Cybercrime is on the rise – and appearing in myriad new guises. Despite improved cybersecurity, tighter regulations, security awareness training and other measures, the digital bad guys continue to wreak havoc. The global cost of cybercrime is expected to exceed $10trn annually by 2025, according to research firm Cybersecurity Ventures. Here at home, the Australian Cyber Security Centre (ACSC) recorded nearly 60,000 cyber incident reports between July 2019 and June 2020 – approximately one every 10 minutes.
The scams cybercriminals are relying on today might look slightly different, but in the experience of some insurers, they’re essentially the same old tactics.
“Over the past year, we’ve seen phishing emails purporting to be from the World Health Organisation, offering important safety information on COVID-19 with malicious attachments that ultimately led to ransomware being installed on a victim’s systems,” says Philippa Davis, international cyber team leader at CFC Underwriting. She adds that while ransomware remains a significant threat, it’s important for brokers to remind clients that cybercrime such as theft of funds and business email compromise has not gone away.
Davis believes COVID-19 has done a lot to raise awareness of cyber exposures, as businesses have been forced to look critically at their internal practices and transform their IT security (or lack thereof) overnight. As a result, she says, CFC Underwriting has seen a surge in demand for cyber policies.
Heightened awareness notwithstanding, small businesses still lag behind in terms of cyber insurance uptake, says Jaydon Burke-Douglas, general counsel and product and technical manager at ProRisk.
“Cybercrime gets a huge amount of media attention, but the message doesn’t seem to be getting through to SMEs,” he says. “The bigger ASX companies are buying cyber insurance, but there’s a lot of uninsured exposure among small businesses.”
More than a third of Australian businesses with fewer than 100 employees don’t take proactive measures to protect themselves from cyber breaches, according to data from the Australian Small Business and Family Enterprise Ombudsman (ASBFEO). The ACSC reports that almost half of Australian small businesses are spending less than $500 on cybersecurity per year. Yet 43% of all cybercrimes are targeted at small business, according to the ASBFEO.
“Small businesses are the low-hanging fruit due to their lack of security resources and vulnerability, falling victim to first-party losses that are only financially detrimental to themselves,” Davis says. “They may not even be the target – rather collateral damage in larger attacks aimed at MSPs or cloud service providers.”
Davis points to the latest statistics, which show that more than 70% of ransomware incidents impacted companies with fewer than 1,000 people and less than $50m in revenue. “This resonates with CFC’s experience from the 2,000 cyber incidents we’ve managed in the past year,” she says.
In addition to the fallout from the cyber incident itself, regulations in Australia mean additional unsavoury consequences for businesses that fail to protect themselves adequately. The Notifiable Data Breaches Scheme, which came into force in 2018, has been something of a game-changer for the cyber insurance industry. Any company with revenue over $3m that suffers a data breach is obligated to report it to the privacy commissioner and to notify every single person caught up in the breach. This makes a cyberattack very expensive for businesses and can damage a company’s reputation in customers’ minds.
In addition, ASIC has started to sue AFS licence holders – including banks, mortgage brokers, finance brokers and financial planners – if their security controls are not of the standard expected by the regulator. Last year, in a landmark action, ASIC commenced legal proceedings against RI Advice Group over alleged failure to take proper action to prevent cyberattacks.
With so much to lose, why do so many SMEs remain reluctant to sign up to a policy? This year’s 5-Star Cyber Insurers identified several factors. First, it’s a complex topic to understand. Most SMEs know cybersecurity is important, according to the ACSC’s 2019 Small Businesses Survey, but they face significant barriers when attempting to implement good cybersecurity practices, including a lack of dedicated IT staff and challenges in understanding and enacting security measures.
There’s also a prevalent ‘it won’t happen to me’ mindset – and the overwhelming majority of SMEs are operating on the false assumption that they’re already protected. According to the ASBFEO, 87% of SMEs believe their business is safe from cyberattacks simply because they have anti-virus software. Last but not least, cyber insurance is an extra cost that SMEs – which have already been hit hard by the pandemic – feel they can eliminate to save money.
On that note, Burke-Douglas says insurers need to make cyber insurance pricing sustainable and reasonable for SMEs or perhaps offer incentives for signing up – but he also advises brokers to raise the topic, even if they don’t think it will lead to an immediate deal.
“Discussing cyber terms when you are going in for another account, while they might not buy a policy there and then, will start the conversation,” he says.
This year’s 5-Star Cyber Insurers believe education – for both brokers and clients – is key to overcoming some of these obstacles. Some called for more training from insurers so brokers can be more confident explaining to clients why they are vulnerable. Davis says the single most important piece of advice she would give to brokers is to explain the value of a cyber policy in a way that’s specific to each client’s business.
“Clients need to understand why they have an exposure in the first place, especially for those less obvious industries such as construction,” she says.
The easiest way for brokers to do this is to provide industry-specific claims examples and to demystify the topic by avoiding jargon. “I think the best way to explain it to our business customers is to describe it as a ‘digital fire’,” said one broker surveyed by IB. “Then businesses realise the seriousness and the need for cyber insurance.”
So how can insurers and brokers help protect clients when cybercrime is getting more sophisticated, and more and more business is being done online? While the market is hardening, with a number of insurers globally pulling out of cyber altogether, Davis points out that the well-established cyber markets are proactively seeking to prevent claims – and this signals the way forward.
“They’re using scanning tools to determine the security posture of a company as part of the underwriting process, informing clients of any potential vulnerabilities – for example, open RDP ports that may lead to a potential ransomware event or credentials being sold over the dark web – and working with their clients to remediate the problem,” she says. “In our view, the future of the class rests on cyber insurance becoming a proactive service, giving clients access to in-house cyber claims expertise and tailored risk management services.”
‘Market-leading’ is a phrase many insurance companies like to use when describing their products. Now five companies can claim that title on the back of hard market research from the people who matter most: insurance brokers.
To select the best cyber insurers for 2021, Insurance Business enlisted some of the industry’s top experts. During a 15-week process, our research team conducted one-on-one interviews with specialist brokers and surveyed thousands more within IB’s network to gain a keen understanding of what insurance professionals think of current market offerings. Brokers were first quizzed on what features they thought were most important in a cyber insurance policy and then asked how the insurers they dealt with rated on those attributes.
Insurers were measured on the strength of their relationships with brokers, ability to handle claims, underwriting expertise and, most importantly, the strength of the individual products they provide.