In today’s digital landscape, small and medium-sized businesses (SMBs) face growing threats from cyber attacks that could cripple their operations overnight. With limited resources and varying security postures, many SMBs are left vulnerable to catastrophic events that their insurance may not fully cover. A report from Guy Carpenter’s Cyber Center of Excellence and At-Bay, a provider of insurance and cybersecurity services for small and medium-sized businesses (SMBs), explores how to improve cyber catastrophe (CAT) models for these enterprises.
Cyber CAT models help insurers estimate potential losses from large-scale cyber incidents, like ransomware attacks or data breaches, by analyzing patterns and assessing risks across various scenarios. The report identifies critical limitations in current CAT modeling for SMBs and suggests ways to enhance risk assessment and capacity management in the rapidly growing cyber insurance market.
Over the past five years, SMBs have come to represent 45% of total market exposure in the cyber insurance sector, a significant increase from five years ago. This shift makes it crucial for insurers to accurately measure the potential risk of SMBs to manage their exposure and deploy capital effectively. However, the report notes that while SMBs may appear less complex than large corporations, their unique risk profiles and varied security postures require specialized modeling techniques to avoid inaccuracies in risk assessment.
Here are some of our takeaways; you can get the full report here.
Differences in Security Postures Among SMBs
One of the report’s main findings is the substantial variation in security postures between SMBs with and without cyber insurance coverage. SMBs with cyber insurance generally have stronger security measures in place, making them less vulnerable to attacks than uninsured businesses. This difference in security levels is critical for cyber risk models to consider, as it can significantly impact the calculation of potential losses and overall risk exposure.
Current cyber CAT models often fail to capture these differences due to a lack of reliable, specific data about SMBs. Most models use data from larger companies, which do not adequately reflect smaller businesses’ diverse characteristics and vulnerabilities. As a result, there is a pressing need to adjust existing models to account for the varying levels of security controls across SMBs.
Adjusting CAT Models to Include Security Controls
To address this gap, the report recommends modifying CAT model outputs to include the effects of key security controls, such as multi-factor authentication (MFA) and endpoint detection and response (EDR) systems. Integrating these controls into the models allows insurers to differentiate risks better and gain a more accurate understanding of potential losses for SMBs.
An example from the report demonstrates how this approach can reduce estimated losses. When the effects of MFA and EDR are factored into CAT models, there is a 17% reduction in CAT-only tail losses on a 250-year return period. This reduction highlights the value of including data on security controls in cyber modeling for SMBs.
Challenges in Modeling SMB Cyber Risk
Despite the benefits, the report acknowledges several challenges in implementing these adjustments. The main difficulty is the lack of reliable data on SMBs’ cybersecurity practices and incident histories. Unlike larger companies, SMBs are less likely to report cyber incidents, and detailed information about their internal security controls is often unavailable. This lack of data complicates efforts to model SMB risks accurately.
The report suggests collaboration between insurers and model vendors to overcome these challenges and enhance existing models with more detailed data. By combining self-reported information from insured SMBs with external data sources, insurers can better understand their security postures. This enriched dataset would improve risk assessments and help insurers make more informed decisions about coverage and capacity.
Supporting the Growth of the SMB Cyber Insurance Market
The report also emphasizes the need for CAT models to evolve in response to the changing cyber threat landscape, especially as the SMB market grows. Cyber threats are increasingly targeting common vulnerabilities across a wide range of businesses rather than focusing on specific organizations. This shift has led to increased cyber claims from SMBs, underlining the need for more advanced modeling techniques.
By adjusting CAT models to incorporate security controls and reflect the unique characteristics of SMBs, insurers can more accurately quantify the aggregation risk for their portfolios. This approach helps manage exposure and supports the growth of the SMB cyber insurance market.
Improving Cyber Risk Modeling for SMBs
“Small Businesses and the New Frontier of Cyber Catastrophe Modeling” calls for enhanced cyber CAT modeling practices for the SMB segment. By recognizing the unique risks and security profiles of SMBs, the report offers a framework for more accurate, data-driven risk assessments that align with the expansion of this market.
Modifying model outputs to account for security controls is essential for insurers seeking to understand potential losses better, manage capital effectively, and support the continued growth of SMBs as they navigate evolving cyber threats.
Source: Small Businesses and the New Frontier of Cyber Catastrophe Modeling.
Other News: The cybersecurity threat facing SMBs.