The Next Major Pandemic: Cyber Attacks on Small Businesses

January 31, 2023
Industry Commentary

The year 2022 was very difficult for small businesses, and as we enter 2023, the surviving small businesses continue to be plagued with financial uncertainty. In addition to extremely difficult macroeconomic market conditions, there exists another major threat: cyber attacks. Research shows that small businesses are the #1 target for cyber criminals with attacks at all-time highs and an average ransom payout of $200,000+, which in many cases must be paid. This puts small businesses in great jeopardy.

Today, the digital transformation of a small business also means that it carries a significant amount of financial liability related to cybersecurity threats. 83% of small businesses don’t carry cyber liability insurance and 60% go out of business within six months after a cyber attack.

This is because small businesses carry a tremendous amount of new financial liability as a result of doing business in a digital world. This liability falls into three categories: First Party, Third Party, and Regulatory.

First Party liability refers to the liability incurred when a small business is directly attacked. First-party financial damages include the ransom to be paid, data recovery expense, business downtime and associated loss of revenue, the cost of notifying affected customers and employees, hiring of legal and/or PR firms, and reputational damage among customers that leads to decreased revenue.

Third Party liability refers to damage from connections to third parties (e.g. partners, customers, vendors). Third-party financial damages include legal fees to hire counsel, cost of settlements, civil awards or judgements resulting from a lawsuit, and large partners or customers severing ties.

Regulatory liability refers to breaches that lead to governmental compliance failure and the resulting fines. For example, new privacy laws in New York (Shield Act), California (CCPA), and other states impose harsh fines for consumer data breaches even if your company doesn’t reside there.

This basically means that if your small business has a customer that resides in any of these states, and your systems are breached and their private information is leaked or stolen, you are financially liable for the damage in the form of fines and penalties.

Regulatory liability also refers to compliance failures due to security breaches that result in harm to consumers (e.g. HIPAA compliance).

When you add up all these liabilities, it’s painfully clear that small businesses carry significant financial risk when operating in our new digital world.

Making matters worse, insurers are increasingly cautious with these small businesses and are requiring more sophisticated technologies and liability safeguards to protect against cyber criminals taking advantage of these new digital vulnerabilities.

Compounding the problems are recent work-from-home models that have made it easier for cyber criminals to attack small businesses for financial gain, and these small businesses typically don’t have the resources to purchase the latest technologies that large businesses use to protect themselves.

Fortunately, savvy small businesses with security-conscious operators are increasingly prioritizing cybersecurity and cyber liability coverage to mitigate their risks. Cyber liability insurance policies have also responded to these new challenges, providing coverage for attacks of all kinds. But not all cyber liability coverage is created equal, which puts much of the onus back on small business owners to educate themselves on seemingly foreign definitions and concepts.

Additionally, navigating the appropriate technologies to defend against cyber attack, and ensuring that if breached the policy will pay out on the claim, is increasingly complex.

The solution, and a major trend in the industry, is to work with companies that integrate both cybersecurity technologies and liability coverage into one solution. This makes deployment easier and faster, but more importantly ensures that any breach that results in a claim is likely to be covered.

In essence, cybersecurity is becoming more about insurance, and insurance is becoming more about cybersecurity. This promising trend will help small businesses protect themselves in an increasingly hostile digital future.

Chase Norlin is the CEO of Transmosis, a nationally recognized cybersecurity training and services company that protects small businesses from cyber attack with integrated cyber liability coverage and 24/7 security operations.

About Uplevel Systems

Uplevel Systems, as a small business IT infrastructure managed service provider, enables any of these options. Uplevel’s subscription offering is the most popular with SMBs, but some prefer Uplevel’s new equipment purchase program and use a CapEx model.