A matter of when, not if: Brokers need to highlight cybercrime dangers to clients

A matter of when, not if: Brokers need to highlight cybercrime dangers to clients | Insurance Business

A matter of when, not if: Brokers need to highlight cybercrime dangers to clients

The rise in cybercrime may have failed to make Australian businesses realise the importance of having the right cover for such risks, but brokers are playing a key part in ensuring commercial clients do.

Australian businesses are underestimating the risk of cybercrime to their business, according to Allianz.

The insurer’s global survey found that Australian business is most concerned about the risk of natural catastrophes such as storms and flood. However, the threat posed by more modern risks such as cybercrime is often underestimated.

Of the risk managers surveyed in Australia, 46% identified natural catastrophes as the number-one risk for corporate clients and 33% said it was business interruption.

The threat of cybercrime should not be underestimated. “Even businesses with unlimited resources such as state entities and governments are still vulnerable and are increasingly losing the battle with cyber gangs,” warns Paul Ducat, placement services national manager of Marsh’s financial and professional liability practice FINPRO.

Ducat says businesses are becoming increasingly aware of the escalating cost of cybercrime, but that this realisation had taken some time. “In the increasing network security race against the criminal cyber gangs, many businesses are now only realising, despite increased spending in risk management and IT resources, that it is not a question of ‘if’ but ‘when’ a data incident is likely to occur,” he says, “and that is changing views towards cyber risk.”

He believes the downfall of vulnerable companies is relying on third parties to provide services and feeling that, having done so, they dealt with their exposure to cybercrime threats.

Marsh works with specialist insurers to ensure that businesses have access to a suite of risk minimisation and risk-transfer options to help clients. “Insurers’ response can be tailored across the full range of business sectors to include coverage which provides an incident response team,”says Ducat.

Other industry observers agree that many businesses are not adequately protected. Robert Cooper, director of Cooper Professional Risks, believes businesses do not prioritise cybercrime risks nearly enough. “Most businesses are not necessarily ignoring it but are not giving this a huge priority at present,” he says. “Other areas such as workplace health and safety and employment practices have more focus at the moment as they have to comply with government regulations and other requirements. However cybercrime is one that they should be giving more focus to.”

Cooper says the danger is that some companies rely too heavily on their IT consultants to detect and monitor attacks or breaches, set up firewalls and update anti-virus software. “IT consultants themselves recognise there is only so much they can do. Many IT consultants are forced to issue disclaimers that they cannot prevent all breaches on their clients IT systems,” he says.

Cooper says it is the broker’s duty to inform the client of cybercrime risks and work out strategies to deal with them. He sees the cyber risk market as growing, and his brokerage is developing a product to source to an underwriter. “This area is likely to develop and probably through the underwriting agents as they respond quicker to market needs and the development of niche markets,” he says.

Many people tend to associate cybercrime with young hackers, but the reality is that it can be committed by employees who have access to systems, competitors, criminals, and activists who disagree with an organisation’s actions or policies.

“Information breaches can easily be caused by someone unintentionally,” North Sydney OAMPS account manager Lynette Britton, a cybercrime specialist, pictured, explains. “An employee, for example, could inadvertently send an e-mail, or a mass e-mail with the wrong data. There have also been examples where employees have lost files, smart phones and laptops that contain sensitive information about their business or their clients,” she says. “Risk management is about being aware of potential risks and working to minimise them.”