Clearer Cyber Risk Benchmarks Urged for Australian SMEs
Australian analysts are calling for tighter cybersecurity rules to mitigate the devastating financial impact of cyberattacks on small and medium enterprises (SMEs), many of which lack adequate insurance coverage.
“The financial fallout from a single cyber event can be devastating,” warned Susie Amos, principal and head of commercial lines at Finity Consulting Pty Ltd. “For an SME, even a fraction of this cost could lead to insolvency.”

A consistent and affordable certification system would give SMEs a clear path to improvement and tell the market how well prepared they are, Amos explained in a Zoom interview. According to the Australian Cyber Security Centre, six out of ten Australian SMEs reported experiencing a cybersecurity incident, at an average cost of $32,000 for small businesses and $40,320 for medium enterprises.
SMEs are burdened by cyber insurance premiums ranging from $448 to $32,000 annually, Amos added. Kristine Salgado, cyber broker leader at Marsh & McLennan Companies, Inc., noted that many SMEs mistakenly believe their cyber risk is low because they don’t handle large volumes of personal or health data.
“The misconception is that [cyber risk] only applies to data,” Salgado told Insurance Asia in a separate Zoom interview. “But it actually applies to system availability, the ability to conduct business using technology, and reputation.”
Lindsey Nelson, head of cyber development at CFC Underwriting Ltd., said that 89% of business costs in Australia in the past 12 months were due to ransomware attacks, compared with 71% globally and 65% in the US. “That figure for Australian businesses is quite shocking. Australia is a heavy SME economy, and SMEs are often downstream victims of larger-scale attacks.”
With 2.6 million Australian SMEs as of June 2024, representing 97.2% of all businesses, the issue is significant. Nelson noted that SMEs are more likely to pay ransoms to restore operations. Systemic risk arising from shared reliance on a few major service providers presents another challenge, Salgado warned.
The July 2024 CrowdStrike outage highlighted the potential for widespread disruption, but companies with strong business continuity plans limited the fallout. “That’s probably the bigger challenge for insurers — how to model those systemic losses,” Salgado said.
Australia’s Cyber Security Act 2024 requires businesses with an annual turnover above $1.92 million to report ransomware payments, a threshold that excludes 98% of Australian businesses, Nelson pointed out. Insurance rates more than doubled in 2020, causing pain for companies with limited cybersecurity budgets, but conditions have since improved. Whether that improvement lasts depends on underwriting discipline, Nelson added.
“Clients want confidence that the market knows what it’s doing when it comes to cyber insurance,” she said. “They want predictability and consistency in terms, year on year, so they can budget accordingly without surprises.”
Amos estimated that the broader economic impact of underinsurance among Australian SMEs could run to tens of billions of dollars over the long term. “The government needs to invest substantially in strengthening Australia’s national cybersecurity defenses,” she emphasized.