4 Common Misconceptions Mid-Market Firms Have about Cyber Risk

A new report from insurance brokerage Assurex Global identifies four main misconceptions mid-market companies have about cyber risks.

1. Cyber attacks primarily affect large businesses. Hackers often target smaller and mid-sized firms because they usually lack the sophisticated security of large companies and can be “easy” targets, says Michael Richmond, sales executive for Risk Advisory Solutions at the Horton Group in Chicago, Ill. “You don’t hear about the breaches at $50 million or $100 million manufacturers … sometimes it’s because the cyber protection at smaller companies isn’t as sophisticated … but they are happening,” says Richmond.

The NetDilligence/McGladrey 2015 Annual Cyber Claims study found that companies with revenues between $50 million and $1 billion accounted for nearly half of all cyber claims.

2. Their type of business isn’t likely to be targeted. Mid-market organizations not only think they’re too small to be hacked but also usually hold the belief that thieves aren’t interested in their sector. Any organization that has information and commerce can be a target, says Richmond. Thieves often can target companies to gain trade secrets, steal intellectual property, gain a competitive advantage, or even ruin a company’s reputation.

According to a 2015 Symantec report on cyber breaches, the top industries breached were services; finance, insurance and real estate; retail trade; public administration; and wholesale trade.

3. They can absorb the cost of or self-insure against data breaches. The cost of a single data breach can nearly wipe out a small company. These costs can run into the millions of dollars when factoring in investigation, notification, public relations, regulatory fines, and any potential settlements or judgments. Individuals are frequently filing suit against companies for such breaches, spurring companies into paying staggering defense costs.

The Ponemon Institute’s 2016 Cost of Data Breach Study found the average cost of a malicious or criminal breach incident to be $158 per compromised record. The 383 companies that participated in the study said their average total cost per breach was $3.79 million to $4 million, up 23% from 2013.

4. Outsourced network security and data management reduces risk. Mid-market companies should scrutinize their IT vendors and services much like they would investment decisions, reported Bob Guilbert, managing director at Eze Castle Integration Inc., at MiddleMarketGrowth.org.

Meanwhile, Richmond says even when outsourcing, a company can still enable and be liable for breaches. As the original data owner, the company could still be named in third-party lawsuits, and while the vendor agreement may contain indemnification provisions, there are many ways vendors can get out of them. Richmond says these indemnification provisions often have limiting and exclusionary language for amounts and certain types of breaches.