Third-party risks—the notion that a contractor or a supplier could inadvertently expose the first-party organization to a network breach—may not be the sexiest cybersecurity issue out there. But at RSA 2017—the weeklong cybersecurity conference that drew 43,000 attendees to San Francisco’s Moscone Center last month—there was much talk that third-party risks are destined to ascend as a bellwether phenomenon.
I mean that in this sense: Actually addressing third-party risks is something companies of all sizes—from enterprise-class first-party organizations to SMB-size third-party suppliers—must come to grips with, probably sooner rather than later. What’s more, as the journey to mitigate third-party risk unfolds, trustworthiness of internet-centric commerce naturally will rise, perhaps dramatically.
New market emerges
One marker is that tech research firm Gartner has begun monitoring a dozen or so technology vendors marketing third-party risk solutions to large enterprises. Gartner refers to this fledgling cottage industry as the “IT vendor risk management” market. In a report last fall, Gartner predicted that the IT VRM market would expand 30% by 2019.
Case in point: New York state’s freshly minted Cybersecurity Requirements for Financial Services Companies, which took effect March 1, includes provisions that require financial services companies to ensure the security of the systems used by their third-party suppliers.
Meanwhile, Europe has begun to roll out a comprehensive set of data-handling rules that also call out the need to address third-party risk. These include the new framework for commercial data exchange between the U.S. and the European Union, referred to as the EU-U.S. Privacy Shield, as well as the new EU privacy rules known as General Data Protection Regulation or GDPR.
SMBs in hackers’ cross-hairs
To be clear, the burden does not solely rest with large enterprises to mitigate third-party risks. This issue profoundly affects small and medium-size organizations. SMBs no doubt will face increasing requirements to prove their cybersecurity fitness to win contracts from first-party business customers.
“Third-party issues are driven by the fact that outsourcing trends are continuing unabated,” says Jonathan Dambrot, CEO and co-founder of Prevalent, one of the leading IT VRM vendors tracked by Gartner. He says third-party suppliers, in fact, are believed to be the source of as much as 70% of the network breaches that occur today.
Professional cyber criminals are fully aware of the capabilities of the multimillion-dollar security systems that large companies have in place. So they wisely target “the small provider who’s providing some service and who doesn’t have their security controls,” Dambrot says.
Vendors lack knowledge
Meanwhile, all too many third-party suppliers continue to operate either ignorant of, or in denial of, the exposures they’re creating by failing to adhere to security best practices.
“A lot of smaller firms are still struggling with even understanding what they need to do, from a policies standpoint all the way down to the technical controls,” Dambrot says. “Do they have appropriate controls for encryption, identity management and multifactor authentication?”
It’s very early in the ballgame. A Ponemon Institute survey conducted last May found that the majority of the 600-plus respondents agreed that third-party risk was both serious and growing significantly in their organizations.
However, Ponemon found that only a third of those organizations had formal programs in place to manage third-party risks, and only about a quarter of them purchased cyber insurance to reduce the economic impact of third-party risks.
But the potential for elevating internet security, in the longer run, is palpable.
Small- and mid-sized businesses (SMBs) are increasingly at risk for data breach class-action lawsuits that typically have targeted large corporations.
Large companies are learning to address cyber threats. Hackers are responding by setting their sights on SMBs. So it’s simply more productive and efficient to attack poorly protected companies that could take weeks or even months to notice they’ve been breached.
As the risk of exposure moves downstream, the associated class-action lawsuits surely will follow. Statistics from the Identity Theft Resource Center show that the number of data breaches reported in 2016 exceeded 2015 levels by 40%, a worrying trend for those in the small business sector that likely will bear a greater percentage of those breaches going forward. The data stores held by SMBs may be smaller, but they’re no less rich in value to hackers. They contain financial data, healthcare information and other tantalizing personal details.
Security falls short
Unfortunately, because SMBs often lag behind larger companies in the sophistication and scope of their defensive measures, they’re much more susceptible to litigation centered on charges of negligence or a lack of due diligence. Exposures in the SMB sector also could go undetected for long periods, leaving more records vulnerable and increasing the size of the victim pool that may be interested in suing.
Smaller firms’ responses to the risk of cyber attack and litigation depend largely on their industry. Even the smallest healthcare entities are typically well-adapted to address potential data breaches and cyber risks. Long-standing mandates such as HIPAA — as well as a robust, centralized breach-reporting mechanism — have made companies in the medical space a little paranoid about their heavily regulated environment.
Behind the curve
Other small business sectors aren’t as prepared for the risk of a breach. Outside healthcare, the professional services industry, including legal and accounting, is much less aware of where threats exist or how to mitigate them. Many small firms don’t understand their responsibilities regarding data privacy or how data breach notification laws apply to them. Without a good awareness of data privacy concerns, obligations and solutions, these businesses are easy targets for any hacker who happens upon them.
