82% of middle market respondents carry a cyber insurance policy, the most in report history.
69% indicated they are familiar with their cyber insurance policy coverages.
Developing communication plans for crises or disruptions is the leading process to ensure continuity.
A company’s most valuable asset is its data, and that asset must be secured against persistent cybersecurity threats. In a difficult risk environment, companies have multiple options to protect their data and establish effective business continuity processes. However, companies need to carefully determine the right mix of solutions to align with business processes and successfully protect their environment.
Cyber insurance is one of the most utilized tools to protect data and quickly recover if a cyberattack occurs. However, policies have undergone significant changes in recent years. Rising costs have required adjustments from insurers, with increased premiums in some cases and confirmation of certain conditions and controls before issuance of policies. Despite these changes, though, companies still understand the importance of cyber insurance and the peace of mind it can provide.
Once again, the use of cyber insurance is trending up in the middle market, according to MMBI data. In fact, 82% of survey respondents indicated that they carry a cyber insurance policy, up from 76% the previous year and marking the highest percentage in the history of the report.
“It has gotten harder to get the same coverage levels, and you definitely cannot get them for the same price as you used to,” says Alden Hutchison, a principal at RSM US. “There are a lot more requirements, and they make the client prove a lot more security controls are in place to get coverage. But companies are purchasing the policies because they care, and they see the risk.”
The Canadian perspective: Canadian firms are less likely to have cyber insurance coverage than U.S. companies (68% versus 82%).
Both smaller and larger middle market firms increased their use of cyber insurance in the past year, with smaller middle market companies reporting a rise to 75% from 72% the previous year and larger counterparts jumping to 88% from 83%.
“I’m encouraged,” says Antalik. “There have been a lot of changes in the industry, but organizations are moving in the right direction, and cyber insurance is moving from a ‘nice to have’ to a ‘need to have’ thing. It just goes to show the state of cyberthreats—it’s harder to deal with new threats, so companies need to protect themselves from an insurance standpoint.”
Despite the increase in cyber insurance usage, though, fewer companies understand what their cyber insurance policies cover. In the MMBI survey, 69% of respondents indicated they are familiar with their policy coverages, down from 75% in last year’s data. Familiarity with policy coverages dropped significantly among smaller middle market respondents (from 66% to 51%) while larger middle market companies reported a drop from 86% to 82%.
With the changes to cyber insurance coverage in recent years, Antalik believes that in many cases the parties directly involved with negotiations may be the only people who truly understand policy details.
“With a lot of new policies being established, only those that negotiated them know them in depth,” he says. “That’s a little scary; what kinds of things are organizations agreeing to and how protected are they?”
In addition to carrying cyber insurance, middle market companies can implement several strategies to limit business disruptions. In this year’s MMBI survey, the leading processes respondents reported having in place to address disruption and ensure continuity are developing communication plans for crises or disruptions (52%), developing and maintaining a business continuity plan (51%), and implementing disaster recovery plans for critical systems (50%).
Interestingly, those strategies were also the top three among smaller middle market companies, with each strategy cited by 58% of respondents. Responses from larger middle market companies differed slightly, with leveraging technology to hunt for threats and respond to cyber events ranking as the top continuity strategy (47%), likely driven by more funding availability.
However, in the MMBI survey, only 46% of larger middle market companies and 37% of their smaller counterparts reported collaborating with external partners (e.g. suppliers or regulators) for coordinated resilience planning. These figures represent a potential gap and an improvement opportunity for all middle market companies.
Many businesses are deeply interconnected with external parties and third-party service providers, and recent incidents have clearly demonstrated the potential risks when security controls and business practices fall out of alignment.
“Given how dependent organizations have become on one another, stronger collaboration is essential,” says Rich Servillas, a director at RSM US. “To address skills gaps effectively, companies would benefit from being more aligned with the partners and third-party providers that support them.”
Hutchison also emphasizes the potential risks involved with not being effectively connected with third-party vendors.
“We have seen so many of these large third-party incidents occur that have disrupted entire industries,” he says. “The automotive industry and the health care industry were both hit really hard, and they weren’t prepared for how they were going to work with their suppliers to recover from it.”
A plan to protect data and recover from a potential cybersecurity incident is not one-size-fits-all. Middle market companies need to have a customized plan in place and adjust it as necessary to align with evolving risks and business processes.
“If you don’t have a business continuity and crisis plan of some sort in place, you’re at risk of not recovering from a breach quickly enough,” says Hutchison. “That plan can keep you from losing your customers, losing the trust of your partners and even potentially losing the business.”