The Actuaries Institute warns that even as attacks on giant companies like Optus make the headlines, SMEs are increasingly falling victim to cybercrime.
The institute’s new green paper – Cyber Risk and the Role of Insurance – analyzes the vulnerability of organizations and the role of insurance companies in setting best practice standards for cyber resilience.
“Australians are more dependent on technology than ever before, and cybercrime has the potential to disrupt our lives and really harm us, as we’ve seen on the news recently,” lead author Win-Li Toh told InsuranceMESSAGES.com.au.
“Despite government and rising corporate spending, losses are mounting. We reported $33 billion in cybercrime losses last fiscal year, up 13% from the prior year.
“No organization is immune, and governments, businesses and insurers can no longer fight this problem in silos.”
Ms Toh says many SMEs are unaware of the risks and are therefore increasingly exposed.
“The information about cyber risks does not reach SMEs,” she told InsuranceMESSAGES.com.au.
“It’s quite a problem. We see that SMEs are increasingly becoming victims of cybercrime simply because their defenses are weaker.
“About half of SMBs spend less than $500 on cybersecurity and only 20% of them actually have cyber insurance. So this is pretty shocking.
“The government releases some really useful information, but many SMEs we spoke to don’t even know about it.”
With the increasing number and scale of attacks, insurers are becoming increasingly cautious about insuring cyber risks.
Ms Toh notes that government agencies are “a long way” from basic cybersecurity standards and many companies are also lagging behind in terms of resilience to rapidly evolving risks.
“What’s important is that good cyber hygiene and security — not insurance — is the first line of defense,” she says.
“Mitigation comes first and then a dynamic cyber insurance market will provide compensation if risks breach this first line of defense.
“What insurance companies can [also] do is really strengthen that first line of defense by sending the right signals and incentives.
“Insurers won’t cover you if your defense is poor, they charge premiums that reflect your defense and the best insurers and brokers will tell you where you’re falling short.
“Capacity returns to the market for the better risks. If companies are willing to put up their own defenses at all, insurance will be there for them.”
The report points to a “serious shortage” of skilled cybersecurity personnel.
“The global workforce needs to grow by 65% (from 4.2 million to 7 million cybersecurity professionals) to effectively protect organizations’ critical assets, with 8 out of 10 security breaches attributed to a lack of skills,” it says.
A fivefold increase in the number of students enrolled in cybersecurity courses is needed in Australia.
Other gaps that need to be addressed are limited boardroom understanding of cyber insurance, achieving sufficient capacity and profitability in the cyber insurance market, and managing accumulation risks.
Ms Toh says cyber risk is increasing at an unprecedented rate, with ransomware attacks more than tripling in two years.
“The accessibility of ransomware as a service (malware products) combined with the development of cryptocurrencies that enable untraceable payments has accelerated the growth of cyberattacks.
“This has brought more organizations of different types and sizes into the ever-expanding web of cybercriminals, to the point where it is now clear that no company is immune.
“Therefore, a dynamic and resilient risk management framework and infrastructure for cyber risks, of which insurance is a part, is crucial,” she said.