“There are a myriad of reasons why people aren't taking out the coverage but I think the big one comes back to education of clients,” said Matthew Bates (pictured above), managing director of Bell Partners Insurance and one of the Best Insurance Brokers in Australia.
Industry data demonstrates that in Australia, many businesses, particularly SMEs, are reluctant to pay for cyber insurance and many don’t have any coverage. This is despite ongoing cyber attacks on all types of business and concerted government efforts to improve Australia’s cyber defences.
Bates, who runs a 10-person Sydney brokerage, suggested to Insurance Business that education could be the best way to turn this trend around.
“It’s about making them aware of what cover is available under a cyber liability or cyber event insurance policy and, just as much, making them aware of the risk mitigation that they could put in place,” he said.
Bates said when clients choose not to take out a cyber policy, he still likes to educate them about mitigation and prevention.
“Things like multifactor authentication on their devices and dual verification of any payment made to vendors, suppliers, or employees, are two examples of education that we're providing to our clients should they choose not to take out a policy,” he said. “But every year we inform our clients of changes or case studies around claims as reasons why they should consider it [cyber coverage] in their programs.”
As a result of these cyber education efforts, Bates said many of his SME clients have listened and now have some form of cyber coverage.
“Our penetration rates are sound, I'm not going to say great, probably not even good, because I think there's still a lot of work to be done as an industry around educating clients,” he said.
IB asked the Sydney broker what reasons customers give him when they turn down cyber cover.
“We're hearing cost is certainly a barrier to entry, especially as cyber premiums have certainly moved north, year in year out,” he said. “We're also hearing from businesses that they’ve got an IT vendor that looks after their IT and a ‘She'll be right’ sort of attitude.”
Other clients say a cyber incident that impacted their laptop wouldn’t interrupt or cause losses to the business.
“In their eyes, they might not be sitting on a lot of data and don't have any e-commerce side to the business,” Bates said. “So they're not seeing the loss as badly as a 90% online ecommerce business that has systems that could be crippled by a cyber attack.”
The broker said these views underline the importance of education.
Despite the cost of cover, Bates suggested that it is possible for many SMEs to find affordable cyber coverage, especially smaller businesses in a relatively generic industry. He said cafes, restaurants, real estate businesses and the hospitality industry generally should be able to find relatively cost effective cyber insurance.
However, for certain businesses, affordable cyber covers can be harder to find.
“Where it gets tricky is around high data firms such as accounts, legal practices, healthcare – it generally all depends on the value of the data,” Bates said.
Despite the cost challenges, he said among his brokerage’s clients, from micro-SMEs up to mid-market clients, there are a number of different offerings out there and with a “big spread of premiums costs.”
“I'd like to summarize my answer by saying, if we've given good advice to the client around what the policy is covering, a number of our clients are taking that advice and accepting a cyber policy in their programs,” he said.
In a recent interview with IB, Anthony Di Fiore, a broker with Adroit Insurance and Risk, said the best cyber protections come from the “broadest coverage possible.”
However, the Victorian cyber specialist said even the best prevention-focused cyber insurance may not stop all attacks. Di Fiore shared useful broker tips to help clients navigate the situation when a threat actor makes it through the defences.
“Some clients make the mistake of having their incident response plan saved on their computer - which they then can't access when a breach occurs,” he said. “Also, check your response plan to make sure that when an event occurs, that you actually are prepared, the right people are being contacted and that you can actually access the response plan itself.
Are you a broker? What challenges do you face in the cyber insurance market? Please tell us below