Cyber risks, a major challenge for SMEs

A pandemic and a global lockdown, the spread of remote work and digital sales consolidation, non-stop screen time and connection to electronic devices: March 2020 saw the beginning of the perfect storm for cybercrimes. The majority of these cyberattacks have been suffered in silence, while others have made headlines worldwide, like the recent attack against the International Committee of the Red Cross. Their hacked databases contained the information of over half a million vulnerable people that had been affected by armed conflicts, migration, and natural disasters.

According to the results of the Digital Trust Survey 2022, a study carried out by the PwC consulting firm with over 3,600 interviews with cybersecurity supervisors and senior managers from 66 countries, cyberattacks will once again reach record numbers this year. The online attacks that are set to increase the most are those that target cloud storage services, those that hold data ransom (ransomware), those that infect computers through software updates (malware), and attacks on supply chain software and corporate emails.

The cybernetic fraud industry is no laughing matter, as the FinCEN (Financial Crimes Enforcement Network) is more than aware. FinCEN is a bureau of the US Treasury that collects and analyzes information about financial transactions in order to combat money laundering, terrorist financing, and other financial crimes. Its latest investigation reports that between January and June of 2021 it identified more than 5.2 billion dollars (4.5 billion euros) in bitcoin transactions that were potentially linked to ransomware payments. In other words, payments made to meet the ransom demands for stolen data.

Cybersecurity is key to any company’s survival. It’s true that most large companies are better prepared to handle these types of incidents. For example, in August 2020 –just a few months after the beginning of the coronavirus pandemic– MAPFRE suffered a cyberattack, and the very same Spanish Data Protection Agency (AEPD) pointed out that “the exfiltration (data extraction) attempts were detected and prevented which, together with the speed in making the cyberattack public, enabled customers, employees, collaborators and providers to act effectively, thereby minimizing the impact.” 

Given that SMEs have lower budgets and are presently less well known, they have become the main targets of cybercrime. Their main challenge in 2022 will be to stay prepared for any cyber risk, as the onset of COVID-19 obligated many of these companies to rethink their work structures, forcing them to incorporate remote work and digitalization. SMEs bore the brunt of these assaults, as 53% of them suffered some sort of cyberattack, and over 40% of them were victims of more than three cybercrimes, according to Hiscox’s latest report. The average cyberattack cost a small business 75,000 euros, as SSH Team Consulting reports. 

“SMEs still do not have the technology or preventative measures that will prepare them to face cyber risks. Companies with fewer than 10 employees seem to think that they could never be the target of a cyberattack, but they should ask themselves what percentage of their production processes depend on data and technology. Probably all of it. If they have to temporarily cease operations due to a cyberattack, and they aren’t adequately prepared, in the worst case scenario that could lead to them going out of business,” explained Oscar Taboada, head of Cyber at MAPFRE RE. 

“When we refer to cybersecurity what we’re talking about is if SMEs are mature enough to handle the problem. From the very start of their business, how much have they thought about training their IT technicians in cybersecurity, or setting up programs to raise awareness on the issue? It’s also important to have an information security manager –also known as a CISO (Chief Information Security Officer)– in charge of ensuring the safety and correct handling of data. It really depends on the business sector. If your operations rely heavily on technology, it’s likely that you took cybersecurity into consideration,” explained MAPFRE’s Marc Rivero, senior investigator at the Global Team for Threat Control run by Kaspersky, a multinational cybersecurity provider operating in over 195 countries. 

It’s a given that the pandemic sped up the digital transformation process for small and medium-sized businesses. In Spain SMEs make up over 99% of the corporate landscape, 62% of the country’s GDP, and 60% of total corporate employment. They provide jobs to over 2 billion people worldwide.

