The Evolving Landscape of Cyber Risk and Insurance

Sarah Morrison
November 29, 2024

Cyber Risk and Insurance

Last week, I attended a cyber seminar focused on equipping brokers and organisations with the knowledge and tools to navigate the challenges of cyber risk management and insurance. Not the normal conference I would attend, but with so many of Morrisec’s clients struggling with their cyber-insurance journey, the conference occurred at an opportune time. Did the conference answer all my questions and my clients’ questions? No… but the discussions did shed light on accountability, the rising costs of cyber insurance, and emerging solutions for SMBs, while emphasising resilience in the face of evolving threats.

ASIC’s Role in Director Accountability for Cyber Risk

One of the key themes was ASIC’s increasing scrutiny of directors in the context of cyber security. Under its regulatory spotlight, ASIC is reinforcing the message that directors have a responsibility to manage cyber risk as part of their corporate governance duties. Neglecting this could result in significant legal and financial consequences. This shift aims to drive a cultural change in organisations, ensuring that cyber security is prioritised at the board level rather than being relegated to IT departments.

Directors must ensure their organisations have adequate cyber resilience strategies, including risk assessments, incident response plans, and employee awareness programs. This increased accountability could lead to better preparedness across industries.

Challenges with Cyber Insurance: Accessibility and Costs

A major point that would have hit home for many SMBs is the prohibitive cost of cyber insurance. With limited competition in the market, premiums remain out of reach for many smaller organisations. This is leading to a growing number of companies forgoing insurance altogether, exposing themselves to significant risks.

The Australian Actuaries Institute’s Cyber Risk Green Paper, a paper recommended by one of the speakers (and one of its authors), explores this issue in depth, noting that the high premiums reflect the difficulty insurers face in accurately pricing cyber risks due to evolving threat landscapes. The paper also identifies systemic risks, such as widespread ransomware attacks, that can lead to significant losses across multiple organisations, further driving up costs.

A second paper that was recommended and referenced was the Cyber Protection Gap Widens for SMEs report which identifies a stark disparity in cyber insurance uptake. While larger businesses often have the resources to invest in insurance and security measures, SMEs struggle to justify the expense. This gap leaves smaller organisations particularly vulnerable, as they are often prime targets for threat actors due to their limited defences.

If you have time, I recommend reading both!

Emerging Solutions for SMBs

Despite these challenges, the seminar showcased emerging insurance options tailored to SMBs. Insurers like Ocean Underwriting, Cylo, and Arch Insurance are developing solutions designed to address the unique needs of smaller businesses. These offerings aim to strike a balance between affordability and comprehensive coverage, making cyber insurance more accessible to a broader audience.

Coalition, a key sponsor of the event, presented their innovative approach, combining traditional insurance with proactive cyber risk management tools. Their platform offers real-time threat monitoring and actionable insights to help businesses prevent incidents before they occur. This proactive model represents a shift in the industry, blending insurance with prevention to minimise claims and enhance customer value. Coalition, from what I understand from their presentation, scans your company externally for issues and reports back to you anything that may need fixing. You can also subscribe to internal scans, but these are at an additional cost. Someone in the audience did ask the presenters if the product was like UpGuard, and they were quick to answer ‘no’. I did ask a plethora of questions via the online question app regarding the technology and how it worked; however, the responses were very vague and did not go into any detail. I do know, however, that you can sign up for a free scan to check your overall hygiene, so to speak – so if anyone does do this, please let me know what you get back, as I am curious to learn more.

Cyber Insurance Uptake: A Stark Divide

One of the most striking statistics shared during the seminar was the disparity in cyber insurance adoption. While 70% of large organisations have cyber insurance, fewer than 20% of SMBs have coverage. This highlights a significant protection gap, leaving smaller businesses exposed to potentially devastating financial and reputational losses. Having said this, before you run off and purchase insurance, you need to work out what you are trying to protect, and its value to you as a business.

Building Resilience in the Cyber Protection Gap

The seminar concluded with a critical discussion on resilience and the urgent need to address the widening cyber protection gap. Building resilience requires collaboration across businesses, insurers, and government to create a unified front against escalating cyber threats.

Resilience in this context extends beyond response and recovery; it involves fostering a proactive, comprehensive approach to reducing risks, minimising impacts, and ensuring continuity. Expanding affordable and practical insurance options for SMEs is essential. Insurers must develop innovative products that meet the unique needs of smaller businesses while balancing cost and coverage. This can be supported by government incentives or partnerships to reduce financial barriers for vulnerable organisations.

Collaboration between businesses and government is critical to closing the cyber protection gap. Governments must play a role in fostering resilience by providing resources, frameworks, and incentives for organisations to adopt robust security measures. Public-private partnerships can help share intelligence, improve threat detection, and ensure a coordinated response to cyber incidents.

Resilience begins with awareness and preparedness at all levels. Organisations need to invest in employee training to build cyber awareness, establish robust incident response plans, and conduct regular security assessments. Governments can support these efforts by developing national awareness campaigns and funding initiatives to help smaller businesses strengthen their defences. I am hesitant to say it, but the government also needs to provide investigative assistance. I know there is a fine line between government help and government overstep, but this may be a necessity going forward for businesses that need it, especially with incident response costing so much.

The last thing I will say on resilience is that it is not a one-size-fits-all solution but a multi-faceted framework that must be tailored to the unique needs of each organisation and industry. By fostering collaboration between businesses and government, enhancing insurance accessibility, and driving innovation, we can begin to close the cyber protection gap and build a more secure and resilient future for organisations of all sizes.

Conclusion

So, what did I learn? An excellent question, and one that I cannot answer easily. Cyber insurance is a must for any business that holds any form of PII; however, it is not always affordable. This issue will continue to be a problem until there is more competition in the market. There are a few new insurance companies popping up in the market which seem to be more competitive for smaller businesses. However, I am not qualified in this area, and you need to do your research to decide which one is right for you. I guess the best advice I can give you is to shop around, compare the market, and try to reduce costs by implementing basic security controls, like Multi-factor Authentication (MFA).

Sales pitch here: If you need help on where to begin with your cyber security journey, give me a shout. This also goes out to anyone in the insurance industry looking for experts to speak to their customers – we are always happy to talk cyber and what the first steps are in helping to implement a strategy that just may reduce your premiums 😉

Sarah Morrison

Sarah is the Co-CEO of Morrisec. With over 20 years in cybersecurity and a PhD in Russian information operations, Sarah has a deep understanding of threat actors and their tactics and motivations, making her highly equipped to assist organisations in their defence against them.
