For brokers, the challenge is familiar: how do you convince small businesses to buy cyber insurance? According to CFC Underwriting, a specialist cyber insurer, only about 10% of SMEs in Australia buy this coverage. That low number – less than some industry estimates – hasn’t budged for years.
At a webinar for Aussie brokers this week, Philippa Davis, CFC’s international cyber team leader, responsible for Australia, contrasted this statistic with another well-known industry mantra: cyber is the top threat facing businesses today.
According to some brokers, the expense of cyber coverage and the mistaken perception that the chances of being attacked are relatively low convince many SMEs not to bother with it.
Davis suggested that brokers need to continue their efforts to educate SME customers about the reality.
One important fact, she said, is that SMEs often don’t fully realize how devastatingly expensive a cyber attack can be.
“They [SMEs] only tend to think about cyber risk and exposure after an incident actually happened,” said Davis. “If we think about the cost of a cyber attack, it goes far beyond the initial incident.”
The costs, she said, can include ransom payments, legal fees, system repairs and business interruption.
“Those financial burdens can cripple a business and drain resources,” said Davis.
She said industry figures show that 60% of SMEs without a cyber policy shut down their business within six months of suffering an incident.
Another important corrective a broker could offer SME customers:
“They think that they're too small to be targeted, which is definitely not true,” said Davis.
She quoted Verizon data that showed nearly two-thirds of SMEs have experienced a cyber attack.
“They tend to be seen as low-hanging fruit by threat actors,” said Davis. “They've got varying cybersecurity levels, they tend to be less prepared and they have fewer resources.”
Another cyber challenge for many generalist brokers in the SME space is knowledge. During the webinar, Davis provided a useful shortlist of questions that brokers should ask their cyber insurance providers.
Davis said some insurers in Australia, rather than provide 24/7 protection, simply run a vulnerability scan prior to binding and then again at renewal.
She said asking whether the cyber service is in-house or outsourced is “a really critical question.”
“There's still a large number of carriers in Australia that use outsource providers and it's very hard, really, to have any oversight on SLAs [service level agreements] and ensuring that the expectations do align with reality.”
The size and experience of the insurer’s cyber team is also important, she said.
“How long have they been negotiating ransom demands? Do they have access to Bitcoin? What does the panel of providers look like and are they experts in the space?” Davis said.
Checking the policy wording is also essential. Big variations in policy language across the cyber market, she said, can make or break a claim when an event strikes.
CFC has written cyber insurance in Australia for 20 years and has about 80,000 cyber insureds globally. The result is a detailed set of claims data that can show exactly what threats businesses Down Under are facing.
“You'll see that theft of funds and data breaches are our most frequent types of claims in Australia,” said Davis. “Interestingly, ransomware is only 14% of our claims by frequency.”
However, in terms of severity, she said ransomware attacks are responsible for nearly 90% of CFC’s incurred losses.
“That's a result of multiple things including the business interruption loss, the forensic work and the extortion demand,” said Davis.
Davis said cyber claims data hasn’t changed much for several years. However, there are emerging threats like the use of artificial intelligence (AI) and more sophisticated phishing attacks.
“But ransomware has always been a problem and it's not going away,” she said.
Davis presented the webinar with Jason Hart, the firm’s head of proactive cyber. According to his CFC bio, Hart founded one of the UK’s first ethical hacking companies, WhiteHat Security.