Viewpoint: Insurers must do more to protect SMEs against cybercrime

Today’s cyber criminals are entrepreneurial, organised and ruthless, and they increasingly seek to attack the most vulnerable. 

The rise of ransomware is a particularly big issue. Between 2019 and 2020, more than 600 US towns, cities, and counties suffered ransomware attacks that forced the closure of hospitals, police departments, and other public services.

Even a large global insurer such as Mapfre is not immune to this threat. We suffered a cyber attack on the night of August 14, 2020. The timing was no coincidence, since August 15 is the day with the highest number of vehicle transactions in the year. But it all started a year earlier.

It was August 2019 when the attackers began to take their first steps against us, investing significant amounts of time and money developing the attacking and testing strategies they finally used to break into Mapfre’s systems.

Our security measures and contingency plans for this type of incident worked as expected, and allowed us to achieve our main objective: to guarantee uninterrupted service to our clients and the privacy of their data. But this does show how all of us are potentially vulnerable to this wave of cyber crime, no matter how big we are or how much we prepare against it.

The weakest link

Small and medium-sized enterprises (SMEs) are the most vulnerable businesses of all. Statistics show 53% of SMEs suffered some form of cyber attack in 2021. SMEs represent a huge part of the global economy and are vital to our economic future, employing more than two billion people worldwide.

Yet they are vulnerable precisely because of a lack of awareness of the danger. In Spain alone, 99.8% of SMEs do not consider themselves a target for cyber attacks. Partly as a result of this misplaced confidence, 60% of SMEs go bust within six months of suffering a cyber attack.

SMEs are now even more at risk after the pandemic. This is because the rise of remote and hybrid working and use of devices to access company systems and data remotely increases the number of vulnerable access points. Any SME can be accessed from just one employee laptop with out-of-date cyber protection,  or from just one person clicking a link on an email.

At the same time, because they are now so connected, larger organisations can be targeted through the under-protected SMEs in their supply chains. Protecting SMEs is therefore not only the right thing to do – and essential for our future global prosperity – it is also vital to keeping all of us protected. In short, we must all work together to help solve this problem.

Insurers can be more proactive in offering SMEs advice and support to understand why they need cyber insurance and what they need to cover. Mapfre’s SME cyber insurance product costs an average of just €400 ($412) but only around 3% of our SME clients have bought the product so far, proving it is not enough for insurers simply to offer SME cyber insurance and leave it at that.

Because of this, Mapfre now offers a range of SME cyber support services to analyse companies’ current and potential risks and recommend appropriate mitigation and protection strategies.

Shaping public policy

However important is it to protect SMEs, the overall trend in cyber crime is towards more sophisticated and targeted attacks with greater disruptive potential. Just as insurers must become more proactive to educate and protect SMEs, so must society also band together to help protect society against large-scale cyber attacks.

The scale of the threat is significant, on a par with the global climate crisis, or even the pandemic. In those instances, we saw governments and pharmaceutical companies collaborate to develop effective vaccines to help bring us out of lockdowns.

For a while we have also seen government agencies partner with insurers to share the costs of mitigating and protecting against extreme weather events caused by climate change. Following this same example, we now need an effective public-private partnership to combat the potentially catastrophic cyber threat.

This will involve transnational legislation targeting cyber criminals and pooling the costs of responding to large-scale cyber terrorism. Insurers can help to lead the way, educate the public, and shape public policy with governments. Indeed, if we are serious about combatting this threat, it is a moral imperative for us to act, and sooner rather than later.

Antonio Huertas is chairman of Mapfre