Page 12 - Cyber Defense eMagazine September 2025
Historically, SMBs have treated cybersecurity as a cost and have been reluctant to commit funds to the
various types of cyber risk management. There are several reasons for this stance. SMBs tend to
consider themselves too small for cyber criminals to attack. They ignore the fact that ransomware, data
breaches, and other attacks are easier for criminals to access and turn against businesses. They don’t
consider the existential risk of being unable to pay to restore services and resume normal operations.
The numbers tell a different story, however. In the past couple of years, over 10 million SMBs have
suffered cyber attacks; about a half-million each year just go out of business entirely as a result. The risk
of such failures does not fall on the affected SMBs alone.
The rub comes where their customers and clients become unwilling to shoulder this risk of
non-performance. It has become more and more common for customers, especially in the supply chains
of critical infrastructure, to demand that their SMB suppliers demonstrate that they have implemented
cyber risk management measures. In addition, they are increasingly requiring proof of cyber risk
insurance. Should the SMB supplier be unable to fulfill the terms of a contract, the purchaser needs
assurance that there is a deeper pocket available to help pay for delays and replacements.
Once this set of dynamics is recognized, it’s easy to see how the result is the shifting of risk from the
buyers and insurers to the SMBs. What has been an optional expense is moving in the direction of
becoming a requirement to stay in business.
This first column focuses on the relationships of SMBs with financial institutions. Of course, there are
SMBs providing products and services to banks and other financial institutions, including insurance
companies and securities firms. There is no question that the timeliness and accuracy of SMB suppliers
are paramount in fulfilling such contracts.
The broader and even more vulnerable aspect of their relationships tends to be on the customer side,
where the SMBs typically depend on banking services and working capital loans to stay in business. Any
cyber event which impairs the ability of the SMB-customer to comply with the terms of such a loan
becomes a problem for the bank.
It's not just the banks which must take a fresh look at the cyber vulnerabilities of their credit customers.
They are regulated heavily by both state and federal agencies. This regulation is carried out through
rigorous examinations. Weak borrowers discovered in regulatory examinations can result in both write-
offs and additions to loan loss reserves and even civil money penalties.
Notably, in a recent FDIC report on examinations, only 2 pages out of 80 pages are devoted to
cybersecurity. Similar factors are in play at the Small Business Administration, which is responsible for
guaranteeing SBA loans. However, there can be little doubt that as cyber attacks grow, ransomware
becomes a greater threat to SMBs, and their ability to service their loan obligations may be impaired,
the regulators will impose more stringent requirements.
But it is certain that stricter standards will be observed as the ease of cyber attacks grows and the
vulnerabilities of SMBs continue. The only effective response must be for SMBs to undertake
cybersecurity measures. The other choice is to risk losing not only business opportunities but the entire
operation as a going concern.
Copyright © 2025, Cyber Defense Magazine. All rights reserved worldwide.