Litigation bills add up
Data-breach class-action lawsuits can result in million-dollar judgments, but devastating costs may be incurred even if a settlement never materializes. A breached small business still needs to defend itself against litigation, and that takes money. Between legal counsel, forensic investigations, data recovery and any other steps the company may be required to take, the company is likely to incur significant financial penalties no matter which way the lawsuit goes.
Some SMBs are realizing they aren’t prepared for a cyber attack. The truly savvy ones are waking up to the prospect that, just as with the professional and employment liability insurance they already have, it would be wise to pursue coverage to defer defensive and recovery costs around their cyber liabilities. With the specter of more breaches — and more class-action lawsuits — coming down the pipeline, SMBs must find a way to minimize the threat of exposures while also putting protective measures in place should they find themselves facing litigation.
This article was originally posted on ThirdCertainty. It was written by Eduard Goodman.
American entrepreneurship is alive and well and growing! There are countless rags-to-riches stories of how people with a good idea, boundless energy and infectious optimism have made it big, or simply made a rewarding livelihood and legacy for themselves and their families. Today’s fintech and insurtech movements are testament to this in spades! And while most national news stories focus on big business, and national cultural events like Black Friday tend to overshadow small businesses, there’s a growing movement embracing these vital contributors to our communities and economy.
The Rise of Small Businesses and the Shop Small Movement
On Nov. 26, 2016, the 7th annual Small Business Saturday event sponsored by American Express and the National Federation of Independent Businesses (NFIB) was held to encourage shopping and patronage of local small business merchants – in the wake of the preceding day’s big box store Black Friday shopping hysteria. According to research done by these organizations after last year’s Small Business Saturday, more than 95 million consumers shopped at small retailer businesses, spending $16.2 billion, up 8% from 2014. Interestingly, the event garnered support from many corporate sponsors – many of which count small businesses as their customers.
Millennials show strong support for local small businesses, indicating they want to be “connected” to the products and businesses they buy from. A study by Edelman Digital showed that 40% of millennials preferred to buy goods and services from local small business retailers, even if doing so cost more.
While Small Business Saturday and Buy Local have a decidedly retail focus to them, the importance of all types of small businesses cannot be overlooked. U.S. Census Bureau figures from 2014 showed that businesses with fewer than 10 employees make up nearly 80% of all firms in the U.S. This is a huge market with enormous needs for products and services, including insurance to keep them running, protected and competitive.
Where’s the Love?
The Rise of the Small-Medium Business Customer research sought to understand small-medium business decision makers’ perceptions and views of those who support and supply them, including insurance. Four hundred business owners were surveyed using the Census Bureau’s definitions of very small to medium-sized businesses (SMBs), which we grouped into three segments (1-9 employees, 10-99 employees and 100-499 employees). The survey provided insights to evaluate perceptions on SMB customer views of insurance as compared with other businesses.
The results were enlightening. Interestingly, fair price was more important than lowest price across all of the business segments. However, the ability to create a custom product from a range of options is more important than both lowest price and the ability to pick from a set of “pre-packaged” options. This finding reflects the increasing demand for personalization rather than price-driven mass production of insurance products.
Even more revealing were the results among the smallest (1-9 employees) businesses. The survey highlights that the traditional insurance business model has not been built with the capability to adequately meet the unique needs and expectations of SMBs. The industry has, instead, pursued a “one size fits all” approach. The consequences are that this segment of smallest SMBs (though with the largest number of such businesses) is uninterested in insurance, sees little value in insurance and considers insurance a necessary commodity or “necessary evil” required for their businesses.
All three segments of SMBs, regardless of size, did not rate insurance as being particularly easy to do business with, in terms of researching, buying and servicing products, compared with the other types of businesses we asked about in the survey. Among the 1-9-employee segment, P&C, life and employee benefits ranked in the bottom half on all three of these aspects.
Much more telling, however, this segment gave the lowest Net Promoter Scores (NPS) to insurance, showing a gap of as much as 60 points between insurance and the top business. (Net Promoter Scores measure the likelihood that a customer will make a recommendation to a prospective customer.)
Adding fuel to the fire, these small businesses were the least likely to say insurance was responsive, innovative, had easy to understand products and provided good value for the money. This is not a pretty picture for traditional insurance — but a great opportunity for innovative “greenfields” and startups.
Going Small Requires Big Thinking
Increasingly, small business customers are demanding a personalized and digital experience, representing the shift from mass standardization of insurance to the micro-personalization of insurance, requiring broader data and sophisticated analytics to truly understand and respond to small businesses as well as a digital experience via a multi-channel approach.
Rapidly emerging digital direct-to-SMB insurers and MGAs such as Assurestart (now part of Homesite/American Family), Cover Your Business.Com (a Berkshire Hathaway company), Hiscox, Insureon, Bolt, Slice and others are leveraging these ideas to reach the small business market. They are providing innovative products, streamlined and simple processes and digitally engaging capabilities that are extending the direct business model to SMB customers. In addition, aggregators, comparison sites or new distribution channels like Ask Kodiak help small businesses find the insurance products they need more easily.
