
'Uneducated' SMEs exposed to cyber threat

Despite attacks on giant firms such as Optus grabbing the headlines, SMEs are increasingly the victims of cyber crime, the Actuaries Institute warns.

The Institute’s new green paper – Cyber Risk and the Role of Insurance – analyses the vulnerability of organisations and the role of insurance in setting best practice standards for cyber resilience.

“Australians are more dependent than ever on technology and cyber crime has the potential to disrupt our lives and really harm us, as we’ve seen in the news recently,” lead author Win-Li Toh told insuranceNEWS.com.au.

“Despite government and increasing business spend, the losses are mounting. We have $33 billion reported in cyber crime losses in the past financial year, up 13% on the year prior.

“No organisation is immune and government, business and insurers can no longer combat this issue in silos.”

Ms Toh says many SMEs are not aware of the risks and as a result are increasingly exposed.

“Education is not reaching SMEs on cyber risks,” she told insuranceNEWS.com.au.

“It is quite an issue. We are seeing SMEs increasingly fall prey to cyber crime, purely because their defences are weaker.

“About half of SMEs spend less than $500 on cyber security and only 20% of them actually have cyber insurance. So that’s quite shocking.

“The government puts out some really useful information but a lot of SMEs we spoke to don’t even know about it.”

Insurers are increasingly cautious about underwriting cyber risks as the number and scale of attacks soar.

Ms Toh notes government entities are “a long way off” baseline standards of cyber security and many businesses are also behind in resilience against rapidly shifting risks.

“Importantly, good cyber hygiene and security – not insurance – are the first line of defence,” she says.

“Mitigation comes first, and then a vibrant cyber insurance market will provide recompense if risks break through these first lines of defence.

“What insurance can [also] do is really boost these first lines of defence by sending the right signals and incentives.

“Insurers won’t insure you if your defences are poor, they will charge premiums that will reflect the defences that you have in place, and the best insurers and brokers will tell you where you fall short.

“Capacity is returning to the market for the better risks. If companies are willing to build up their own defences in the first place then the insurance will be there for them.”

The report flags a “severe shortage” of qualified cyber security personnel.

“The global workforce needs to grow by 65% (from 4.2 million to 7 million cyber security professionals) to effectively defend organisations’ critical assets, with 8 in 10 breaches attributed to a skills gap,” it says.

In Australia, a five-fold increase in the number of students in cyber security courses is required.

Other gaps that need to be addressed include a limited understanding of cyber insurance among boards, achieving sufficient capacity and profitability in the cyber insurance market, and managing accumulation risks.

Ms Toh says cyber risk is growing at unprecedented levels, with ransomware attacks more than tripling in two years.

“The accessibility of Ransomware as a Service (malware products), combined with the development of crypto currencies enabling untraceable payments, has super-charged the growth of cyber attacks.

“This has brought more organisations of different types and sizes under the widening net of cyber criminals to the point where it is now clear that no firm is immune.

“This is why a vibrant and resilient risk management framework and infrastructure for cyber risk is crucial, of which insurance is one part,” she said.
