What can small and medium size enterprises (SMEs) do when the
When Change Healthcare, a $3 billion-plus company suffered a cyber attack in February, the company had the resources to support SMEs it does business with who were also affected, like pharmacies.
"Change is a little unusual, in that they basically said they were responsible," said Rich Gatz, vice president of cyber claims at Arch Insurance. "They provided credit monitoring and a fund to allow for payments to be processed, so these entities impacted can keep their revenue incoming as they wait for payments to be processed more through the normal course of their business, now that they're back up and running."
Insurance executives with cyber coverage expertise counsel SMEs to make their own preparations to recover from cyber attacks, rather than relying on less developed cyber breach insurance coverage. Or, in some cases, figure out how to adjust service and insurance contracts to get the most protection possible.
SMEs with contracts with third-party cybersecurity providers must get details on how those providers protect applications, said Hamesh Chawlam, co-founder and CEO of Mulberri, an embedded insurance platform and MGA. "That's what SMEs have not typically done in previous years," he said. SMEs need addendums detailing how coverage protects their billing system, as an example of an operational function that can be affected by a cyber breach, according to Chawlam.
SMEs can turn to carriers for some resources to proactively defend against cyberattacks, according to Tamara Ashjian, vice president of cyber and tech claims in the cyber and professional lines group of Tokio Marine HCC.
"A lot of carriers provide free tabletop exercises like phishing attack simulations and pen [penetration] tests," she said. "Do them, because you're better off being protected and knowing everything that you should know on how to put a policy in place before or if there's a big attack."
In addition, Arch Insurance offers consulting on legal, forensic, digital asset restoration, data mining and other aspects of cybersecurity breaches, according to Gatz of Arch Insurance.
Although cybersecurity insurance is making more inroads with SMEs, getting them to take policies, there are still, Gatz said, "many, many companies, hundreds and thousands of companies that don't have any cyber insurance at all."
For SMEs that do have coverage, they may not want to go after the carrier for their cybersecurity service provider if there is a loss, because that can risk the relationship they have with that vendor, according to Danielle Roth, head of the cyber claims team at AXA XL.
Also, SMEs that have experienced a cyber breach, and do pursue the insurer for the cybersecurity provider, may encounter indemnity clauses that cap what claims can be covered or compensated by a vendor's insurer, Roth explained.
"We need to look at what in a particular jurisdiction might constitute reasonable security measures," she said. "A lot of the contracts have language with contractual caps in them, and the caps are only removed if there's gross negligence. That can be pretty difficult to establish as well."