Why SMEs need to take cyber liability insurance more seriously
Do you have the budget to recover from a cyber attack? That could mean paying experts to guide you through your response to ransomware or phishing incidents, coughing up for fines to third parties, or even covering losses while data theft effectively shuts down your operations. And after all that, will you have the funds needed to sail your reputation out of the doldrums?
If the answer is yes, congratulations, but even then you probably still need cyber liability insurance.
Hackers have been picking up their game, with a cybercrime incident taking place every seven minutes on average in Australia during FY22. This is one minute faster than the year prior, and that was before the advent of ChatGPT, which may herald a new era in a shady field where the goalposts are already constantly moving.
"AI-generated content has become incredibly convincing, making the tell-tale signs of bad grammar and strange sentences in phishing emails a thing of the past," says Jane Mason (pictured), head of product, channels and risk at insurance brokerage and consultancy BizCover.
"Online black markets are abuzz with activity looking for ways around the program’s ethical guidelines to create malware code, according to recent research. This drives home the point that it’s become even more crucial for small businesses to consider ways to implement best practice cybersecurity and response plans."
Methods don't need to be that sophisticated either, with 95 per cent of cyber incidents happening due to human error. Mason says that while people make mistakes, that number is too high.
"The topic of cybersecurity conjures images of hooded people in Guy Fawkes masks feverishly punching the keyboard while Matrix-style ones and zeros fill the screen," she explains.
"In reality, many attacks occur due to simple mistakes. From losing your laptop at a café or leaving it unlocked to conducting work from public Wi-Fi, there are many simple ways hackers can access your device."
Small businesses don't usually make the news headlines when they suffer cyber incidents, but large companies such as Optus, Vodafone and Medibank (ASX: MPL) certainly do. This could give many the false impression that it is primarily major corporates that are most at risk.
"There is still a mentality with a lot of SMEs that ‘it won’t happen to me, because hackers aren’t interested in the small guys’, and it’s just not the case," says Mason.
"We’re seeing a huge influx of claims, and SMEs are often easier targets because they don’t have the in-house cyber teams, IT teams and IT security budgets that the larger companies have.
"I think there’s still a lot of awareness and education that needs to be done particularly in the SME space before we'll see the dial really shift."
She reiterates that SMEs face the same threats as large businesses but often lack the means to implement comprehensive protection, let alone the ability to handle the fallout of a cyber attack.
"Large companies employ entire IT support teams to solve the problem and hire a crisis communication team to assist with the fallout. They can employ lawyers on retainer to deal with the legal repercussions," she explains.
"For small businesses and especially sole traders it’s often just you and you alone to deal with these problems. Without a safeguard in place, it’s your time and resources.
"It can be your money and data at stake and your reputation on the line - and this can be an extremely emotional and isolating time for a small business owner to go through."
With two decades of experience in business insurance, Mason is at the forefront of the push for greater education about cyber security, although she faces an uphill battle, with the Actuaries Institute estimating only one in five SMEs have cyber liability insurance. In its green paper published in September 2022, that same institute described cyber risk as omnipresent and unpredictably dynamic, with its root causes entangled with other problems.
"For example, there are many motivators for cyber attacks, and the economics or expected payoff for cyber attackers is constantly improving," the Actuaries Institute report stated.
The report also referred to estimates from AustCyber, which forecast a need for 7,000 new cyber security professionals across all industries by 2024 to counter the growing threat; a skills drive that would require a five-fold increase in the number of students in cyber security courses.
Against this backdrop, the insurance industry more broadly has been known for presenting prospective clients with long and complicated documentation that is difficult to understand. Part of Mason's remit at BizCover has been to collaborate with three leading insurers to provide "access and simplification to SMEs" so they can be protected in this volatile landscape; a fourth will be brought into the picture later this year.
"Almost every business is at risk of a cyber-attack. For example, a hairdresser that had a $30,000 claim because their telephone system was hacked, or a mining company that had their system shut down because a disgruntled employee embedded malware," she explains.
"Most cyber policies are designed to encompass a broad range of common cyber risks and should address the main risks that threaten small businesses.
"The offerings on the BizCover platform provide extensive cover for a cyber incident."
She says each insurer has varying benefits in their policies as well as optional extensions which clients should read to understand the cover they’re purchasing. These can include contingent business interruption, relating to incidents involving the operation or security of any external systems that cause a system outage.
Others are social engineering (phishing through impersonation) and cyber fraud, which are considered more like traditional forms of fraud because they involve tricking someone into releasing money, but because these techniques are conducted over email they can form part of a cyber policy.
Cyber incidents can mean:
- Computer malicious acts: where malware invades a computer and invokes unauthorised actions within the computer.
- Privacy and network security wrongful act: a network breach which can cause a number of issues, including a breach of a business's or client's private data.
- Power failure of an electrical system controlled by the insured or even simple human error such as a lost laptop.
All the above incidents have various costs and potential associated liabilities. Mason explains cyber liability insurance can assist in the recovery through:
- Incident response: This is particularly important as it assists a business that is often not cybersafe and not aware of what actions to take in the event of a cyber-attack and how best to minimise and recover from the event.
- Defence costs to help a business defend itself in the situation where the cyber event has resulted in a liability to a third party, for example loss of third-party data or breach of privacy.
- Reimbursement for business interruption: A cyber event can cause a business to not be able to operate, for example rendering systems inaccessible and therefore causing loss of profits for the business.
- Cyber extortion damages and expenses: Increasingly hackers are attacking businesses with what is known as ‘Ransomware’ where they effectively block access to a system until a sum of money is paid. This is one of the most common risks that SMEs currently face.
- Data and system recovery costs: The costs of recovering lost data can be expensive after a cyber-attack.
The insurance expert adds that going through the process required to choose cyber liability cover has the added benefit of forcing a business to reassess its foundational risk management processes.
"For example, when an insurer answers a proposal form to get a cyber liability policy, they might ask the question: 'When receiving requests to change bank accounts, do you make sure that you verify that information?' It doesn't cost any money for a business to implement that process," Mason says.
"While we are primarily focused on small businesses getting cyber liability insurance at BizCover, we strongly encourage SMEs to adopt best practice cybersecurity practices."
The expert lists the following tips she hopes small businesses adopt:
- Updates – Ensure software updates and patches are done as soon as possible.
- Secure data encryption – Ensure that data is encrypted using an encryption code that only authorised people can access.
- Upgrade devices if the manufacturer has discontinued support for the software.
- Create a security policy that requires all devices to use a high-quality VPN and antivirus protection.
- Encourage strong password habits – To promote better cybersecurity practices, enforce strong user credentials and multi-factor authentication.
- Educate employees on security practices and how they can avoid data breaches.