Just 20% of SMEs have cyber insurance – despite being a high risk for attack
With more than two million businesses across the nation, small to medium enterprises (SMEs) account for the vast majority of Australian businesses. The Australian Cyber Security Centre (ACSC) notes that 97% of businesses have fewer than 20 staff, and the prevalence of small businesses makes this sector a prime target for cyber criminals. In fact, the ACSC’s Small Business Survey found a staggering 62% of small businesses had been victims of cybercrime.
Growing risk
Australia is among the top countries in the world when it comes to cybercrime – ranking fourth highest in terms of cybercrime victims per capita in 2021, according to research from privacy protection company Surfshark. Trend Micro notes Australia is one of the top 10 countries for ransomware victims – ranking seventh – with Australia and New Zealand making up 76% of all ransomware attacks in the Oceanic region.
The Australian Bureau of Statistics (ABS), notes that the number of cyberattacks doubled in just two years – more than two in 10 businesses (22%) experienced a cyber security attack during FY22, compared to almost one in 10 (8%) in FY20. ACSC data showed there had been a 13% increase in the number of cybercrimes reported in FY22 – with a cybercrime being reported every seven minutes, up from every eight minutes in FY21.
This year, cyberattacks and extortion claims have resurged – with ransomware victim numbers up 143% globally during the first quarter, according to Allianz Commercial. January and February saw the highest number of hack and leak cases in three years. The insurer says ransomware is the single largest cause of cyber insurance claims, with ransomware and extortion-based attacks accounting for more than 80% of claims from standalone cyber policies, while business interruption makes up 50% of all cyber-related losses by value. Allianz expects the number of annual cyber claims to increase by 25% by the end of 2023.
Big impact
According to the Council of Small Business Organisations Australia’s (COSBOA) Small Business Perspective Report 2023, 44% of small businesses have experienced a cyberattack.
For a small business, even a minor cyber security incident can have devastating impacts. In FY22, the average cost per cybercrime reported to the ACSC rose to over $39,000 for small businesses and to $88,000 for medium-sized businesses. In addition to the direct costs, there are numerous indirect or hidden costs of a cyberattack. These include, but are not limited to:
- business interruption or destruction
- reputational damage
- loss of customer trust
- insurance premium increases
- lost contract revenue
- lost sales
- reduction in profits
- loss of intellectual property
- credit rating downgrade
- business devaluing, and
- damage to share price.
Research from Chubb found that key concerns for SMEs after a cyber incident were relationships with customers (51%), profits (51%), cost of incident (51%) and public reputation (47%).
According to the ABS, 34% of businesses reported loss of time in managing cyber security attacks, 18% reported downtime of service, while 17% reported a loss of staff productivity in the 2021-22 financial year.
Insurance giant Swiss Re estimates that the total costs of handling a cyber incident for SMEs are three times more than for large corporations, in relative terms.
The Australian Small Business and Family Enterprise Ombudsman notes that more than 60% of Australian SMEs don’t survive a cyberattack or data breach.
Rising concern
Law firm Maddock’s Risk, Regulation & Resilience survey found 68% of Australian organisations think cybersecurity is a key risk to their business.
Research by online small business lender OnDeck showed that 50% of small businesses were concerned about cybersecurity threats, but the majority of SMEs were not prepared.
The concern is warranted.
According to Business Australia, almost half of Australia’s small businesses are vulnerable to cyberattacks and 44% of small business owners are not confident they’re protected against cyber threat. The report also found that 38% of small businesses were not spending any money on cybersecurity and that 51% were worried they would suffer a cyberattack in the next six months – while 21% had already fallen victim to an attack.
Three-quarters of small business owners are concerned about the risks of a cyberattack, according to the COSBOA report. And around half of all small businesses feel that a breach is inevitable. Despite this, around half of all small businesses in the survey had low confidence in their ability to fight a cyberattack or recover from one.
Defences lacking
SMEs are especially vulnerable to cyberattacks thanks to their low defence capacity, notes Swiss Re. SMEs are less likely to have the technology and security defences that a large business would, making them prime targets for cybercrime.
Cybercriminals target small businesses mainly because of their limited resources and, oftentimes, lack of advanced cybersecurity measures, notes an article in Forbes. These attacks can result in significant financial losses, damage to their reputation and even the closure of the business.
The majority of SMEs believe they are too small to be targeted by cybercriminals or that any internal issues would have minimal impact on their business. Chubb’s Too Small to Fail? survey found almost two-thirds (60%) of SMEs believed they were less vulnerable to cyber incidents than their larger competitors, yet the majority (60%) had experienced a cyber incident in the preceding 12 months.
