
Making Cyber Insurance Available for Small Biz, Contractors

Cyber-insurance companies are moving down-market to offer policies to help protect remote employees, independent contractors, and small businesses from the cost of cyberattacks.


The soaring costs of recovering from a security incident or data breach are driving interest in cyber insurance. While cyber insurance is typically viewed as a product mainly for large organizations seeking coverage and protection against state-sponsored attackers, criminals, and politically motivated hackers, it is also valuable for small and midsize businesses (SMBs) and independent contractors.

Regardless of size, a cyber insurance policy can cover the costs of a ransomware attack or business email compromise (BEC), losses stemming from an outage as a result of a breach, and expenses incurred in rebuilding compromised systems. While the Federal Trade Commission (FTC) and the National Association of Insurance Commissioners (NAIC) have issued guidance suggesting small businesses consider cyber insurance as a means of resilience against cyberattacks, the fact remains that classic cyber insurance is expensive. It is often too difficult for small businesses to qualify for those policies.

To address this situation, companies are increasingly rolling out new products for work-from-home employees, SMBs, and micro companies with 50 or fewer employees. Earlier this year, Internet of Things (IoT) platform provider Pepper partnered with Embedded Insurance to offer policies covering IoT networks and mobile devices. In October, eSure.ai announced its own offering — underwritten by an unidentified "Top 5" insurance company — that would allow remote employees, independent contractors, and micro businesses to get insurance without going through the underwriting process.

The insurance product from eSure.ai covers traditional endpoint products, such as computers and laptops, but not mobile devices. To ensure potential customers have adequate security controls in place to qualify for a policy, eSure.ai requires that applicants go through a managed services provider (MSP); the product itself is sold through the MSP channel. It is unreasonable to expect this group to have the security wherewithal and resources to install and maintain the necessary security controls, says Chase Norlin, CEO of Transmosis and president of eSure.ai, a Transmosis company.

Insurance or Warranty?

When individuals think of cyber insurance, they think of identity theft products offered by banks and other companies, but this perspective misses the bigger picture, according to Norlin.

"A lot of consumers falsely believe that identity theft is going to somehow provide some broader cyber insurance coverage, which it does not," he says, noting that riders to homeowners' or renters' insurance policies "are incredibly weak."

Last year Transmosis launched a program to cover SMBs for losses they may incur from cyberattacks, but since that program's contracts are not underwritten by an insurance company, it is not an actual insurance policy. Rather, it is more like a financial liability protection program or a contractual indemnity, where the company selling the protection is on the hook for any losses the policy holder suffers up to the value of the coverage.

One of the challenges SMBs could face when considering cyber-insurance-type offerings from companies that are neither insurance brokers nor carriers is distinguishing actual insurance from the warranty/guarantee model. Because not all warranties and guarantees are the same, those that opt for this model need to determine what coverage is offered and compare the warranty coverages to traditional cyber insurance.

"When a company comes to you and says, 'I'll give you $1 million of liability if you sign on with us, and we'll protect you,' is that $1 million shared with everybody else? Is that dedicated to that person?" says Peter Hedberg, vice president of cyber underwriting for Corvus Insurance (which was acquired by Travelers Insurance last month). "Do they actually get an insurance policy, or is it a contractual indemnity for $1 million that you're promising that the person is going to have to sue to access anyway?"

Hedberg cautions prospective customers to ask questions so they know precisely what they are getting and any possible conditions, limitations, or exclusions associated with the agreement.

Does Everyone Need a Policy?

Individuals with a high net worth, such as entertainers, athletes, celebrities, and corporate executives, should consider cyber insurance, but individuals who don’t fall in those categories may have a difficult time making the financial case to buy cyber insurance, says Hedberg. Organizations that are supply chain feeders to larger companies could be targets of cybercriminals, so those companies need to consider the risks. Micro companies, such as law firms, accountants, healthcare offices and clinics, private equity firms, and other financial services companies that have few employees but are big targets for attackers, should also be looking closely at cyber-insurance policies.

However, most mom-and-pop companies would not likely require the same type of business insurance, Hedberg notes, since their risk profiles might not justify the cost of cyber insurance.

A full cyber-insurance policy is generally more expensive and provides far more coverage than most individuals will ever need, save for those with high net worth, says Jeffrey Brown, CISO for the state of Connecticut, a member of the board of advisers to Cowbell Insurance, and the former head of information security, risk, and compliance at AIG. While having cyber insurance can be useful, becoming better educated on how you can protect yourself is a better first step, Brown says, noting that training and awareness webinars can help individuals become savvier on cyber issues.

It's in everyone's best interest — the insurance buyer and seller — when nothing happens.

About the Author

Stephen Lawton, Contributing Writer

Stephen Lawton is a veteran journalist and cybersecurity subject matter expert who has been covering cybersecurity and business continuity for more than 30 years. He was named a Global Top 25 Data Expert for 2023 and a Global Top 20 Cybersecurity Expert for 2022. Stephen spent more than a decade with SC Magazine/SC Media/CyberRisk Alliance, where he served as editorial director of the content lab. Earlier he was chief editor for several national and regional award-winning publications, including MicroTimes and Digital News & Review. Stephen is the founder and senior consultant of the media and technology firm AFAB Consulting LLC. You can reach him at [email protected].
