SMEs generate vast majority of cyber claims

Small and medium-sized businesses are generating the overwhelming majority of cyber insurance claims, according to the latest annual NetDiligence Cyber Claims Study.

The study found that hackers and ransomware artists increasingly target smaller companies, with attackers having shifted their preferences to the extent that the size of an organisation has become a better predictor of cyber vulnerability than its industry category.

The study analysed 3,547 claims from insurance companies in the US, Canada and the UK from incidents reported between 2015 and 2019. The report also includes 1,633 new claims from 2017 to 2019 collected in 2020.

Of the claims disclosed to the study, 98% totalling $589 million came from businesses with less than $2 billion in annual revenues.

The other 2% representing $410 million in claims came from large companies with more than $2 billion in revenues.

“Every day, SME organisations are attacked and incur losses,” NetDiligence CEO Mark Greisiger said during a webinar presentation of the study results.

“This is main street as opposed to Wall Street.”

The variances in the size of the claims are massive, resulting in sizeable differences between average and median claims. For small businesses, the cost for incident response averaged $175,000, while the median cost was $36,000. Crisis services were the next largest cost, with an average of $131,000 per response and a median of $25,000. For large companies, incident response averaged $9.1 million, with a median of $716,000.

Financial services and healthcare were the biggest industry targets among small and large businesses. Small business targets also tended to be in professional services, retail and manufacturing. The large business layers generated a substantial proportion of claims from hospitality.

Ransomware has become the top category of loss cost for bigger companies, and expenses from those types of breaches have been escalating in recent years, according to the report.

The next likeliest target area for hacker attacks will be personal devices, said Michael Bruemmer, vice president for consumer protection and global data breach at Experian, a sponsor of the report.

“We think the new frontier in 2021 is going to be people’s home devices that are going to be held for ransomware,” Bruemmer said during the presentation, adding that the work-from-home trend accelerated by the COVID-19 pandemic has increased individual vulnerability to hacks.
