Many also face challenges around qualifying for cyber insurance if they fail to meet the minimum information security insurance requirements. And if they do meet insurers’ stringent requirements, many forgo the purchase of cyber insurance due to prohibitive cost barriers. Cyber insurance premiums have increased anywhere from 25-400% over the past year for insureds with or without cyber claim history.
“The submit to bind ratio [for small business cyber insurance policies] is around two out of 10 – and that’s for companies under $1 billion in annual revenue,” said Kurt Suhs, founder and CEO of Concierge Cyber. “If only 20% of small businesses buy cyber insurance, what do the other 80% of companies do in the event that there’s a cyberattack? Often, even those that have cyber insurance don’t know what to do, or who to call, particularly if they suffer a ransomware attack.”
Suhs – a cyber insurance veteran who used to lead the cyber divisions of Ironshore and Liberty Mutual – launched Concierge Cyber in 2019 to give small businesses and private clients (with or without cyber insurance policies) access to relevant information and tools for use both before and after a cyber incident.
He described the low-cost membership platform as being “like roadside assistance, but for cyber”. Members are guaranteed emergency response to a cyberattack or data breach through a team of high-quality providers, on a pay-as-you-go basis and at substantially discounted rates.
“Just like cyber insurers, we have a panel of companies, including 20 law firms, 16 cyber security firms, all three credit bureaus, and crisis management firms, and our members receive 35-50% off the street rate for their services,” explained Suhs. “We also provide a ransom hostage manual [which shows users] what to do pre-, during-, and post-ransomware attack. Members get access to 12 security policy templates, and they receive two hours of priority access with an on-call chief security officer.”
While Concierge Cyber is heavily focused on incident response, the firm also offers pre-loss services, including security awareness training to prevent common attacks like business email compromise (BEC), social engineering, and phishing.
This is particularly important, Suhs said, as carriers have introduced minimum security requirements – such as enabling multi-factor authentication for email and remote access, and possibly even using endpoint detection and response (EDR) technology – before they’ll even consider writing a policy.
“People get the analogy of roadside assistance for cyber,” Suhs told Insurance Business. “With cyberattacks, it’s not a matter of if, it’s not a matter of when, it’s how big? There’s a 100% chance you will have an attack; I don’t know the frequency or severity, but I can tell you it’s going to happen.”
Concierge Cyber has gone to market directly to customers and through various re-seller partners, including agents and brokers, trade groups and associations, and more recently through insurance carriers. There are three pricing tiers for companies with annual revenues up to $10 million, from $10 million to $50 million, and over $50 million, with annual membership fees of $250, $490, and $995, respectively.
Suhs said agents and brokers are a critical cog in the chain because small businesses and private clients often look to them as their “outsourced risk manager”.
“Initially, we were working with brokers and MGUs, but now we’re opening it up to carriers, not to be on their cyber panel, but to offer Concierge Cyber to maybe professional liability [policyholders], where their policy may exclude cyber, or directors’ and officers’ (D&O), or property,” explained Suhs.
“Think of it like the employment practices liability (EPL) hotline for D&O. That’s how we market it. It’s a value-added service, which provides dedicated incident response, because again, the majority of small businesses don’t have cyber insurance or access to professional resources in the event that they suffer an attack.”