According to the COSBOA report, 47% believe cybersecurity is too complicated for small businesses to set up and maintain. In a survey by Mastercard, 47% of small businesses named cost as the main hurdle to securing digital systems, while 30% said knowledge of the solutions available was a barrier and the time taken to explore their cyber security options was nominated by 31%. And the ACSC small business survey found almost half of all SMEs spend less than $500 on cybersecurity each year.
Insurance ignored
Many SME owners are ignoring a key strategy in protecting their businesses – cyber insurance.
Cyber insurance is designed to cover certain financial losses a business incurs as a result of a cyber incident. A policy can cover a business for expenses related to:
- hiring negotiators and paying a ransom (where permitted by law)
- interrupted business
- recovering or replacing records or data
- liability and loss of third-party data
- defence of legal claims
- copyright infringement
- misuse of intellectual property online
- crisis management and monitoring
- prevention of further attacks, and
- regulatory and legal compliance.
Cyber insurance can not only compensate the business for loss of funds and the costs of recovering from attacks, but can provide the business with the support it needs when a loss happens. This should include access to an expert incident response panel, who will provide technical resources should an incident occur: IT security experts, forensic investigators, lawyers, and crisis communication specialists who will work together to help you manage the situation and get back online as quickly as possible.
Insurers are taking different approaches in terms of what they offer and how they respond, however they can offer a variety of options including preventative services, costs to repair and recover your IT systems and data, cover for financial loss arising from a cyber event, cover for liability actions resulting from an attack and response and resumption services to help businesses get back on their feet.
According to the Insurance Council of Australia, only about 20% of SMEs and 35-70% of larger businesses have standalone cyber insurance.
Some SMEs also mistakenly think that other business insurance covers (such as public liability, management liability or other business liability policies) will cover cyber whereas, in reality, most of these policies specifically exclude cyber.
A business needs a separate cyber insurance policy that covers the business’ risk exposures and includes cover for costs such as business interruption, legal expenses and data recovery.
However, comprehensive cyber insurance is viewed as too expensive for most small businesses, according to the COSBOA report.
Cyber insurance costs improve
For a number of years, cyber insurance has been faced with a hard market. These market conditions led to:
- capacity contracting
- cyber security standards tightening
- premiums rising
- reducing limits of cover
- deductibles increasing
- cover inclusions changing
- ransomware sub-limits being applied
- co-insurance requirements being implemented
- more robust underwriting controls being mandated, and
- coverage taking longer to secure.
Against this backdrop, cyber insurance had been cost prohibitive for many businesses, particularly SMEs. Recently, the premium costs have begun to stabilise, and market conditions turn more favourable for clients – opening up cyber insurance to more businesses, including SMEs. (See our Market Summary for details).
With the stabilising market, it is possible for many SMEs to find affordable cyber coverage. In particular, smaller businesses in relatively low data industries (such as hospitality, retail, real estate) can often obtain cost-effective cyber insurance with a number of different offerings available in the market with varying premium costs. For certain businesses – namely high data businesses such as accountants, legal practices and health services – affordable cyber covers can be harder to find (depending on the value of the data). This is where working with your EBM Account Manager to present a strong case to insurers is invaluable.
Work with your broker
Clients with strong cybersecurity controls experience more favourable outcomes from insurers – with better coverage, and lower premiums. The opposite is the case for clients who lack basic cyber hygiene practices – with premium and retention increases, coverage restrictions, and/or overall insurability challenges.
To achieve the most favourable outcome, you need to work with your EBM Account Manager to present a solid risk profile to cyber insurers.
Qualifying for cyber insurance within the SME space will depend on you demonstrating that certain cyber security controls are place, such as multi-factor authentication, file encryption, endpoint protection software, privilege access management, network security and monitoring solution, staff cyber training, and procedures to update systems and apply security patches.
You will need to demonstrate that you have a systematic approach in place for best practice governance, processes, resilience and security controls to reduce overall cyber risk and potential claims activity.
To achieve a favourable outcome, your insurer will need to be assured that you have a thorough understanding of your risk, have appropriate plans in place to respond to a cyberattack, and have a strategy to recover from an attack.
By working with your EBM Account Manager, securing cyber insurance which is both cost-effective and appropriate for your business and the cyber risks you face will be far less challenging. Your broker knows the cyber insurance market and can provide proactive strategies to help reduce your risks and present a compelling narrative for insurers.