In late 2020, a small New Jersey medical practice experienced a data breach that exposed health info and social security numbers of 1,600 patients. The breach was caused by a server misconfiguration during a software update by the practice owner. The error allowed public access to sensitive patient information on a file transfer site without a password. This exposed data was automatically made searchable by Google and accessible online. The New Jersey Attorney General assessed a $200,000 fine for the misconfiguration and data loss. The firm’s primary clients canceled their contracts. The company closed its doors shortly after.
Traditional assessment criteria have long been the bedrock of decision-making for banks and financial institutions when considering small- and medium-sized business (SMB) lending. These criteria typically revolve around credit history, financial stability, cash flow and market conditions. However, a new factor is emerging as a crucial element in evaluating loan risks for SMBs: cybersecurity.
Currently, when a bank assesses an SMB for a potential loan, the focus predominantly lies on the business’s financial health. This includes scrutinizing balance sheets, profit and loss statements, and the business owner’s personal credit history. The aim is to gauge the business’s ability to repay the loan. However, this traditional approach often overlooks a growing threat that can significantly impact an SMB’s financial stability: cyber threats and the security measures (or lack thereof) that the business has in place.
The cyber threat landscape continues to change, with SMBs increasingly becoming targets. According to a report by Verizon, nearly half of cyberattacks target small businesses — virtually any business with a bank account. Yet, many SMBs lack robust cybersecurity measures. A recent report by the cyber insurance firm Hiscox highlights that businesses with novice or immature security practices have breach costs 2.5x higher than those with mature practices.
Such incidents can have a dire impact on an SMB’s operations and finances. A cyberattack can lead to substantial direct costs such as ransom payments, data recovery expenses and downtime. Indirect costs include reputational damage and loss of customer trust, which can have long-term financial implications. Other industry data shows real-world costs to businesses ranging from $8,000 on the low end to nearly $300,000 on average per data breach and into the multi-millions for organizations under regulatory compliance regimes.
A cyber incident can disrupt business operations, leading to loss of revenue and potential legal liabilities. For example, Adversis recently worked with a midsized company recovering from the compromise of an administrative Microsoft 365 account, losing access to all data stored in its Sharepoint repositories and sending thousands of malicious emails to its business partners. On top of the response costs, the company spent many hours and several sleepless nights concerned about the impact on future contracts.
This directly affects an SMB’s ability to service debt. If a substantial portion of their revenue is diverted to addressing cyber incident repercussions, their capacity to make regular loan payments may be compromised.
Recognizing this risk, it’s prudent for banks to integrate cybersecurity assessments into their loan evaluation process. This doesn’t mean becoming cybersecurity experts but rather ensuring there is a basic cybersecurity strategy or information security program in place.
For example, banks can start by inquiring whether the SMB has a formal cybersecurity strategy, utilizes regular data backups and has employee training on cybersecurity best practices.
Also consider that cybersecurity is much more than IT. For example, ensuring that multi-factor authentication is configured for all online employee accounts, verifying that software-as-a-service platforms are securely configured and not inadvertently exposing information, and ensuring technical risk is appropriately prioritized. As technology touches every aspect of a business and its processes, it is prudent to have a risk-informed view of cybersecurity as a system affecting business operations.
Moreover, underwriters may want to consider industry-specific cybersecurity risks. A retail business with an online store, for instance, faces different cyber threats compared to a manufacturing company.
Incorporating cybersecurity assessments in loan processes is more than just a compliance issue; it’s a strategic business decision. This approach can lead to reduced default rates and foster a portfolio of financially stable and resilient SMB clients. By emphasizing cybersecurity, banks not only protect their interests but also encourage safer business practices in the SMB sector, contributing to a more secure and financially sound business ecosystem.
As we continue to embrace technical solutions in business operations, the importance of cybersecurity in determining the financial stability of SMBs becomes increasingly apparent. Banks and financial institutions have an opportunity to revise their loan assessment processes to include this critical element. By doing so, they can make more informed lending decisions, reduce risk and support the development of a more secure and resilient SMB sector.
This evolution in lending practices is not just a response to the growing technical threats but a proactive step towards a safer and more stable business environment.