Is Cybersecurity Worth the Cost for Small and Midsized Businesses?

Given the uncertainty of proactive measures and their associated costs, small and medium-sized businesses may be tempted to incur reactive costs if and when a data breach does occur. But that’s a bad call, says Brian Gillam of Cozen O’Connor.

In the long run, preparing for a cyber-attack is nearly always going to be less expensive than simply reacting to a breach, and it is a requirement for insurance. One/quarter of all cyber-insurance claims are partially or fully denied due to exclusions in the policy.

Many small to medium-sized businesses aren’t insurable because they can’t demonstrate a reasonable level of cyber readiness. The most important task is determining which risks to address proactively in the form of assessments, workforce training, policy preparation, and insurance, versus which to address by remediation.

To calculate the appropriate amount to spend on cyber-attack prevention, compare the annualized loss expectancy to the annual cost of cyber readiness. In year one, a small to medium business can expect to pay $20,000 to $60,000 for an initial assessment. Then add $7,500 to $12,500 for regular phishing tests and an additional $10,000 to $25,000 for the formulation of a response plan and related exercises.