$16 billion in cyberattack losses - seeing patterns others miss

Robert Jones  ; 2025-11-15 20:26:02

95% of cyber incidents at SMBs cost between $826 and $653,587


By Emily Douglas

Dec 01, 2025

This article was created in partnership with Tokio Marine HCC – Cyber & Professional Lines Group.  

According to the Federal Bureau of Investigation’s Internet Crime Complaint Center, in 2024 the FBI received 859,532 complaints of suspected internet crime and reported losses exceeding $16 billion - a 33% increase in losses from 2023 - as detailed in its annual Internet Crime Report.

As the number of incidents continues to rise, and attacks become more and more sophisticated, a solid defense is the best chance of survival. These defenses, however, can’t be simple or isolated. Instead, they should be multidimensional and collaborative - a perfect blend of preventative and curative approaches in alignment.

Tokio Marine HCC – Cyber & Professional Lines Group (CPLG), a member of the Tokio Marine HCC group of companies based in Houston, Texas, embodies that partnership in the interplay between the Cyber Threat Intelligence (CTI) and Cyber Incident Management (CIM) teams. Speaking to Insurance, Alex Bovicelli, Senior Director of Cyber Threat Intelligence, and Richard Savage, Senior Director of Cyber Incident Management, revealed how real-time information sharing, pattern recognition and a white-glove approach are keeping their insureds safer and smarter about cyber threats.

“In the Cyber Incident Management team, we have the opportunity to interact with our insureds in real-time and help them navigate their way through active cyber incidents. We take the initial call, receive the initial information and then provide guidance throughout the length of an incident. [As such], we get firsthand technical understanding about what's going on, and we can share that information in real-time with the Cyber Threat Intelligence team.” 

‘Real-time interaction is our biggest advantage’ 

Because of that instant exchange of data, often facilitated through a secure and persistent communication channel, there’s no need to wait three months for an IT report or the results of some kind of extensive investigation - making it a seamless process for everyone involved.  

“The real-time interaction is probably [our] best advantage,” added Bovicelli. “When Savage’s team meets with a customer who just experienced an event, his team can ask us in real time, ‘Hey, what did you alert the insured of in the last year and a half?’ Or, ‘Did you see any vulnerabilities or exposures that you alerted the insured on or something that perhaps we should be aware of right now?’ That gives his team the advantage of meeting with the insured and coordinating with the forensics team, already informed about the potential attack vector used by the threat actor.” 

Imagine a cyberattack as a medieval siege. The walls of the castle are lined with archers with arrows, each ready to ward off any forthcoming attacks from the enemy - that’s the CTI team. However, if those walls are breached and the enemy makes it inside the castle, it’s then up to the soldiers on the ground to either defeat them or negotiate a truce - and that’s down to the CIM team.

One notable example of how this expert collaboration works occurred during a surge of attacks by the Akira ransomware group in 2023. Here, Savage’s team saw a commonality between ransomware events - they all involved Cisco ASA WebVPN, a secure and seamless way for teams to connect to their company’s network from anywhere - and they were able to act quickly.

“No one knew how they were being compromised - not in the public, not in the wider cybersecurity news cycle,” revealed Bovicelli.  

However, CPLG’s firsthand approach allowed both teams to quickly realize that there was a pattern there, meaning they could alert their insureds weeks in advance. It’s that real-time collection of information, being able to put those patterns together, that ultimately helped countless customers. What’s more, their pattern-spotting abilities continued as Akira shifted tactics to targeting SonicWall VPNs.

“The Akira group targeted Cisco for a year, and now they've done SonicWall for a year,” said Bovicelli. “[At CPLG, we] can see certain patterns that maybe the industry can't.” 

This proactive, pattern-based approach to detection differentiates CPLG from more traditional insurance models.  

“The direct connection that we have to the client is a differentiator,” said Savage. “We’re involved in risk management discussions, pre-breach conversations and active incident response.” 

Human-first, customer-centric approach  

Bovicelli is particularly proud of their involvement at the human level. As he told IB, they don’t just automate an alert and tell the insured to patch it - an action required to renew their policy - they also focus on specific technical and high-risk exposures.

“We provide assistance to ensure that the patch is applied correctly, eliminating exposure and allowing us to monitor more effectively. [At CPLG], we’re really [offering] a white glove service for all of our customers - and in that sense we’re different from other carriers.” 

This customer-centric mindset is mirrored throughout the entire process. All first-party incidents are handled internally too - meaning that if an insured has a claim at 3am they’re put through to a person not a chatbot. And beyond immediate service, both teams also scan the horizon for broader ransomware trends where a common misconception prevails time and time again.   

“A lot of insureds say, ‘Why would they want to attack me? I’m just a small business.’ But it's not about targeting a name - it’s about targeting technology at scale,” added Savage.

And it’s a costly mistake for small businesses to make. According to data collected by StrongDM, 95% of cybersecurity incidents at SMBs cost between $826 and $653,587, with 50% of SMBs adding that it took 24 hours or longer to recover from said attack. For Bovicelli, it’s a topic he’s been obsessively talking about for two years. As he told IB, a large portion of attacks are on smaller companies - those with cyber insurance but less robust controls. And attackers know this.

“There’s this dynamic where smaller businesses just aren’t aware that these attacks make up the vast majority of events. They’re more worried about social engineering or heavy reconnaissance needed for targeting when in reality [criminals] might be brute forcing an SSL VPN login page because they know no one's paying attention to it.” 

Another growing concern here is backup targeting. As Savage warned, backups are being deleted, overwritten and encrypted.  

The difference between a catastrophic event and a non-catastrophic event 

“It’s surprising to see in 2025 that companies still don’t have adequately segregated backups to ensure a smooth recovery. A message to any insured - it is essential to have MFA on remote access and limit the external footprint, but should someone get in and affect your data, you have to make sure you have those backups in place.” 

As Bovicelli aptly put it: “That can be the difference between a catastrophic event and a non-catastrophic event for a company.” 

Another underreported risk lies in unmanaged personal devices. Say, for instance, a personal laptop without EDR (Endpoint Detection and Response) used for gaming then downloads a bundled PC game pack with malware. If the user logs into their work VPN the credentials are exfiltrated. And the IT team doesn't know because they don't see any traffic coming from a VPN network or from a device that they manage.” 

What’s more, attackers also use search engine optimization poisoning to plant malware.  

“They create Trojanized versions of free resources - like a journalist contract template. A user downloads it and it compromises all their browser logins. That’s where people access SaaS or work apps,” Bovicelli added. 

It seems as if cybercriminals are looking for any small window of opportunity to crawl through, any crack in your organization’s defense to manipulate and breach. For businesses, it’s about investing in cyber insurance as one preventive measure rather than taking the dangerous gamble that you will never be impacted. Looking ahead in this space, both Bovicelli and Savage emphasized the need to stay connected to each other to help customers as best they can.  

“We meet regularly in addition to our incident collaboration,” said Savage. “We have to keep feeding the machine to get better at prevention and detection.” 

Bovicelli also pointed to the evolving sophistication of their joint efforts, adding that it’s about knowing how to work with each partner onboarded during an incident to make sure CTI gets what it needs - the raw data. 

“There’s a ton of threat intelligence out there,” added Savage. “Not all of it is relevant. [It’s about] sorting through it and focusing on what’s important to us internally - what’s important to our client base - through continued involvement and collaboration.”