There is nothing more important than protecting data.
We are constantly seeing companies of all sizes being hacked all around the world.
The Australian Cyber Security Centre (ACSC) annual report (July 2021 to June 2022) stated that the ACSC received in excess of 76,000 cybercrime reports in that year, which represents a 13% increase on the previous financial year.
This equates to one report every 7 minutes, compared to every 8 minutes last financial year.
Business email compromise (BEC) amounted to $227 million in losses, while the average cost of a crime is more than $39,000 for small businesses, $88,000 for medium businesses, and in excess of $62,000 for large businesses.
In 2003, the Australian Reinsurance Pool Corporation (ARPC) was established by the Terrorism and Cyclone Insurance Act 2003. It was designed to defend the security and infrastructure of this nation from potential terrorist attacks in the context of 9/11. The government-operated re-insurance pool brought stability to the commercial property market, which had threatened to collapse.
But the world has expanded into online attacks that are proving equally terrifying.
So, how can we address cyber security issues? What if we could take out the risk? And what if companies pulled together to solve this ongoing problem?
Cyber poses a unique challenge to insurers, as the cost of a cyber war is unknown and it can aggregate across countries all at the same time. War is a general exclusion in most insurance policies, cyber included. The peril associated with cyber is not limited to aggregate claims; it is also due to cyber becoming an increasingly aggressive threat. The scope of data is limited, and hence it is hard for insurers, insureds, and governments to make informed decisions. So, the question is, how do we protect our most sensitive data when our resources are insufficient?
Cyber insurance can help address the lack of cyber hygiene in small and medium enterprises (SMEs), but unfortunately the cyber re-insurance market is underdeveloped and cannot support the insurers to provide adequate products to SMEs.
SMEs are particularly vulnerable to cyber threats and underequipped to deal with this challenge. More than 50% of SMEs are deemed to have poor cyber security practices (ACSC 2021-2022 report) and 43% of cyber-attacks target SMEs (Kaine Mathrick Tech, 2023).
SME turnover accounts for more than 50% of the Australian economy (CSIRO 2022). So, an attack damages Australia’s economy not only by hampering business operations, but also through the theft of intellectual property from Australian companies to overseas businesses.
Economic espionage is an invisible but persistent risk to prosperity; $33 billion in losses was self-reported in 2020-21, an increase of 13% from previous years (ACSC, 2021).
The insurance solution
At a base level, insurers aim to minimize their risk. Insurers have numerous levers to pull to accomplish this whilst being profitable, one of which is to conduct research on what factors drive insureds to claim and mitigate such risks.
Insurers ultimately have an incentive to maintain expertise in cyber risk, as it minimizes the exposure across their portfolio and will ultimately increase profits in doing so.
If an SME chooses (or it is made compulsory) to have a form of cyber insurance, the broker will advise their client to adopt good data practices, including the use of VPNs, antivirus systems, DNS strategies and more - to minimize the price of insurance.
In this scenario, the client would not only be covered for cyber insurance but also receive a de facto form of cyber consulting. SMEs otherwise do not have access to traditional cyber consultants, as they are priced out of the market for advice.
Brokers such as Marsh in Australia now provide a cyber security self-assessment tool which compares the insured's answers to the best practice standards (Actuaries Institute, 2022).
Similarly, Gallagher RE’s research has found that when an insurer scans for remote desktop protocol, it can reduce the insured’s ransomware claims by 65% (Gallagher RE, 2022).
The private market can provide a cost-effective solution via insurance acting as a primitive cyber consulting body to SMEs and other businesses. However, for this practice to be widely adopted, cyber insurance must be taken up and the ARPC should assist in the accessibility of the insurance.
Cyber SME insurance can be likened to vaccines. Individually, they can help protect the individual user from a virus; however, when used collectively, the greatest protection for society can be achieved. If cyber insurers can reach a critical size for their portfolio, they will absorb social costs and prevent accumulative losses.
For example, if all SMEs had cyber insurance, and the SMEs attempted to be more cyber hygienic because of pricing, they would be collectively harder for would-be attackers to penetrate. The typical profit for an attacker would be greatly reduced, as they would require a more sophisticated attack on a relatively small target with a small payoff. If the total profit is smaller and the probability of success is smaller, then this will de-incentivise some attackers altogether, lowering total attacks on SMEs.
The execution of this idea requires both private general insurers and the ARPC to be actively engaged. The power of cyber insurance does not lie in the assurance itself, but rather through its support desks and its ability to influence the behaviour of SMEs through pricing and eligibility.
Cyber risk is a growing concern and Australia is behind other OECD nations in cyber hygiene. The nature of insurance is to protect assets and minimize risk within society. Cyber risk is no exception. The creation of a separate cyber risk pool within the ARPC will bring much needed stability to the reinsurance market.