

RedSeal, VP Business Development, and Elissa Doroff, Product Manager, XL Catlin, Cyber & Technology

A salesperson, working from a café while on the road, sends proprietary client information over an unsecured Wi-Fi connection. A project manager at a management consulting firm loses a tablet that had neither a passcode nor encryption. An online company that collects its customers' email addresses is hit with a breach that compromises over 300 records.

Many small and mid-sized businesses, even those without a heavy online presence, are not adequately protected against a cyber breach or attack. In many cases, businesses go without cyber coverage, assuming they don't need it or that their errors & omissions (E&O) policy will cover whatever issue may occur.

Such thinking could prove devastating, particularly for small businesses. According to a recent Verizon study, 61 percent of the cyberattacks in 2017 targeted small businesses. Even companies that store a minimal amount of customer data (emails, phone numbers, or addresses) still carry a vulnerability that can cost both money and reputation. Data show that 60 percent of small companies go out of business within six months of a cyberattack. The estimated cost to recover is $690,000 for a small business; for mid-sized companies, the price tag for a cyber event jumps to over $1 million.

An Evolving Risk

Fifteen years ago, cyber liability was not a concern for every business. Many companies had no online presence, and cyber thieves were not yet commonplace. Even after the 1988 Morris worm, the first widely recognized internet worm, whose uncontrolled spread effectively denied service to thousands of machines, and the rise of denial-of-service (DoS) attacks that followed, small and mid-sized businesses were not yet on the radar of cyber thieves. Attacks occurred, but they were typically perpetrated by less experienced hackers and rarely targeted smaller businesses.

Today, cyber attacks have moved on from incidents such as MafiaBoy (a distributed denial-of-service attack launched in 2000 by a 15-year-old Canadian high school student against the likes of Amazon, eBay, and CNN, costing an estimated $12 billion in damages) to sophisticated attacks intent on bringing down specific targets, such as global banks or foreign governments. One such attack, the Petya (NotPetya) outbreak of June 2017, encrypted and disabled systems at banks, newspapers, electricity providers, and foreign ministries in Ukraine while displaying a ransom demand, and infections spread to Australia, France, Germany, Italy, Poland, Russia, the United Kingdom, and the US.

While most small to mid-sized businesses are not targeted in these large-scale attacks, there are plenty of cyber thieves who see the value in targeting smaller entities for faster payoff. That’s because many smaller companies do not have the sophisticated level of security and response that larger companies put in place.

Cybersecurity: Not in the Budget

The reason for the lack of adequate security is simple: cybersecurity, particularly at the level many companies should have, is expensive. While larger corporations with arguably more significant exposures cannot afford to go without top-level security, many smaller entities cannot afford to pay for a comprehensive cybersecurity program.

Also, there is often a disconnect between need and perceived need. Smaller companies may not be taking cyber risk seriously, or may believe that their protocols for handling customer data are straightforward enough to allow them to avoid exposure.

Another reason many smaller companies opt out of cybersecurity protection: they believe their industry is not appealing to cyber thieves. However, nearly every industry has been targeted – financial, insurance, real estate, retail, legal, and more. A survey of small and mid-sized businesses revealed that an estimated 22 percent of those companies were cyberattack victims in just a two-year period: in one case, a construction firm in Maine lost $600,000 in a cyberattack.

There is another risk that comes with a cyberattack: how the public will respond to the breach. The adverse publicity that surrounds such breaches turns the cyberattack into a privacy issue, a reputation issue, and a public perception issue. Add to that the cost to notify customers that their information may have been compromised, remediate the damage, and launch a forensics investigation, and the total cost of a breach becomes more than some companies can absorb.


Affordable Cyber Protection

It often does come down to cost. No matter what the risk, if cybersecurity is not in the budget, few companies will buy it, however strong the case for it. Traditional cyber insurance products, which tend to cover the scope and breadth of a large-scale cyberattack, are often too expensive to make sense for a smaller business.

Yet going without coverage is a serious gamble. In 2017, the average cost to smaller businesses from damage to or theft of IT assets and infrastructure was $1,027,053; the average cost to those same businesses from business interruption was $1,207,965.

Fortunately, there are options for small to mid-sized businesses, and they do not need to forgo cyber liability coverage entirely. Cyber endorsements are an affordable option that allows businesses to protect themselves against the cost of cyberattacks. XL Catlin's cyber liability endorsement is an add-on to many other coverage forms, such as errors and omissions, architects and engineers, and other specialty lines of coverage, and offers up to $1 million as a sublimit within the E&O policy limits.

Such coverage is not as broad as a standalone cyber liability policy, but it is designed for smaller entities with an incidental cyber liability need rather than a primary one. For instance, a company that collects only email addresses will not have as large a cyber exposure as a company that collects Social Security numbers. The endorsement gives the company some protection and the ability to remediate.

When looking for a cyber liability endorsement, the essentials are coverage for third-party liability, loss of business income and extra expenses, the cost of a forensics investigation, notification and credit monitoring, cyber-extortion and ransomware, and data recovery. Also look for an endorsement that provides some form of mitigation preparation.

Prevention Strategies

Even small entities can put cybersecurity measures in place that can reduce the risks of cyberattack. Some easy, effective steps include:

  • Create data handling policies: Limit how many employees are allowed to handle customer data, and limit who can access the data repository. Educate employees on how to handle sensitive data and how to dispose of it safely.
  • Use the latest antivirus software: Make sure all devices, including mobile phones (whether company-owned or not), have current antivirus and antispyware software, and keep it updated.
  • Use firewalls: Make it harder for thieves to reach your networks. Put password protection on all Wi-Fi networks. Encrypt sensitive data both at rest (on laptops, tablets, and phones) and in transit.
  • Train staff to identify potential threats: Teach employees to recognize phishing and other social engineering, and require strong, unique passwords that are changed promptly when a compromise is suspected. Data show that 60 percent of employees use the same password for multiple sites and accounts, and 63 percent of data breaches occur because of weak, default or stolen passwords.
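The last bullet is the one a small business can enforce mechanically. The following is an added example, not code from the article or from XL Catlin, showing how a password-policy check can reject short, default and previously breached passwords without sending the password itself anywhere: only the first five hex characters of its SHA-1 hash are used to look up a range of candidate suffixes, which is the k-anonymity pattern used by public breached-password services. The default-password list and the breach corpus here are small constructed samples, and the range lookup is served from an in-memory table rather than a network call, so the script runs offline.

```python
"""Password policy check: reject short, default/weak and known-breached passwords.

Added example (not from the original article). DEFAULT_PASSWORDS and
_CONSTRUCTED_BREACH are small constructed samples standing in for a real
vendor-default list and a real breach corpus.
"""
import hashlib
from typing import Dict, List, Tuple

MIN_LENGTH = 12

# Constructed list of common default/weak passwords (stand-in for a real list).
DEFAULT_PASSWORDS = {"password", "admin", "123456", "welcome1", "letmein", "changeme"}

# Constructed "breach corpus": plaintext -> number of times seen in breaches.
# A real corpus would only ever be handled as hashes; plaintexts appear here
# solely so the example can build its own range table at import time.
_CONSTRUCTED_BREACH = {"Summer2017!": 3, "Passw0rd!": 9, "qwerty123456": 42}


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the format breach range tables use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_table(corpus: Dict[str, int]) -> Dict[str, List[Tuple[str, int]]]:
    """Index the corpus by 5-char hash prefix -> list of (35-char suffix, count)."""
    table: Dict[str, List[Tuple[str, int]]] = {}
    for pw, count in corpus.items():
        h = sha1_upper(pw)
        table.setdefault(h[:5], []).append((h[5:], count))
    return table


RANGE_TABLE = build_range_table(_CONSTRUCTED_BREACH)


def range_lookup(prefix: str) -> List[Tuple[str, int]]:
    """Stand-in for the remote range endpoint: given a 5-hex-char prefix, return
    every (suffix, count) pair in that range. Nothing about the full hash leaves
    the caller; the caller matches the suffix locally."""
    return RANGE_TABLE.get(prefix.upper(), [])


def breach_count(password: str) -> int:
    """How many times the password appears in the breach corpus (0 if never)."""
    h = sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    for candidate_suffix, count in range_lookup(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def check_password(password: str, username: str = "") -> List[str]:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("on the default/weak password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    seen = breach_count(password)
    if seen:
        problems.append(f"appears {seen} time(s) in the breach corpus")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Summer2017!", "qwerty123456", "correct horse battery staple 2017"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

In a real deployment the `range_lookup` function would query a breached-password range API over HTTPS; the point of the prefix-only query is that the service never learns which password, or even which full hash, was checked.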

Small to mid-sized businesses with insufficient cyber liability protection do have options. Even those companies without a large online exposure have a level of cyber risk that could be devastating to the business. Doing without any coverage is unsafe. Simple and consistent cybersecurity measures, along with a cyber liability endorsement to an E&O (or other) policy, can give these businesses peace of mind, and make doing business online much less risky.


About the author

Kevin Kiernan is a senior underwriter in XL Catlin’s Cyber and Miscellaneous Professional Liability businesses.  He can be reached at


Global Asset Protection Services, LLC, and its affiliates (“AXA XL Risk Consulting”) provide risk assessment reports and other loss prevention services, as requested. This document shall not be construed as indicating the existence or availability under any policy of coverage for any particular type of loss or damage. We specifically disclaim any warranty or representation that compliance with any advice or recommendation in any publication will make a facility or operation safe or healthful, or put it in compliance with any standard, code, law, rule or regulation. Save where expressly agreed in writing, AXA XL Risk Consulting and its related and affiliated companies disclaim all liability for loss or damage suffered by any party arising out of or in connection with this publication, including indirect or consequential loss or damage, howsoever arising. Any party who chooses to rely in any way on the contents of this document does so at their own risk.

US- and Canada-Issued Insurance Policies

In the US, the AXA XL insurance companies are: AXA Insurance Company, Catlin Insurance Company, Inc., Greenwich Insurance Company, Indian Harbor Insurance Company, XL Insurance America, Inc., XL Specialty Insurance Company and T.H.E. Insurance Company. In Canada, coverages are underwritten by XL Specialty Insurance Company - Canadian Branch and AXA Insurance Company - Canadian branch. Coverages may also be underwritten by Lloyd’s Syndicate #2003. Coverages underwritten by Lloyd’s Syndicate #2003 are placed on behalf of the member of Syndicate #2003 by Catlin Canada Inc. Lloyd’s ratings are independent of AXA XL.
US domiciled insurance policies can be written by the following AXA XL surplus lines insurers: XL Catlin Insurance Company UK Limited, Syndicates managed by Catlin Underwriting Agencies Limited and Indian Harbor Insurance Company. Enquires from US residents should be directed to a local insurance agent or broker permitted to write business in the relevant state.