, compared to roughly 75 percent of large companies. That gap exists in large part because owners assume they're too small to be a target. That's not how it works. Smaller businesses are often easier targets precisely because they don't have dedicated IT security teams.

The average cost of a data breach for a small business runs into the hundreds of thousands of dollars when you factor in notification costs, regulatory fines, business interruption, and recovery. Most businesses don't have reserves to absorb that. A cyber policy does.

What's changed in underwriting:

Getting cyber coverage isn't as simple as it used to be. Carriers now function more like security auditors than traditional insurers. More than 73 percent of small businesses fail their initial cyber insurance assessment, facing coverage denial or steep premium increases. What underwriters are looking for today includes:

• Multi-factor authentication on all systems and email accounts

• Endpoint protection software on every device

• Offsite data backups that are tested and actually recoverable

• A basic incident response plan, meaning someone knows what to do if a breach happens

The good news is that businesses who've invested in these controls are seeing favorable rates. The market has softened for well-protected risks, even as it's tightened for everyone else.

The summer travel angle:

If you or your employees travel for business or check work email from hotel WiFi or airport networks, that's a real exposure. Nearly one in five Americans has experienced a cybersecurity incident after using public WiFi. A VPN closes most of that risk, but it has to actually be in use. This is a good time to remind your team.

If you don't currently carry cyber coverage, or if you haven't had your policy reviewed in the past year, let's talk. The coverage has changed, the risks have changed, and what protected you two years ago may not be the right fit today.