Almost half of Australian SMEs don't understand their obligations under the Notifiable Data Breaches scheme, a Chubb report has found.

Some 47% are unaware of the requirements, introduced more than a year ago, leaving them open to significant financial penalties if they fail to report a breach.

Chubb’s second annual SME Cyber Preparedness Report, entitled Ignorance is Risk, also reveals disturbing levels of overconfidence among SMEs.

One in three (32%) senior leaders assume their business will never experience a cyber incident, while 49% of SMEs don’t have a data breach response plan.

A worrying 79% are confident they can overcome a breach by sophisticated hackers within 24 hours – highlighting a significant gap between expectation and reality.

Only 43% of SMEs invest in cyber risk training for their employees, and just 27% have cyber risk insurance.

Chubb’s Cyber Underwriting Manager Asia Pacific Andrew Taylor says the lack of understanding on notification is “a huge cause for concern”.

“While larger companies seem to understand their obligations, SMEs are less clear,” he said.

“A cyber incident can be catastrophic for a smaller organisation, and this lack of understanding around reporting obligations raises the stakes further.

“While the NDB scheme is receiving more notifications, it is highly likely that many more breaches have gone – and continue to go – unreported.”

John DePeters, Cyber and Technology Industry Practice Manager Australia and New Zealand, says the overconfidence issue appears to have worsened since the last survey.

“In all of these important control areas there are weaknesses,” he told insuranceNEWS.com.au.

“The reality is it takes a really strong incident response, and we have seen many cases where the recovery runs into weeks and months.”

Mr DePeters says there may be a case of “breach fatigue”, where SME leaders read almost constant reports of large business breaches but think it won’t happen to them.

“There is a perception that this is a large business exposure, but actually small to mid-sized businesses are the low-hanging fruit and more vulnerable.”

Mr DePeters believes the relatively low take-up of cyber insurance is also a concern.

“There is a collective opportunity for the insurance industry to help clients tackle this,” he said.

Click here to read the full report.