Cyber Insurance for Small Businesses: BOP vs. Standalone Cyber

Picture this: A fruit basket full of strawberries, cantaloupe, and flower-shaped honeydew. Yes, you probably have more melon than you want or need, and you wish you had a few more strawberries — but it is packed with various flavors, textures, and bite-sized goodness. 

Now, scratch the produce and fill your basket with property and liability insurance products. This roughly translates to a Business Owners Policy (BOP), a bundle of coverages that address common risks facing small and medium-sized businesses. It’s a convenient, cost-effective, one-stop solution for SMBs. 

A bundle approach may work for fruit, but when it comes to cyber risk, bite-sized coverage may not always be enough to keep small businesses protected. In this blog, we’ll explore the differences between a standalone cyber policy and a typical BOP with a cyber extension. 

Small businesses, big threats

When ransomware makes headlines, it’s usually the story of a large organization with significant supply-chain risk, like the recent Change Healthcare hack. But out of the limelight, small businesses are facing a bleak threat landscape. According to Veeam’s 2023 Data Protection Trends Report, 85% of ransomware attacks target small businesses, and many of them report paying a ransom demand as a last-ditch effort to regain their data.

Understandably, many SMBs are unaware of the prevalence of attacks against their cohort and downplay the risk of cybercrime. For one, attacks on their peers aren’t making national news. Secondly, with modest annual revenues compared to large corporations, they may not feel like they are a cybercriminals’ ideal target. But threat actors have proven time and time again they don’t discriminate. They are after anyone who will pay. 

As the economy of cybercrime has matured, threat actors have mastered tailoring ransom demands to scale with the annual revenue of their victims, increasing their chances of getting paid (and getting paid as much as they can). 

The increasing popularity of ransomware-as-a-service — a business model where ransomware gangs sell or rent existing ransomware tools to (often inexperienced) affiliates that execute attacks — allows for streamlined cybercrime. So, even if the ransom payments are smaller, cybercriminals can target more and more victims in a short period of time. 

By parsing through Corvus’s own claims data, we found that while the average cost of a cyber claim rose along with the revenue of the victim, the smallest tier businesses ($50M and under in revenue) have the most severe claims on a relative basis (as a percentage of revenue). 

In short, small businesses win the unfortunate superlative of “Most Severely Impacted by Cybercrime.” 

Standalone cyber vs. BOP offerings

In a 2022 case between a policyholder and their insurer, the Ohio Supreme Court ruled that the policyholder was not entitled to coverage for a ransomware attack because the electronic-equipment endorsement within their BOP only applied to “direct physical loss” and not damage as a result of encryption. 

The computer software sustained no physical damage, leaving the policyholder with the cost of the ransom and replacing an automated phone system that couldn’t be successfully decrypted.

We share this to highlight how every word matters when it comes to coverage, especially in the rapidly evolving world of cyber. In the case cited above, the court ruled that software is an “intangible item” that cannot experience physical loss. But any organization that has experienced a significant cyber incident knows that the financial and reputational repercussions against their business are as tangible as most “real-life” liability claims. 

It’s unlikely that standard BOP offerings can keep up with the pace of cyber risk. But as digital threats permeate the mainstream, many insurers are looking to meet the demand by offering cyber extensions to their BOP offering. While this can be adequate for some organizations, the reality is that most of these offerings aren’t providing the financial security that standalone cyber coverage does.

How coverages stack up

Misconception: You’ve invested in a standard cyber extension to your BOP, so now your business is safeguarded from cyber losses. 

Reality: Your business is protected from some losses, but in the event of a cyber incident, you’ll likely be left paying for a substantial amount out-of-pocket. 

Below, we’ll explore the coverage differences between a typical cyber extension to a BOP and standalone cyber coverage with Corvus:

First-party coverages

A standard cyber extension to a BOP typically excludes all first-party coverages. This means you’ll have either limited or no protection for costs your organization incurs from a cyberattack or data breach. For example, first-party coverage will apply to ransom negotiations, forensics (to restore systems and data loss), legal expenses (to review any state or legal liabilities), and business interruption (lost revenue when systems were down).

Some first-party coverages included in a Corvus standalone cyber policy:

• Business interruption

  • Coverage that pays the loss of income and extra expenses resulting from a network security event.

• Contingent business interruption

  • Coverage for losses stemming from business interruption caused by interrupted or degraded service from a third-party service provider

• Cyber extortion and ransomware

  • Coverage for costs associated with a ransomware event, including payment of ransom demand

• Breach response and remediation

  • Coverage for costs associated with responding and recovering from a data breach, such as incident response, customer notification, and legal fees

Third-party coverages

Third-party liability covers costs that arise when your cyber incident impacts others, and your clients, customers, or partners are looking to hold you at least partially responsible for damages they’ve incurred from the cyber incident. This includes the costs of legal representation, settlements, regulatory fines, and any court-ordered damages caused by the security incident. 

Most BOPs with a cyber extension will handle third-party costs like regulatory fines and penalties, as well as customer notification and credit monitoring expenses. 

Coverages for additional cyber risks

Cyber risk is evolving at a rapid rate. Threat actors are financially motivated humans, which means they are often finding new, innovative, and creative ways to profit from their victims.

There’s no guarantee that a BOP with a cyber extension has the resources dedicated specifically to cyber risk. But with a standalone cyber policy, you’re more likely to find support from cyber-specific underwriters who are knowledgeable about trends in the market and pivot quickly to address them. 

Here’s a preview of some additional coverages included in a standalone cyber policy:

• Social engineering

  • Coverage for a range of social engineering fraud losses, such as phishing, Business Email Compromise (BEC), invoice manipulation, cryptojacking, telecom fraud, and funds transfer fraud

• Bricking

  • Coverage for the cost of replacement technology if equipment is rendered useless following a malware attack

• Reputational loss

  • Coverage for lost profits or net loss resulting from brand reputation damage following a cybersecurity incident

Social engineering hits a small business

Revenue: Under $30M

Industry: B2B / Wholesale Trade / Distributors

Cause of Loss: Social Engineering, BEC (Business Email Compromise)

Coverage: Breach Response and Remediation Expenses

In the fall of 2023, one of the insured's team members became aware of an email that was sent to one of its customers. This email requested a complete payment, which was irregular as the customer is compliant and within their payment terms. The team member who supposedly "sent" this email confirmed they had not actually sent it. The insured swiftly got in touch with its IT department regarding this anomaly.

Upon thorough examination, the insured's managed service provider (MSP) discovered that an unauthorized party had gained access to the email accounts of several employees via the authenticator. One had been vulnerable for several weeks. The bad actor likely added their own phone number to the single sign-on after an employee’s email was phished.

After this discovery, immediate measures were taken. All employee passwords were changed, and the insured's IT team implemented preventive measures to prevent such incidents in the future.  Luckily, the insured caught on to red flags fast, preventing significant losses. Without proactive intervention, the median incurred loss for businesses under $30M due to business email compromise is $8M USD.

Compare standalone cyber insurance and a BOP with a cyber extension: Download our highlight sheet to share with SMBs

This material does not amend, or otherwise affect, the provisions or coverages of any insurance policy or bond issued through Corvus. It is not a representation that coverage does or does not exist for any particular claim or loss under any such policy or bond. Coverage depends on the facts and circumstances involved in the claim or loss, all applicable policy or bond provisions, and any applicable law. Availability of coverage referenced in this document can depend on underwriting qualifications and state regulations.

This material and its contents are intended for general guidance and informational purposes only. This material is under no circumstances intended to be used or considered as specific insurance or information security advice.