Cyber insurance not ideal for small businesses
Getting cyber insurance is more beneficial to larger companies than smaller ones.
Cyber insurance is not suitable for small businesses where there is little to no risk of cyber security incidents occurring, according to Jay Jeong, Senior Research Fellow at Deakin University.
Jeong pointed out that cyber insurance should serve as a safety net for residual risks unaddressed by a company's cybersecurity measures, suggesting that larger organisations in sectors like health, defence, and finance could benefit most from what cyber insurance has to offer.
“The industries and the businesses that cyber insurance would be more beneficial for are those with higher levels of risk that they cannot foresee or control using their own cybersecurity policies or mechanisms that they have in house or through third party service providers,” he said.
He explained that smaller entities might over-rely on insurance to mitigate all cyber risks. In contrast, industries with higher unpredictability and risk would find cyber insurance more beneficial due to the sheer scale and complexity of their digital environments.
Jeong stressed the importance of evaluating and assessing relevant cyber risks, and ensuring robust internal cybersecurity initiatives are in place. He addressed a common misconception that having cyber insurance in place justifies spending less on cybersecurity.
“I reemphasize that you must have your own initiatives in place. Because cyber insurance is only picking up the residual risk. One of the misperceptions and misconceptions that a lot of businesses have is that because we have cyber insurance, we can spend less on our cybersecurity incidents and policies,” he said.
In terms of staying up-to-date with cyber insurance strategies to combat emerging risks, Jeong emphasised the global shortage of skilled cybersecurity professionals. He recommended partnerships with governmental and non-profit organisations for access to resources and guidelines on emerging cyber threats.
“There's a real lack of skill shortage in the cybersecurity sector, not just in Australia, but globally, as well,” he said. “To stay on top of emerging risks and vulnerabilities, there are a couple of things that organisations can do, who are struggling with resource constraints. One is to work alongside any government or any non for profit organisations that are out there.”
Additionally, he highlighted the significance of individual responsibility, noting that “around 80% of all cyber incidents have occurred due to human error.”
Before approaching cyber insurance providers, Jeong suggested organisations should evaluate the potential financial impacts of cyber threats, predict future incidents, understand the efficacy of their risk management, and have a comprehensive assessment of digital asset values, including data.
He said that the interplay between broader cybersecurity strategies and cyber insurance is delicate, stressing that investing in cybersecurity measures and relying on insurance to manage cyber risks must be balanced.