The biggest priority for businesses is to lock down their infrastructures, which could be more of a challenge with the development of new technologies, as well as the introduction of such workforce-accommodation policies as “bring your own device,” which itself can usher in a “huge risk” to a business, Gersh said. In fact, the growing use of mobile devices – along with cloud services – is seen as the second biggest impediment to improving IT’s ability to respond to a data breach, behind insufficient visibility into end-user access of sensitive and confidential information, according to the results of the Experian-Ponemon survey.

“All the insurance underwriters are going to want to know what your best practices are … before they even consider giving you coverage,” said Mark Greisiger, president of NetDiligence, based in Gladwyne, Pa. “What we typically find is the more forward-leaning clients are actually going out ahead of time and getting a cyber-risk assessment done.”

Gersh says Forthright is seeing that with some of its clients.

And for Forthright and other MSPs, notably those that store data in the cloud, cyberinsurance and data protection are indeed high priorities, Greisiger told IT Best of Breed.

“Some of the issues that are of concern to the leading … underwriters are the aggregation of risk,” he said. “A lot of these (MSPs) have hundreds of thousands of clients (whose data live on their servers). And one loss, one impact (to) that cloud operation could create thousands of claims overnight.”

But on the plus side, many cloud service providers have better security practices in place than most of the companies that use them, Greisiger said.

The average cost of a data breach last year to a company was $3.79 million, said Experian’s Bruemmer, who added that a hit of that magnitude to a small businesses that might have “a million pieces” of personally identifiable information “really is damaging.” Further, 80 percent of small businesses with less than 100 employees that are hit with cybersecurity breaches end up going out of business within 18 months after they’re hit.

“That, in fact, supports that there’s a lot more pressure on small and (mid-sized) businesses than there is on larger organizations,” Bruemmer said.

Can cyberinsurance fix everything? Not really, according to Forthright’s Gersh.

Even if a business buys cyberinsurance, it doesn’t necessarily make the business whole again, because of the potential erosion of customer trust and brand reputation, said Gersh, who likens the purchase of cyberinsurance to that for loss of an arm or leg. It may “lessen the sting,” he said, but “it’s not going to make you whole.”