The latest information on SME digitalization, provided by the National Observatory of Technology and Society (ONTSI), a project belonging to the State Secretariat for Digitalization and Artificial Intelligence, illustrates that many small and medium-sized companies are modernizing their digital resources. Almost all (98%) SMEs use the internet in their operations. An example of this is the fact that 77.3% of SMEs and large corporations and 55.1% of microbusinesses give their employees mobile devices with internet access for company use. 63% of SMEs/large corporations and 35% of the smallest businesses use social networks and almost a third of companies hire cloud computing services. As for purchases made via e-commerce, the figure was 35%. 

“Criminals are rapidly adapting to digitalization and they’re taking advantage of it. Dealing with them will require a broader view of what cybersecurity means, as well as preparing in advance for attack risks, something that isn’t always possible for SMEs and freelancers,” stated Jorge Sicilia, business development manager for MAPFRE ESPAÑA Companies.

According to figures provided by ObservaCiber, a space recently created by the National Cybersecurity Institute and ONTSI, 18% of companies in Spain have insurance that protects them in the case of cybernetic security incidents, which is below the European average of 24%. 

We need to make a distinction between cybersecurity—that is, preventive protection measures that a company can include in its IT protocols to try to fully avoid potential cyberattacks like data theft, work stoppages, etc.—and cyber risk insurance, which is coverage based on the limits of what the (re)insurance company is willing to underwrite, and therefore to take on,” explained Oscar Taboada, head of Cyber at MAPFRE RE.

“The nature of these risks, and the complex role they play in a dynamic, shifting, and worldwide context, means that it’s fundamental for us to correctly understand, analyze, control, and measure them,” asserted Oscar Taboada.

Reinsurance companies play a vital role in the world of cyber risks, as they do in other lines of business. They assist in transferring insurance companies’ risks, managing the control of potential catastrophe accumulation, and contributing to product development that provide solutions and advice for mitigating and preventing said risks. 

“At MAPFRE RE for example, we are actively working to understand and analyze different catastrophe accumulation models and scenarios in the face of large-scale events. We use AI (artificial intelligence), and this allows us to generate predictive statistical models that can estimate potential losses,” commented the head of Cyber at MAPFRE RE. (See breakdown). 

From January to June 2021, MAPFRE carried out innovative research by tracking conversations on social networks and forums about cybersecurity. The main conclusion they reached is that users, who have become more and more used to doing everything online, are worried about what type of cybersecurity the companies they buy products and services from and provide their personal details to have. 

For this reason, and given how vulnerable SMEs are to cyberattacks, MAPFRE has developed the CIBER On insurance plan for freelancers and small and medium-sized companies that invoice up to 10 million euros. With this cyber insurance, customers have specialized teams available to them at any time, giving them the best coverage possible in the event of a cyberattack and its consequences. This can help SMEs to protect their IT systems from any damage, work stoppages, cyber extortion threats, third party liability, and tech support coverage so that they can go back to their normal state of affairs.

Technology, algorithms and artificial intelligence (AI) have become essential tools to create predictive models that help (re)insurance companies estimate the potential impact of a cyber event.

At the beginning of 2021, Mapfre RE signed an agreement with KOVRR, a leading company in cyber risk modeling and quantification, based in Tel Aviv (Israel) to be able to deepen the knowledge, analysis and assessment of this type of risk. Through a sophisticated evaluation analysis of the technological systems of each risk/company, Kovrr is capable of estimating, based on predictive models, the potential maximum expected loss based on a broad catalogue of cyber events.

This makes it possible to determine the exposures that a company faces based on a portfolio at a given time, being able to quantify, measure and price the risk based on the coverages offered, comments Oscar Taboada, head of MAPFRE RE’s Cyber business.

Joan Cuscó, global transformation manager at MAPFRE Open Innovation (MOi) confirmed that “KOVRR is one of the biggest successes of our partnership program with startups. Our mission is to adopt disruptive solutions for the insurance industry, and the collaboration with MAPFRE RE is an example of what (re)insurers and technology startups can accomplish when they bring their expertise together.”