Several high-profile attacks have compromised systems across the globe, and targeted organisations have incurred multimillion- dollar losses. It seems impossible now for businesses to hide from the reality of cybersecurity threats.
But despite an apparently growing general awareness of such threats, are Australian businesses responding appropriately? Are companies proactively pursuing measures to minimise the impact of a cyberattack on their operations?
Talking about awareness specifically among SME business owners, Andrew Faber, branch manager of Arthur J.
Gallagher Parramatta, refers to a recent study by the New South Wales Government’s Small Business Commissioner. That study revealed that 80% of business owners felt their businesses could adequately respond in the wake of an attack.
But there’s more to the story.
“When 40% of the same respondents listed Google as their ‘go to’ for seeking help, the awareness of what actually can go wrong is very limited,” Faber tells
Insurance Business.
“Whilst the vast majority of business owners wanted a tool to assist in combating the risk of cybercrime, more than three quarters were wanting that tool at no cost, or would be unwilling to pay more than $1 per day to assist in that risk management strategy. This demonstrates that whilst the understanding of the risk is there, the lack of awareness of the damage to the business is exceptionally low.”
Cybersecurity Ventures’
2016 Cybercrime Report estimated that cybercrime could cost the world more than US$6trn (A$7.53trn) a year by 2021. Regardless of organisation type or industry, everyone is a potential target.
“Business owners will see large, global brands such as Amazon and Facebook as those with the real risk whilst seeing their own business as ‘too small’ to be of value to a hacker, and thus not worth the effort of a cyberattack,” Faber says.
“There is also a strong belief that either engaging off-the-shelf anti-virus software or using third party IT consultants to manage their risk is sufficient to ward off any attack.”
The brokers’ knowledge gap
And it’s not just businesses themselves failing to appreciate the extent of the cyber threat.
“As cyberattacks are a relatively new insurable risk, without the years of claims data and the personal experience of having clients suffer cyberattack losses, the level of awareness within the broking community is still low,” Faber says.
“Much like when the market saw the introduction of management liability programs into the SME space, take-up of cyber protection policies is low as brokers are not able to talk with the same knowledge and authority to their clients about cyber exposure as they can with fire, theft and liability matters.
“To be able to advise clients on their risk, brokers need to develop their knowledge of IT systems and how vulnerable they are to outside attack.”
Faber adds that brokers must also understand the actual costs to a business of responding to a cyberattack. “In the example of a ransomware attack, it is not simply the cost of the ransomware but also the cost in IT support, rewriting of records, crisis management and potential notification of a breach under the Privacy Act, not to mention the actual loss of business revenue,” he explains. “These costs will often run into the tens of thousands of dollars for the smallest of SMEs.”
Reid Sawyer, senior vice president of credit, political and security risks at
JLT Specialty USA, emphasises the need for brokers to sit with their clients and apprise them of their unique cyber risk and how they can minimise their liabilities. He says the most important way in which organisations can understand their risk is by first identifying the assets at risk.
“Often, identifying assets at risk is not as straightforward as some organisations would
think,” Sawyer says. “It is a bit of a discovery exercise through the organisation to understand where the critical systems are [and] where the loss of those systems or information poses a material risk to the organisation.”
He also emphasises the need to move the conversation beyond data privacy and for the risk to be understood from a business and strategic level.
“How do you calculate that risk in business terms? What is the impact to your organisation if you lose contracts or market value because of a breach? That then lets you set limits and retentions and design your optimal program.”
Discussing how brokers can ensure their clients have up-to-date knowledge of the biggest types of cyber threat they face, Sawyer recommends continued dialogue between broker and client about the risk itself, as well as not treating cyber risk in linear fashion.
“It is not just a cyber broker talking to the risk manager, and then the property broker talking to the risk manager or D&O and financial lines manager. It is really about how we help our clients think about integrated cover and what the implications are across the entirety of the enterprise,” Sawyer says.
Bridging the knowledge gap
So, how can brokers ensure they can assist clients in obtaining proper cyber protection?
Dougal Hawkes is the founder and CEO of insurtech provider Augmentor, which focuses on simplifying cyber risk advice and assessment for its clients. He too says general awareness of cyber risk among Australian insurance brokers is poor, specifically highlighting a failure to appreciate the critical impacts. He illustrates the point by making a comparison to home and contents insurance.
“A simple question of ‘Do you have a deadlock?’ or ‘Do you have an intrusion alarm?’ is relatively easily answered,” Hawkes says. “In the cyber risk environment, asking questions such as ‘How well do you understand the cyber threats to your business?’ or ‘How prepared are you for the next cyber breach?’ will often be met with confusion or overly optimistic assumptions, due to lack of information at the executive level.”
Hawkes talks about Augmentor’s work to raise awareness of the cyber threat.
“Augmentor provides a resilience maturity rating to both the broker and the insurer, which enables them to better understand their risks and book quality,” he explains. “In addition to providing a rating, Augmentor also provides the business a cost-effective means to educate themselves on the related issues, as well as recommendations and templated plans to assist the business in reaching cyber risk resilience. Augmentor also introduces the business to services and products that can help.”
Hawkes outlines the key benefits of working with such an organisation.
“Brokers can become far more proactive and create a relationship-driven business if they partner with a cyber risk assessment and education company such as Augmentor,” he says. “By sharing clients, working together and educating them on the impacts of cybercrime, we can establish how best to mitigate and transfer risks. This is an important aspect of combating cybercrime.”
Cyber risk is continuously increasing, and the need to take steps to properly respond is evergrowing. Andrew Faber says the volume of cyberattacks increased by 300% between 2015 and 2016.
“It is a growing risk faced by each and every business, regardless of size, that needs to be addressed and understood better by both SME business owners and brokers alike.”
