Cybersecurity Threat Level Remains High: Expert Insights on NIS-2 & Cyber Insurance

If you run a small or medium-sized enterprise (SME), you might think cyber threats primarily target large corporations. However, Gerrit Knichwitz of Perseus Technologies warns that this is a dangerous misconception. In a recent interview, he highlighted "significant gaps in IT security" within the SME sector, emphasizing that the threat landscape remains tense. With the EU's NIS-2 directive expanding cybersecurity requirements and attacks on service providers increasing, understanding your risks and protections is no longer optional—it's critical for business survival. This guide will help you navigate the evolving world of cyber risk management and cyber liability insurance.

The Expanding Reach of NIS-2: Who Needs to Comply?

The original NIS directive focused on critical infrastructure like healthcare and energy. NIS-2 significantly broadens this scope. Now, essential entities include sectors like postal services, food supply, and waste management. But crucially, the criteria also consider company size. While micro-enterprises with under 50 employees are exempt, medium-sized businesses are now in scope. Given that SMEs constitute 99.4% of Germany's economy, this represents a major shift. The directive aims to ensure a high common level of cybersecurity across the EU, addressing the vulnerabilities often found in companies without dedicated IT departments.

Key Implications for Your Business:

  • Compliance is Mandatory: Affected companies must implement specific security measures and report incidents.
  • Prevention is Prioritized: The directive emphasizes risk management and resilience.
  • Broader Liability: Non-compliance can lead to significant fines, making robust cybersecurity for businesses a legal and financial imperative.

Assessing the Current Threat Landscape: Ransomware, Phishing, and Beyond

Knichwitz confirms the threat level is "tense" and unlikely to change soon. Conflicts are increasingly fought in cyberspace, with motivations ranging from financial gain to political destabilization. Key threats include:

  1. Ransomware Attacks: Encrypting data and demanding payment for its release.
  2. Phishing & Business Email Compromise (BEC): Tricking employees into revealing credentials or authorizing fraudulent transfers. Perseus notes a rise in email account takeovers targeting small businesses.
  3. Supply Chain Attacks: Germany's Federal Office for the Protection of the Constitution warns that compromising a single vendor can expose the entire network of that vendor's clients.

This dynamic environment makes prioritizing IT security not just wise but essential for business continuity.

Beyond the Payout: Choosing the Right Cyber Insurance Policy

Financial coverage after an attack is just one piece of the puzzle. When selecting a cyber insurance policy, you should insist on comprehensive preventive and responsive services. Knichwitz stresses that "prevention is the be-all and end-all." A robust policy should include or provide access to:

| Service Category | What It Should Include | Why It Matters |
|---|---|---|
| Risk Assessment & Prevention | Cybersecurity audits, vulnerability scans, employee training (e.g., phishing simulations). | Identifies and closes security gaps before attackers exploit them. Meets NIS-2 principles. |
| Incident Response Planning | Help creating a detailed emergency response plan, not just a hotline number. | Defines processes for assessing incidents, recovering data, and resuming operations swiftly. Studies show prepared companies incur lower costs. |
| 24/7 Emergency Support | Direct access to forensic experts, legal counsel, and PR crisis management. | Minimizes downtime, regulatory fines, and reputational damage during a crisis. |
| Post-Incident Recovery | Data restoration services, ransom negotiation support (if offered), system repair. | Helps you return to normal business operations as quickly as possible. |

As Knichwitz points out, companies like Perseus offer standardized security checks tailored for SMEs, providing a clear overview of necessary actions. Investing in these preventative measures, often supported or mandated by a good insurer, directly reduces potential incident costs.

Actionable Steps for SME Leaders:

  1. Conduct a Cybersecurity Audit: Use a standardized check to identify your most critical vulnerabilities.
  2. Develop an Incident Response Plan: Don't wait for a breach to figure out your response. Define roles, communication chains, and recovery steps now.
  3. Evaluate Your Insurance: Scrutinize potential cyber insurance policies for the service suite, not just the coverage limit. Does it help you prevent and manage a crisis?
  4. Train Your Team: Regular training on phishing and security best practices is your first line of defense.

In conclusion, the combination of regulatory pressure from NIS-2 and a persistently high threat level makes cybersecurity a board-level issue for SMEs. A strategic approach combining internal safeguards, employee awareness, and a service-rich cyber liability insurance policy is the most effective way to build resilience. As Knichwitz advises, prioritize IT security today—it's the best investment you can make for your company's tomorrow.