A new report calls out gaps in cyber insurance, particularly in coverage for SMEs, and calls on government and business groups to work more collaboratively to reduce the soaring costs of cybercrime.
A new report commissioned by the Actuaries Institute Cyber Risk and the Role of Insurance calls on government, business and insurer groups to address insurance gaps in protection against cyberattacks. Such attacks cost the Australian economy a staggering $33 billion during the last financial year — an increase of 13 per cent on the previous year. This amounts to a cyberattack being reported every eight minutes to the Australian Cyber Security Centre (ACSC).
To put this figure into perspective, the 2019–20 bushfires cost the insurance industry more than $6 billion, and the general insurance market in Australia was worth $53 billion in the past financial year, according to the June 2022 Australian Prudential Regulation Authority quarterly general insurance performance statistics.
At the same time, cyber premiums in Australia currently stand at only $200 million. This figure is less than one per cent of the total premium collected by insurers and less than one per cent of the cost of reported cyberattacks. Reducing the sum of total losses from cybercrime is essential, yet to date it has proven elusive. The skyrocketing cost of cybercrime is fuelled by cryptocurrencies and untraceable payments, as it is easier to avoid disclosing the transacting party’s identity.
Big and small at risk
The Green Paper analyses the vulnerability of organisations of all sizes to cyberattacks and the gaps that exist in the cyber insurance market. Actuaries Institute president and non-executive chair Annette King FAICD says the research identifies pathways for key stakeholders to prevent further significant damage from cyberattacks. “Sitting back and doing nothing shouldn’t be an option when cyberattacks cost the Australian economy $33 billion in the past financial year,” she says.
In Australia, only 20 per cent of small to medium enterprises (SMEs) have cyber insurance, compared with 35–70 per cent of larger organisations. And yet SMEs are in no way less vulnerable than larger businesses: in 2021, 75 per cent of ransomware attacks were on companies with less than 1000 staff.
“Our research has shown that SMEs are increasingly falling prey to cybercrime,” says the report’s author Win-Li Toh MAICD, a principal at actuarial consulting firm Taylor Fry. “Cybercriminals are not discriminatory: they just go around looking for the weakest point. It is worrying that an estimated 50 per cent of SMEs are spending less than $500 per year on cybersecurity protections.”
The institute recommends scenario planning and a collaborative approach towards training and skills development. Toh notes that good cyber hygiene and security — not insurance — are the first lines of defence. Many government entities fall short of baseline standards of cybersecurity and many businesses are also behind in their resilience against rapidly shifting risks. Insurance will only serve its purpose if these first lines of defence are adequate.
“Australians are more dependent than ever on technology, and as a consequence, cybercrime has the potential to really disrupt our lives,” says Toh. “Despite increasing government and business spend, the losses are mounting.”
The existing approach of government, businesses and insurers trying to tackle the issue in silos is ineffective. Collaboration is needed to uplift Australia’s cyber resilience and to create a vibrant cyber insurance market, which is an important part of the whole risk framework.
Plugging skills gaps
One of the most worrying gaps in boosting the nation’s cyber resilience is the severe shortage of qualified cybersecurity personnel. Australia will be short an estimated 30,000 cybersecurity professionals over the next four years to meet the increasingly sophisticated threats, according to the green paper. A fivefold increase is needed, says Toh. “The government could spend a whole lot of money shoring up their own resources, while the businesses accuse them of stealing their (human) resources. That's not the right narrative. We should be looking at how we can we work together collaboratively to build more of these skills through alternative pathways, rather than engaging in damaging competition.”
Toh cites a new partnership between the University of Southern Queensland, Soldier On Australia and DXC Technology as a successful example of boosting resilience through collaboration. It provides a cybersecurity internship program for military veterans and veteran spouses, which enables them to gain employment where their skills are much needed.
Insurance premiums reflect the defences already in place. Investing in areas such as technological firewalls, and awareness and training, will result in better premiums. At the moment, achieving profitability is an issue for many insurers, which makes them cautious about insuring in general, and makes it difficult for companies to obtain the kinds of policies they need. Toh urges companies to undertake thorough scenario analyses that put a dollar figure on the tangible items that could be lost, along with fines, forensic investigation costs, network repair and the intangible damage to brand reputation following a data breach.
“The cyber insurance market is not as mature as other insurance markets, such as property. Before we leave home, we lock the door and maybe put on an alarm and have video cameras — we see it as basic security measures,” she explains. “Yet many organisations practice poor cyber hygiene. They have staff who lack awareness about phishing scams and the like.”
The report also covers knowledge gaps about insurance among board members. One of the common misperceptions that can lead to cyber insurance hesitancy is a concern that insurers become shadow directors.
“Board members may worry about relinquishing control in a cyber event, with an insurer taking on all decision-making authority,” says Toh. “However, such fears are unfounded. The board will still make the key decisions around payment of ransoms, along with communications to stakeholders and disclosure. The board considers expert advice to inform themselves, but ultimately must use their own initiative in making their decisions.”
In a situation that can prove to be an existential threat to an organisation, it is critical that boards get on the front foot by developing adequate cybersecurity risk strategies and insurance policy protection. The larger problems facing the nation will require a major, long-term joint undertaking.
Download the Cyber Risk and the Role of Insurance report here.
Already a member?
Login to view this content