SMEs are particularly vulnerable to cyber attacks

The digital shift accelerated by COVID-19 has meant that small and medium enterprises (SMEs) are increasingly on the radar of cyber criminals, particularly in the healthcare, professional and financial services sectors. They face much higher costs than large companies after a cyber attack, which is another reason for SMEs to strengthen their cyber defences.

SMEs have become easy targets for cyber criminals due to their relatively low defence capacity. Most companies are uninsured or significantly under-insured for cyber exposures. According to a new publication from the Swiss Re Institute (SRI), the total claims arising from a cyber attack suffered by an SME are in relative terms three times larger than for bigger firms, with forensic costs typically ranging from USD 20 000 to USD 100 000 for a company with turnover of less than USD 50 million.

Once attacked, the financial resilience of a cyber entrant is lower than that of an enterprise that has had cyber hygiene measures in place for some time. This is because a company without initial cyber capacity generally has little attack preparedness and few incident response protocols in place. It will thus take longer until the threat is detected and resolved, and during this time first-party losses rise.

Ransomware most common

In three out of four successful cyber attacks on SMEs, ransomware, social engineering and business email tactics were employed, as claims data from 2016 to 2020 reveal. Average costs of an incident are USD 152 000 million (see graphic).

The financial, administrative and legal burden from a cyber attack targeting an SME is generally considerable. Apart from forensic costs, court proceedings by customers may also lead to financial compensation obligations. Meanwhile, the company incurs internal costs to get its operations back up and running, and to address the damages it has suffered from the attack.

Cyber insurance policies typically cover most of these elements. They often also offer rapid incident management services that provide step-by-step guidance and swift access to a network of specialised service providers along the incident management cycle to facilitate prompt and effective intervention.

Insurers can help to bridge cyber-defence gap

Insurers can help to bridge the cyber-defence gap for smaller companies by raising risk awareness, establishing cybersecurity requirements and incentivising continuous monitoring/adjustments to risks.
