How to prevent small business clients from hitting cyber blind spots

Ask five key questions to help identify cyber risk

As seen in Insurance Journal

In an increasingly digital world, it’s important that small businesses don’t get left behind when fending off cyber threats. While a recent study by Forbes Insights and The Hanover shows that most small business owners recognize they are exposed to cyber attacks (94 percent), only 20 percent feel adequately insured against cyber risks. This “coverage gap” is driven largely by the challenges businesses face when valuing their (or other’s) digital assets and what makes them potential targets of a cyber breach in the first place.

Assessing digital risks

Helping businesses understand they are big enough to be targets and recognize they have ample digital assets of value to a cyber attacker is a critical first step. A second crucial step is for independent agents to guide business owners through the complexities of a cyber risk analysis so they can identify high-risk areas in their operations. Often, business owners conclude they do not have any personally identifiable information in their systems, and their analysis stops there. Unfortunately, when it comes to small commercial insurance, and especially cyber, it is more complex than that.

The following are five key questions agents can ask to determine their customers’ most significant cyber risks:

  • Does your client’s business have digital assets? Without knowing what the client is trying to protect, it is difficult to design a risk mitigation program. Small businesses can have many digital assets, including design or manufacturing specs (their own or customers’), personal information, and mergers and acquisitions activity.
  • Do they know where those assets are located? Understanding where and how assets are stored is critical in determining what kind of coverage is needed to protect them. This can include on-site systems, cloud back- ups, historical hard copy information, data entrusted to third parties (e.g. employee data managed by an HR suite or compensation management software provider) and more.
  • How do they value those assets? Is the client in a “high-trust” field (e.g. doctors, lawyers, etc.) where a cyber attack would reduce consumer confidence? Reputation management is a key consideration in designing cyber insurance coverage plans. For more industrial or manufacturing-based clients, questions related to the importance of the digital assets include: “Would a shutdown cause the client to miss key deliverable dates?” and, “Could the data be easily recreated?”
  • Do they have access to a third party’s system? Your clients may not store valuable assets themselves but could be targets due to their access to larger, more data rich organizations with which they have business relationships.
  • How long, or in what capacity, could they run their operations if their point-of-sale or other systems were taken off-line? Some attacks are indiscriminate and cast large nets. An unknowing employee could erroneously click on a malware link in an email that results in files or systems being “locked.” Having coverage to mitigate risks associated with human error or employee negligence cannot be overstated for most clients, especially those relying heavily on point-of-sale, manufacturing or other systems.

Customizing coverage

Once digital asset risks are identified, the final step in a cyber risk analysis is determining which cyber insurance fits clients’ needs. Cyber insurance can provide coverage for first- and third-party risks, adding a level of complexity for businesses evaluating their needs. With almost every business relying on computers, optimizing policies for coverages and appropriate limits is challenging. It’s critical to consider coverages and limits that address the exposures specific to each customer’s class of business. Here are three cyber coverage types to consider, based on clients’ needs:

  1. Baseline. This coverage often is the best option for clients that do not have substantial exposures and do not require extensive protection. For instance, if a client does not collect extensive amounts of personal information and does not have highly automated and connected manufacturing systems, a “bolt-on” product could be added to their existing package policy, offering added coverage needed to protect against cyber exposures. These bolt-on coverages are generally simpler and easier to purchase, as they may not require an underwriting application.
  2. Stand-alone. For larger clients or more complex needs, stand-alone cyber coverages can provide businesses with more comprehensive coverage and greater limits. While these products generally require underwriting applications, the simple process of completing the application is often beneficial to small businesses, as questions typically involve security-related best practices.
  3. Coverage continuity. It is also important to be mindful that some cyber risks may be covered under other lines of insurance coverage. For example, false pretense coverage may be covered under a client’s crime insurance policy. However, this client could still benefit from obtaining explicit cyber coverage on a cyber-specific policy, depending on the cyber exposures they would like to cover.

When helping small business owners evaluate cyber insurance exposures and needs, agents can look at all available lines (cyber, package, crime, management liability and more) to ensure small businesses’ needs are addressed.

By placing all coverages with a single carrier, the potential for coverage friction is reduced, resulting in a better and more seamless customer experience for the insured.

Eric Cernak

About the author
Eric Cernak is vice president of cyber practice at The Hanover Insurance Group. In this role, he is responsible for overseeing The Hanover's corporate cyber strategy across all of its commercial lines and specialty businesses, to ensure a cohesive offering of products and services for The Hanover’s independent insurance agent partners.




All products are underwritten by The Hanover Insurance Company or one of its insurance company subsidiaries or affiliates (“The Hanover”). Coverage may not be available in all jurisdictions and is subject to the company underwriting guidelines and the issued policy. This material is provided for informational purposes only and does not provide any coverage.