Our research identified gaps between many industry-held perceptions and customer-defined realities, which expose an insurance industry steeped in tradition — its business models, business processes, channels and products that are difficult to find, buy and service — and opens the door to new competitors. We have seen this play out before with personal lines over the last 10 to 15 years. The difference is that the pace of change and adoption of a digital play is unfolding more rapidly this time in commercial insurance, demanding that insurers respond, because the window of opportunity is smaller.
Each company serving the SMB market must ask itself strategic questions, such as: “How do we bridge between the past, today and the future? How do we keep current customers loyal and engaged as we redefine our business to meet the needs of the vastly underserved and growing small business market? How do we get on par with other digital businesses that are setting new expectations for the SMB market?” If traditional insurers don’t ask these questions and respond, others will – taking current and future market share.
Small businesses today are at the forefront of building new, technology-enabled, digitally first, innovative businesses that operate in a multi-channel world … like what we are seeing in insurtech. These businesses are increasingly led by millennials who have “grown up” digital and, as a result, seek fresh alternatives to age-old formulas … especially for insurance needs and offerings, helping them effectively meet their unique needs and expectations. It’s time for the insurance industry to translate the good will from the Buy Local and Shop Small movements into big thinking and innovative solutions.
A new generation of small business insurance buyers with new needs and expectations creates both a challenge and an opportunity. There is no clear path or destination. The time for plans, preparation, and execution is now — recognizing that the SMB customer is in control. Those who recognize and rapidly respond to this shift will thrive in an increasingly competitive industry to become the new leaders of a re-imagined insurance business that aligns to a rapidly growing, millennial-owned, innovative SMB marketplace. Insurance companies must stop talking about the opportunities and being digital, and start doing something about it by using the disruption and change as a catalyst for “real change.”
There are some large anomalies in the business insurance market, including:
Small to medium-sized (SME) businesses spend billions of dollars on premiums globally, yet a detailed risk profile is rarely developed to ensure that insurance producers and carriers are seen as trusted risk advisers rather than just sellers of product.
The absence of risk profiling, and risk control information, makes it very difficult for insurance carriers to recognize and reward businesses that commit to improving their risk management and lowering loss ratios.
There are very few cost-effective risk management services that can assist the millions of SMEs around the world to reduce their costs of risk.
Underinsurance continues to hurt the reputation of the insurance industry.
The capture of client- and industry-specific risk exposures and controls in a risk profile could be the key to correcting these anomalies, resulting in a decrease in claims, improved insurance industry returns and enhanced industry reputation.
Until now, risk profiling through consulting has generally been unaffordable and inefficient for most SMEs, but RiskAdvisor now provides a pre-populated, online risk platform that enables affordable, client-specific, industry risk profiles to be produced in a matter of minutes. The platform library currently contains more than 160,000 risk exposures, controls and treatments, 6,000 benchmarks across more than 600 industries and 60 risk areas.
The automated capture of risk exposure and control information by insurance carriers, producers and brokers has numerous positive effects:
If insurance buyers, producers and carriers capture a client’s industry-specific risk profile, more intelligent and efficient buying, selling and underwriting would occur.
The strategic aggregation and analysis of risk data is important in helping carriers and producers maintain relevance in the marketplace.
Data-driven product development helps carriers and producers bring new risk products to market faster and with greater chance of success.
Data holds the key to improvements in risk management, which is integral to pricing risk.
Sharing risk data with all stakeholders will make everyone involved in the insurance value chain more customer-centric.
There can be a greater focus on more comprehensive customer services and specialty products.
Through digital risk profiling, insurance buyers, producers and carriers can easily understand a business’s industry-specific risk profile and controls to enable more intelligent buying, selling and underwriting of insurance globally.
Advantages to carriers of accessing a digital risk platform include:
A competitive advantage through superior risk selection, enhanced granular underwriting assessment and more accurate pricing of risk in a highly efficient and cost-effective manner.
Having risk information in a timelier manner, before binding acceptance.
Obtaining risk control information and data on a far greater proportion of a carrier’s books at much lower cost.
Interrogation of risk control data by individual risk or at portfolio level. This allows the carrier to obtain valuable insights on the performance of the portfolio, including developing trends and mitigation strategies.
Enhanced portfolio management through the ability to analyze risk controls at an individual and portfolio level.
The strategic aggregation and analysis of risk data promises to alter every part of the industry value chain. A customer-centric view powered by new forms of data, analytics and automation offers the ability to better price risks. Digital risk profiling can deliver benefits to insurance buyers as follows:
Risk profiling helps support better decision making when managing risk.
The risk of being underinsured, or not insured, is reduced through improved risk assessment.
Resilience greatly increases for insureds to recover from loss events.
Governance and compliance outcomes improve.
Security and confidence are enhanced for key stakeholders such as financiers and equity providers.
Digital risk profiling can transform the insurance industry’s value proposition from insurance product sellers to trusted risk and insurance advisers. Capturing risk information at the point of client engagement can have a profoundly positive effect through the entire insurance value chain.