DALLAS — Small and medium-size businesses' lack of knowledge and resources to address their cyber risks can not only threaten their own existence, but also pose significant risks to the larger companies with which they deal, say experts.
“One of the big challenges we have when we think about” the cyber risks faced by small and medium-size businesses is they have limited resources, which they direct toward making money, and information security “in a lot of cases is what gets put on the back burner,” said Sarah Stephens, a London-based partner with JLT Specialty Ltd.'s financial lines group.
Ms. Stephens moderated a session on small companies' role in data breaches at the Professional Liability Underwriting Society's 2015 conference in Dallas Thursday.
Speakers said during the session that small and medium-size enterprises, or SMEs, are often defined as companies with less than $100 million in revenue.
Another issue is that smaller firms often incorrectly assume they will not be targets of cyber attacks because of their size, said Ms. Stephens.
Besides, she said, in many cases “it's the smaller guy who has a weaker security” that creates challenges for much larger companies with which they do business.
When dealing with SMEs “you are also dealing with different levels of sophistication,” and there may be a “false sense of security,” said Jeffrey Norton, Chicago-based underwriter, specialty lines, at the Beazley Group. In addition, “People don't generally know” where their data are, he said.
David Navetta, a partner with law firm Norton Rose Fulbright US L.L.P. in Denver, said that while big dollars often are associated with large companies' cyber breaches, they usually can absorb the associated losses. With smaller companies, though, it may be a question “of whether the company can survive.”
“The first objective is to get them to recognize they have a risk, which a lot of them don't want to do,” said Chris Christian, vice president and senior broker at U.S. Risk Brokers Inc. in Dallas.
Also during the session Patricia Sunar, Basking Ridge, New Jersey-based assistant general counsel, public policy, law and security, with Verizon Communications Inc., discussed the new privacy and data security component of the company's vendor contracting process.
Step one is the vendor's general agreement that it complies with breach notification and privacy laws, she said.
Ms. Sunar said it is a good practice, especially for smaller enterprises, “to look at their indemnification obligations.”
“You have to be careful about what you're agreeing to do,” she said. “Don't just sign anything.”