Clearer cyber risk benchmarks for Australian SMEs pushed

The financial fallout from a single cyber event can be devastating.

Australia should tighten cybersecurity rules to ease the blowback from attacks especially on small and medium enterprises (SME), many of which are not insured, analysts said.

“The financial fallout from a single cyber event can be devastating,” Susie Amos, principal and head of commercial lines at Finity Consulting Pty Ltd., told Insurance Asia. “For an SME, in some cases, even a fraction of this cost could lead to insolvency.” 

A consistent and affordable certification system would give SMEs a clear path to improvement and inform the market about their level of preparedness, she said via Zoom.

Six of 10 Australian SMEs have reported having experienced a cybersecurity incident, leading to an average cost of $32,000 (AU$50,000) for small businesses and $40,320 (AU$63,000) for medium enterprises, according to the Australian Cyber Security Centre.

Amos said SMEs are burdened by cyber insurance premiums worth $448 (AU$700) to $32,000 (AU$50,000) yearly.

Kristine Salgado, cyber broker leader at Marsh & McLennan Companies, Inc., said many SMEs mistakenly think their cyber risk is low because they don’t handle large volumes of personal or health data.

“The misconception is that [cyber risk] only applies to data,” Salgado told Insurance Asia in a separate Zoom interview. “But it actually applies to system availability, the ability to conduct business using technology, and reputation.”

Lindsey Nelson, head of cyber development at CFC Underwriting Ltd., said 89% of business costs in Australia in the past 12 months were from ransomware attacks.

Globally, the figure is 71% and 65% for the US, she pointed out. “That figure for Australian businesses is quite shocking. Australia is a heavy SME economy, and SMEs are often downstream victims of larger-scale attacks.”

There were 2.6 million Aussie SMEs as of June 2024, or 97.2% of all businesses, according to data from the Australian Bureau of Statistics.

Nelson said SMEs are more likely to pay a ransom to get their business up and running.
Systemic risks due to shared reliance on major service providers present another challenge, Salgado said.

The CrowdStrike could have triggered widespread disruption, but many companies with strong business continuity plans eased the fallout. “That’s probably the bigger challenge for insurers — how to model those systemic losses,” Salgado said.

Australia’s Cyber Security Act 2024 mandates businesses with an annual turnover of $1.92m (AU$3m) to report ransomware attacks, excluding 98% of Australian businesses, Nelson pointed out.

In 2020, insurance rates more than doubled, which was painful for companies with limited cybersecurity funds, Nelson said. Whilst conditions have improved, sustainability depends on underwriting discipline, she added.

“Clients want confidence that the market knows what it’s doing when it comes to cyber insurance,” she said. “They want predictability and consistency in terms, year on year, so they can budget accordingly without surprises.”

Amos estimates that the broader economic impact of underinsurance amongst Australian SMEs could be in the tens of billions of dollars in the long term.

“The government needs to invest substantially in strengthening Australia’s national cybersecurity defences," she said.