Cyber Risk Underwriters

Beyond Antivirus & Firewalls: Easy & Cost-Effective SME Cyber Security Solutions Agents Need To Know

Unlike traditional business risks such as fire and workers’ compensation, the cyber risk landscape continues to evolve. As with any relationship, agents must first establish trust, address risks honestly, and educate and provide practical, usable recommendations to insureds to minimize risk. To do so, agents must expand their information security knowledge. Those who don’t risk losing business to competing agents, as well as being dis-intermediated by holistic solutions sold direct by a growing number of savvy and well-capitalized on-line insurance and security providers.

To many SMEs and their agents, the terms “cybersecurity” and “cyber insurance” trigger equal amounts of anxiety and confusion. Simply put, smaller insureds don’t know the names of the tools they need, and don’t know the proper technical terms that would lead them to an effective solution.

In our experience, most SMEs are not confident about the security of their networks. They are not sure what their biggest cyber risk is and are confused by the current information security landscape. Most know of other businesses that lost money and data due to attacks targeted at employees, resulting in ransomware and wire transfer fraud. These executives want to know the most cost-effective things they can do to mitigate the risk of cyber attacks.

The Latest Scary Stuff

As many cyber security experts will admit, the cyber security industry is broken. Despite astounding market growth for security software and services, the increased frequency of attacks is equally astonishing.

  • In 2017, the cyber security market was worth over $120 billion (up from $77 billion in 2015), yet incidences of successful hacks continue to rise. [1]
  • Ransomware attacks saw a 350% increase in 2018. [2]
  • Only 10% of small businesses surveyed had a separate budget for cyber security. [3]
  • Cisco’s 2018 SMB Cybersecurity Report found that 53% of midmarket companies in 26 countries experienced a breach.
  • Over 40 percent of companies have sensitive files that are unprotected and open to every employee. [4]
  • Most research suggests that more than 90 percent of successful hacks and data breaches stem from phishing scam emails crafted to lure their recipients to click a link, open a document or forward information to an unauthorized party.
  • According to the results of a survey by Barkly (now AlertLogic) of 60 companies that were hit by successful ransomware attacks over the past 12 months, 77% of respondents said the attacks bypassed email-filtering solutions, 95% bypassed firewalls and 52% bypassed antimalware solutions. [2]
  • Cryptojacking is the unauthorized use (via malware) of computer resources to mine cryptocurrency. This exploit can result in utility fraud, leaving insureds with higher utility and other computing costs. Cryptojacking is one of the fastest growing cyber security threats in 2018, with 25% of all businesses already falling victim to cryptomining exploits. [2]
  • 68% of U.S. businesses have not purchased any form of cyber liability or data-breach coverage. [2]

Easy & Cost-Effective Security Solutions For Your Insureds

Most small to middle market business executives assume that if they spend $40 per employee for a firewall, patch, install the latest antivirus, and use the cloud, they have a padlock on the doors that keeps the bad guys out. All are great foundational tools, but they are not designed to stop evolving criminal attacks. Using email, attackers easily bypass these technologies altogether when users are victimized by email fraud, credential theft and vendor risk. In our experience, the most cost-effective cyber risk management tools that will prevent loss are easy, cheap (if not free) and readily available.

Limit User Administrative Privileges

Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid.

The most common delivery method is phishing spam or attachments that come to the user in an email, disguised as trusted files. Once downloaded and opened, the criminals take control and block network access until a ransom is paid. The vast majority of ransomware exploits are prevented by making sure users are blocked from downloading and installing software onto the network. This is a simple risk control that restricts administrative privileges on workstations and PCs so that software can only be installed by an IT administrator.
Ransomware claims are best prevented by limiting user privileges, according to Nick Economidis, Vice President of eRisk for Crum & Forster: “We frequently offer insurance buyers the opportunity for a lower premium in exchange for implementing simple risk controls that, we believe, will significantly reduce the occurrence of the type of claims that we see most often. One of the things that we suggest is restricting administrative privileges on PC’s/computer workstations so that software can only be installed by an IT-administrator. We believe that this can significantly reduce the possibility of ransomware (or other malware) infecting the machine. If a user clicks on a rogue link or attachment, the machine will not install the malware because the user is unable to provide the administrator password (and even if they have the administrator password, we hope that the fact that the machine is asking for it will be enough of a warning).”

Get Phished

According to Verizon [5], email fraud, in the form of phishing scams or fake emails designed to lure recipients to click an infected link or document or to forward information to a fake sender, accounts for more than 93% of enterprise attacks. Of 60 companies that were hit by successful ransomware attacks over the past 12 months, 77% of respondents said the attacks bypassed email-filtering solutions, 95% bypassed firewalls and 52% bypassed antimalware solutions. [2]

In our experience, the most effective form of training is the use of phishing simulations. Phishing security tests provide an indication of how many employees are susceptible to email social engineering attacks. A well-designed phish-testing program trains employees how to spot a phony email and has been shown to reduce the risk of a successful ransomware attack. When combined with typical user training, the results are stunning.

Leading training vendor KnowBe4 conducted a study [6] of 6,000,000 users in 11,000 organizations encompassing almost 250,000 tests. Across several industry verticals, initial baseline click rates ranged from 25%-35% for SMEs under 1000 employees. At 90 days, rates ranged from 10%-17%, and at 12 months rates dropped to 1.5%-3.2%.

Phase one is establishing an initial baseline. A phishing test template is designed based on the employer’s unique environment, and a landing page (often a training site) is created for users who click. The users are provided a summary of what they missed, and the employer is provided charts indicating the “phish-prone” rate. Most vendors also provide a comparison to others in the subject industry vertical. Additional tests are sent out randomly during the course of the following 12 months.

These programs are simple and easy to implement. Several vendors offer a free phishing simulation service for companies with up to 100 employees, including online registration, monthly phishing simulations, and detailed analytics to isolate opportunities for improvement. For advanced versions, pricing runs from $5 to $15 per seat per year.

Multi-Factor Authentication (MFA)

In our experience, multi-factor authentication is possibly the single most cost-effective strategy for SMEs to mitigate a litany of risks. An insured can install antivirus and firewalls, deploy encryption and perform vulnerability tests, but without multi-factor authentication all these measures are easily compromised.

Multi-factor authentication strengthens access security by requiring two or more factors to verify a user’s identity. These factors can include something you know (username and password) plus something you have (a smartphone) to approve authentication requests. Most of us are familiar with the process of getting a code texted to your phone to log in to banking and other applications. This tool is highly effective against phishing and other forms of social engineering as well as password brute-force attacks, and it secures your logins from attackers exploiting weak or stolen credentials. Without the code, malicious actors are not able to gain access to your system.

Versions of MFA are available free with Office 365 & Google Suite (make sure your insureds turn it on!). Expect to pay up to $6 per user per month for advanced versions.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

Email spoofing is the use of an email message from a forged address that hides the sender’s true identity. The objective is to trick the recipient into taking an action that enables business email compromise and other email scams; these social engineering attacks are growing in frequency and often lead to successful wire transfer fraud.

DMARC provides greater assurance about the identity of the sender of an email message and gives email domain owners the ability to protect their domain from unauthorized use, often referred to as email spoofing. Once DMARC is turned on for the insured’s domain, only emails that pass authentication are trusted and delivered. Emails that fail the check are quarantined or rejected.

DMARC is free, but you may need the web host or email administrator to assist in enabling it, since DMARC is not turned on by default.
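DMARC is published as a DNS TXT record at `_dmarc.<domain>`; the added example below (not part of the original article) parses such a record and flags the settings, such as `p=none`, that leave a domain merely monitoring spoofing instead of quarantining or rejecting it. The two sample records and the reporting mailbox are constructed placeholders.

```python
"""Parse a DMARC TXT record and rate how strongly it protects a domain.
Added example, not from the original article; sample records are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample records: a monitoring-only record beside an enforcing one.
WEAK_RECORD = "v=DMARC1; p=none"
STRONG_RECORD = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com"


@dataclass
class DmarcAssessment:
    valid: bool
    policy: Optional[str]
    enforcing: bool            # True only for p=quarantine or p=reject
    findings: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    """Validate the record (RFC 7489 basics) and flag settings that still let spoofed mail through."""
    # Receivers ignore a record that does not begin with the version tag.
    if not record.strip().upper().startswith("V=DMARC1"):
        return DmarcAssessment(False, None, False, ["missing v=DMARC1 prefix"])
    tags = parse_dmarc(record)
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        return DmarcAssessment(False, policy, False, [f"invalid or missing p= tag: {policy!r}"])
    findings: List[str] = []
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: only part of failing mail is filtered")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    return DmarcAssessment(True, policy, policy != "none", findings)
```

Running `assess_dmarc` over the record returned by a TXT lookup of `_dmarc.<insured's domain>` tells you whether DMARC is actually enforcing or only switched on in monitoring mode.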

Business Vendors: Get a Pre-Nuptial

Vendors are often the weakest links in the security defenses of most insureds. In the past few months alone, we have seen several claims resulting not from actions (or inactions) of the insured but from breaches suffered by contracted vendors. One involved a healthcare provider infected with ransomware delivered via a record transcription service with access to patient files. The claim resulted in over $100,000 of remediation expense and business interruption loss.
Managing vendor cyber risk is not unlike risk management services that agents provide to clients for other business contracts. In addition to typical requirements such as favorable hold harmless and indemnity provisions, vendor risk management contracts should include:
  • Description of the PHI/PII and confirmation of authorized user access.
  • Minimum required security controls, including basics such as the use of firewalls, anti-virus, patching and encryption. Vendors must also be compliant with relevant regulatory and industry requirements such as HIPAA and PCI-DSS when applicable.
  • Security audit clause so the organization has the right to audit security controls periodically.
  • Incident reporting requirements stating under what circumstances, and by what means, a security event is reported to the contracting organization.
  • Insurance requirement for a stand-alone cyber policy that includes first and third party coverage parts. The contract should require additional insured status (when possible) and provide a minimum limit of $1M.
Knowledgeable agents can assist insureds in conducting effective vendor risk management. Some agents use cyber insurance applications as guides to develop templates. More complex risks should consider Vendor Risk Management (VRM) products that provide vendor security scores, vendor on-boarding and ongoing monitoring of third-party networks. VRM software products are easy to install and use, with prices starting around $500 per vendor.

Summary

Beyond a fundamental understanding of how cyber insurance responds to a claim, our most successful agents also possess a basic understanding of which security tools offer the biggest bang for the buck for their insureds. These agents close at 2-3 times the rate of agents relying on the insurance policy to sell itself, and are most likely to retain business and keep new direct-writing insurance platforms at bay.

About the Author

Jeffrey founded Cyber Risk Underwriters to offer tech-backed cyber insurance and related products distributed to insurance agents, cyber security providers and “InfoSec” investors.

Prior to joining Cyber Risk Underwriters, Jeffrey enjoyed over 25 years of success providing complex P&C insurance and risk financing design, brokerage and relationship management expertise for complex risks including technology, healthcare, private equity, and real estate.

Cyber Risk Underwriters maintains offices in Atlanta Georgia, Park City Utah and Huntington Beach California.

Contact Information 
jsmith@cyberriskuw.com 
866.292.3092
Cyber Risk Underwriters

[1] Cybersecurity Market Size Will Reach $300 Billion by 2024
[2] Cyber Security Ventures, 2019 Cyber Security Almanac
[3] The National Center for The Middle Market, “Cybersecurity and the Middle Market: The Importance of Cybersecurity and How Middle Market Companies Manage Cyber Risks,” 2016
[4] Varonis, 2018 Global Data Risk Report
[5] Verizon, 2018 Data Breach Investigations Report
[6] KnowBe4, 2018 Phishing By Industry Benchmarking Report