By Scott Talbott
Technology has transformed our lives in myriad ways. We can send messages, post images, stream videos and effortlessly connect with each other instantaneously. We can take courses, obtain medical diagnoses, shop, read customer reviews and easily compare prices between items online. Entrepreneurs and business owners can now even “close the deal” on equipment financing agreements and other financial services completely online, helping them quickly grow their businesses.
The technology powering these transformative changes to the way we do business and live our lives have contributed to social, economic and political progress all over the world. Yet these remarkable technologies that have presented so many exciting new opportunities aren’t invulnerable. Bad actors can target these systems and make business owners and consumers victims of cybercrime. While almost every business insures themselves against risks like fire and theft — and invest in prevention measures — investment in cybersecurity lags well behind the risks.
The risks to small businesses
Small businesses, like the smaller equipment dealers and lenders, face tough enough challenges for survival. But cyberattacks can drive too many viable businesses into bankruptcy.
The 2017 Canadian Survey of Cyber Security and Cybercrime by Statistics Canada revealed that 19 per cent of small businesses had been affected by cybersecurity incidents, while five per cent of businesses had no cybersecurity measures in place at all. Studies have also found that over 70 per cent of data breaches in Canada involve attacks on small to mid-sized enterprises.
The steep recovery costs of a single cybersecurity incident — estimated at $200,000 per incident — can be an existential financial burden to many businesses. According to the U.S. National Cyber Security Alliance, a staggering 60 per cent of small businesses go bankrupt within six months of suffering a cyberattack, resulting in job losses and damaging economic ripples.
Cyberattacks, and their potential financial damages to small businesses, represent a growing risk for lenders serving these firms. For example, last year the asset-based lending market in Canada directed $300 billion towards retail vehicle lending. One can well imagine the potential losses there due to cybercrime, given the depth of personal and corporate financial information that are incorporated in these transactions.
Cyber insurance obstacles
Cyber insurance will help affected businesses continue to service their financial obligations. Cyber insurance policies reimburse businesses for various costs associated with a breach, like remediation and notification expenses, and losses caused by damage, theft, disruption or corruption of electronic data. Annual premiums for cyber insurance are typically a few dollars per thousand dollars of coverage.
Even though failing to act leaves them vulnerable, most small businesses struggle to find the funds to put mitigation measures in place and secure cyber insurance. A recent study by the Senate of Canada’s Committee on Banking, Trade and Commerce acknowledged that more support for businesses is needed. A recommendation in the Committee’s 2018 report on cyber threats noted “… businesses should be given incentives to invest in cyber security improvements, for example, by making these investments tax deductible.”
While the Government of Canada continues to emphasize the link between digital adoption and economic growth, it has also recognized that the lack of cyber-preparedness has the potential to hurt Canadians and damage the economy. Budget 2019 stated that “as rapid growth in the digital economy continues, safeguarding cyber security has become a priority for governments, businesses and individuals…”
Recognizing these alarming realities, some countries have taken steps to help small enterprises improve their cyber-resilience. In Australia, for example, small businesses can qualify for government grants of up to $2,100 for a certified cybersecurity check from an approved provider.
The Electronic Transactions Association (ETA) applauds the Government of Canada for working to develop a voluntary certification that would recognize small businesses that meet a baseline set of security practices. However, given that the need for businesses to protect themselves against cyberthreats has never been more important, the ETA calls on the Government to spur faster adoption of safe practices by providing a non-refundable tax credit for Canadian-based small businesses to purchase cyber insurance.
Taking the steps required to become adequately insured against cyberattacks and making sure that the insurance is incentivized and available to small businesses, can give these firms a tool to help ensure their survival.
Here are the payoffs from the cybersecurity, business, and ultimately customer perspectives. Providing a 15 per cent non-refundable tax credit for those small businesses that have met the requirements of the voluntary cybersecurity certification program to purchase cyber insurance would encourage the adoption of enhanced security practices.
The tax credit would also serve as a catalyst for businesses to improve their cyber-resilience. That’s because, to be eligible for a cyber insurance policy, firms must demonstrate certain requirements to insurers, including inventorying data, assessing steps to protect data, utilizing technology controls, implementing employee training and other key best practices.
Some insurers also focus on additional steps like encryption that helps promote businesses’ cyber awareness and frequently leads to additional measures. The results are tangible and incremental improvements to a firm’s cyber-resilience that strengthen our economy’s resilience to cyberattacks.
As the digital economy grows, so too will the risk of cyberattacks. It’s critical for small businesses to adopt strategies to fight these threats. The proposed tax credit would encourage business owners to take the steps necessary to protect their livelihoods, local jobs and, in the process, the Canadian economy.
Scott Talbott is senior vice president of Government Affairs for the Electronic Transactions Association (ETA)(www.electran.org).