Oct 13, 2024

The Expanding Role of The Broker in Helping to Mitigate SME Cyber Risk This article is by Simon Hughes, Cowbell’s SVP, Global Distribution & General Manager UK While complacency in the field of cybersecurity still lingers among many business owners, in the last 12 months, half of all UK businesses (50%) report having experienced some form of cybersecurity breach or attack; a percentage even higher for medium-sized businesses (70%). Whether it’s down to a boost in cloud storage adoption, a rise in the use of software providers and vendors, or an increase in adversaries leveraging legitimate credentials as an initial access mechanism, one thing is for certain – cyber threats continue to escalate in complexity and frequency. On the upside, the proportion of businesses with some form of insurance against cybersecurity risks has increased from 37% to 43% since 2023 , a figure that rises to almost 2 in 3 (62%) when it comes to medium-sized businesses. However, while cyber insurance is clearly more critical than ever for businesses in the UK, is insurance alone enough? I’d argue not, and this is a sentiment small and medium-sized enterprises (SMEs) are starting to agree with too. Not only do most cyber insurance providers require some form of cybersecurity or risk assessment before offering coverage, SMEs are actively seeking ways to stay ahead with preventative measures and mitigation tactics. This is where the role of the insurance broker is key. Yes, a broker should be a safe pair of hands with insurance coverage, that’s a given. But businesses operating right now must start looking at a far more comprehensive approach to cyber risk management. What’s more, encouraging robust cyber hygiene practices doesn’t just reduce businesses’ risk, but could also see them benefit from more favourable terms when seeking cyber insurance coverage. How can brokers help mitigate SME cyber risk? To ensure a broad, multi-layered security strategy, brokers should: Encourage robust cyber hygiene practices: this should include everything from implementing common and low-cost security measures, such as multi-factor authentication (MFA) and strong password policies, through to encryption, robust firewalls, regular software updates and data backups; all of which help to proactively identify and mitigate potential threats. Push the importance of employee training and awareness programs to prevent cyber incidents: While your client may think their workforce is tech-savvy enough to spot a sophisticated phishing and social engineering attempt, recent advancements in GenAI have improved the format and grammar of phishing messages, making them far harder to identify. As such, ongoing education and awareness programs are needed alongside clear instructions on what internal security measures should be taken, such as double-checking the sender’s email address or using MFA to prevent unauthorised access if your credentials are compromised. It’s also important that your clients educate their employees about the risks of third-party software vulnerabilities and ensure they follow best practices here too, to avoid security lapses. Ensure a well-defined incident response plan (IRP) is in place: Having reliable backup and recovery plans in place is one of the best ways to minimise the impact of a ransomware event. If your client doesn’t have a cyber incident response plan (IRP) already, recommend an IRP template to start. A good IRP should include communication strategies, legal considerations, and recovery procedures; define the goals, scope, and types of incidents covered; and assign specific roles and responsibilities within the incident response team. Demonstrate the value of integrating advanced technology solutions and forming partnerships with cybersecurity vendors: As well as financial security, many cyber insurance providers also have cybersecurity analysts and consultants trained in handling cyberattacks and the claims process on hand. These experts can help victims navigate incident response and recovery, while most cyber insurance providers also offer free risk prevention services, including vulnerability assessments, threat intelligence, and can assist with cybersecurity training. Others even utilise advanced technology like AI and data analytics, which can offer more personalised and adaptive coverage, providing a better fit for your client’s specific cyber risks. Some insurers also offer APIs that integrate with a business’ existing cybersecurity tools, allowing for a seamless connection between their risk management systems and insurance policies. Advise regular cyber risk assessments to identify and address vulnerabilities: Conducting periodic vulnerability scans, running penetration testing and monitoring networks for suspicious activity is one of the most effective ways of identifying potential weaknesses in your client’s infrastructure. This way, any security gaps are addressed before attackers can exploit them. Have clients vet their service providers and product vendors: Once a vendor becomes part of a business’ supply chain, their risk exposure impacts the business’ own risk exposure. As such, when vetting vendors, businesses should be ready to ask questions that go beyond product/services delivery and cost, and inquire about their security posture. Here, questions like ‘do they encrypt data, and if so, how?’ and ‘do they have an IRP in place, if so, how will it be implemented’ are key. One quick cheat, however, is to ask service providers and product vendors if they have secured cyber insurance coverage. If they do, chances are they already went through some type of cybersecurity and/or risk exposure assessment. With these practical strategies, expert advice and ongoing support, brokers can move beyond offering a financial protection product, to becoming an essential partner that plays a huge role in the protection and preparedness of the UK’s SMEs. Share this: