Is your cyber gap exposed?
Average knowledge among SMEs of the cyber threat environment, and solutions available, remains remarkably low for an area that's evolving much faster than other branches of insurance
Industry experts
Richard Smith, Blue Zebra Insurance
Lindsey Nelson, CFC Underwriting
Michael Ussher, DUAL Australia
Trevor Baldwin, Baldwin Risk Partners
Richard Smith has nearly 30 years of commercial insurance experience in both the London and Australian markets. During that time his roles have included founder and director of a specialist cyber insurance provider and chief executive of a commercial insurance broking business. He is now head of cyber at Blue Zebra, underwriting on behalf of certain underwriters at Lloyd’s.
Blue Zebra Insurance
Richard Smith
As cyber development leader, Lindsey Nelson oversees the global business development strategy across CFC’s cyber portfolio, with responsibility for key account management, underwriting strategy and providing in-depth education within the business line. She has nearly a decade of experience underwriting cyber and technology risks. Nelson is a vocal champion of women and young brokers in insurance, was recently awarded Underwriter of the Year at the Insurance Insider awards in the UK, and was named on the Insurance Business Global 100 2022 list.
CFC Underwriting
Lindsey Nelson
Michael Ussher joined DUAL in 2006 as an underwriter in Melbourne. After holding this and a senior underwriter role, he took on the position of WA manager in Perth in 2012. His role was extended in 2012 to include responsibility for the authorised representative networks across Australia, and in 2017 to include responsibility for brokers in New Zealand and the southern region of Australia. In 2018, Ussher became commercial manager – Asia Pacific and oversaw DUAL’s SME platform business, portfolio analytics and marketing/events. In September 2022, he was promoted to deputy chief executive.
DUAL Australia
Michael Ussher
“Cyber insurance, certainly in Australia, is still a bit of an immature product”
Richard Smith, Blue Zebra Insurance
“The amount of change in [policy] wordings has been much greater than for any other product in the local market”
Michael Ussher, DUAL Australia
“[Small businesses] still don’t appreciate that level of risk that they face, and many are still surprised when they see the price … even though it’s their top business risk”
Lindsey Nelson, CFC Underwriting
Cyberattacks on small businesses have increased dramatically over the last few years, but related insurance is still playing catch-up as clients and brokers underestimate the threat.
This has resulted in a gap in how cyber insurance is perceived by SMEs, in terms of what it can do for businesses even before any attack takes place, and the degree of risk involved.
At a recent Executive Insights panel on Insurance Business TV, industry experts set out their concerns and where they see the market heading in one of the fastest-evolving areas of insurance.
On the one hand, the digital evolution of both the economy and society due to the pandemic has resulted in an increasing awareness of the dangers posed by cyber and more organisations taking up related policies. On the other, many SMEs still underestimate the amount of damage that can occur and continue to consider the cyber threat as one that can be mitigated after an attack occurs.
“[Small businesses] still don't appreciate that level of risk that they face, and many are still surprised when they see the price … even though it's their top business risk,” said Nelson.
SMEs sometimes don’t want to pay for a product that only brings benefit at some unforeseen point in the future.
But cyber insurance today actually starts working for businesses from the first day they bind the policy by proactively using threat intelligence to look for signs of vulnerability or compromise, Nelson explained.
Remote working is one factor behind the higher risk.
“It has led to a greater chance of infiltration from the threat actors,” said Michael Ussher, commercial manager – Asia Pacific at DUAL Australia. Using home Wi-Fi networks or public Wi-Fi in places like cafes or hotels creates vulnerabilities.
“The amount of surface area that can happen for this infiltration has been obviously significantly greater over the last few years,” he said.
SMEs often feel that they aren’t a target due to their small size. But size is beside the point when criminals are engaging in a volumes-based attack strategy.
“Australian businesses are being attacked because they're vulnerable rather than valuable,” said Nelson.
“I think there's a miscalculation from a lot of SMEs about what it actually takes to recover from an event,” said Richard Smith, head of cyber at Blue Zebra Insurance. “The cost to recover from an event can be significant; you know, the legal costs, the forensic costs, the ransomware negotiation costs.”
Many SMEs also significantly underestimate the time it takes to recover from a cyberattack.
It is often thought that the cyber threat is only limited to certain sectors such as retail or healthcare.
“But every single business that uses a computer and has an employee has an exposure,” said Lindsey Nelson, cyber development leader at CFC Underwriting.
The great SME cyber turkey shoot
Many SMEs are blissfully unaware that the risk terrain has changed dramatically in the last three or four years. It's as if a Sunday stroller enjoying a botanical garden didn’t realise they had stumbled into the Amazonian jungle.
The latest data threat report from Thales Group showed that four in 10 Australian businesses fell victim to a cyberattack last year.
Some businesses make it incredibly easy for criminals to take advantage and infiltrate systems, so even without high-value opportunities on offer, targets are difficult to resist due to the minimal effort required.
The main cyber threats for SMEs continue to be ransomware attacks, malware and financial crime via social engineering where businesses are tricked into paying a fraudster.
Many insurance firms now ask for mitigation steps to be put in place known as minimum security controls. These consist of multifactor authentication (MFA), endpoint protection tools, and offsite and onsite backups.
“Before, we saw companies looking at insurance as their full risk-transfer solution, and now we're just getting them to meet us partway to get that bare minimum in place,” said Nelson.
CFC then monitors clients for vulnerabilities and provides them access to a security team of experts. Cyber insurance thus acts as an upfront service to stop attacks and reduce risk before anything in the policy wording is triggered. Basic training can also help reduce risk.
“The mitigation factor is significantly enhanced with staff training and manuals, which adds an extra layer [of protection] to the MFA and the email filtering programs,” said Ussher.
More importantly, not having basic mitigation in place can lead to exclusions. SME clients that purchased cyber insurance through online platforms three years ago would not have seen ransomware restrictions on their policy wordings.
“But now, if they don't have those security measures and appropriate systems in place, then they simply won't get the cover,” said Ussher.
Insurance policies for other types of threat periodically get updated to reflect changes in circumstances, but the pace of change in cyber-related policies far outstrips that in more traditional types of insurance such as house or contents.
“The amount of change in wordings has been much greater than for any other product in the local market,” said Ussher.
Cyber is for everyone
A wholesale change of attitude is needed to make risk mitigation more consistent due to the increasing frequency of attacks and the exponential levels of damage that can be done compared to just a few years ago.
“Cyber insurance, certainly in Australia, is still a bit of an immature product,” said Smith.
While ransomware is extremely common, some other types of cyber threat are still new here. These include supply chain attacks, where a service provider, often overseas, is attacked, causing a cascade of outages among client firms down the supply chain of managed service providers for such things as data storage or CRM systems.
“[In terms of] transparency for clients, this is where the brokers really need to take a strong role,” said Smith. “Clients need to be able to be educated about the cyber risk by their broker.”
This would help push the number of SMEs who hold cyber insurance over the currently low 20% mark estimated by the Insurance Council of Australia.
“A quote should be presented with every single client and explained as a proactive services-led approach that can actually work to help stop businesses from falling victim to a cyberattack in the first place,” said Nelson. “It's there to indemnify them should the worst happen after the fact, so it's working for them before, during and after an event.”
Explaining the content of a policy properly is also important.
“Making sure that [clients] understand the wording, they understand the exposures, they understand the coverage, they understand how breach response will work, so that we're providing the service that would be no different in regard to any other product ... that's the key thing that the market is facing at the moment,” said Ussher.
Without ensuring this understanding, uptake among SMEs may continue at a low level rather than increase over the next few years.
Discouragingly, some insurers have become reluctant to provide cover or have narrowed it in the face of the larger and more unpredictable risks. Premiums have increased, but this is simply a reflection of the realities of exposure that the market faces in 2022.
“The threat landscape has changed from $300 per victim to multimillions of dollars,” said Nelson.
Now that the cyber market has shifted to much more of a proactive product that involves helping policyholders to identify potential claims and vulnerabilities, problems can be fixed before they actually happen.
Continuous monitoring services are enabled by the purchase of cyber insurance preferably at one point in time at the beginning of the policy. CFC internal auditing shows that as a result of such monitoring, the company has potentially prevented 12,000 cyberattacks on policyholders around the world. Over the same time frame, it handled only 3,000 that actually became claims.
Future opportunities
The market for cyber insurance has been extremely competitive over the last two decades, but growth in the volume and gravity of cyberattacks is making insurance premiums significantly higher.
“We've had a significant correction here in Australia with pricing, so obviously everybody's hopeful that profitable portfolios can be underwritten,” said Smith.
The main challenges for the future are reducing the inherent volatility of cyber as a class of business and countering the perception gap in terms of value offered so that more SMEs prioritise cyber coverage.
Another issue is accurate pricing with so many unknowns in the equation.
“How do we price risk in a class where the historic results and the data that we have haven't always been reliable indicators of what future performance is going to look like?” said Nelson.
“There is a huge amount of opportunity for brokers though – the market is finally starting to see signs of stabilisation. Barring no major changes to the threat landscape, we're through the worst of the storm.”
Blue Zebra Insurance (BZI) is an insurtech underwriting agency catering exclusively to brokers and their clients. BZI also offers its technology platform as a service (PaaS) to selected insurance partners. The company wrote its first policy in April 2018 and offers a full suite of personal lines products, SME, commercial motor, personal accident and cyber insurance. With over 100,000 customers, Blue Zebra leverages ‘big data’ sources to assist the quote process and enhance its understanding of the underlying risk. Its small and highly empowered team deploys technology tools to streamline and automate back-end processes while delivering great service and efficiency.
DUAL Australia is a true SME insurance business with over 100,000 policies transacted annually and over 8,500 individual insurance brokers spread across the country. It has offices in Sydney, Melbourne, Perth and Brisbane, and employs more than 120 people. DUAL underwrites on behalf of a number of APRA-regulated insurers, including certain underwriters at the prestigious Lloyd’s of London established in the late 17th century. It is Lloyd’s largest intermediated coverholder in Australia. The wider group has offices in Singapore, Hong Kong, Auckland, Wellington and Christchurch.
With over 20 years’ experience, CFC Underwriting was one of the first companies to offer cyber insurance and has one of the largest cyber underwriting and in-house incident response teams in the world, bolstered by a 24/7 around-the-world claims service. CFC’s cyber insurance products and incident response services protect over 60,000 businesses in more than 60 countries.
Richard Smith has nearly 30 years of commercial insurance experience in both the London and Australian markets. During that time his roles have included founder and director of a specialist cyber insurance provider and chief executive of a commercial insurance broking business. He is now head of cyber at Blue Zebra, underwriting on behalf of certain underwriters at Lloyd’s.
Blue Zebra Insurance
Richard Smith
As cyber development leader, Lindsey Nelson oversees the global business development strategy across CFC’s cyber portfolio, with responsibility for key account management, underwriting strategy and providing in-depth education within the business line. She has nearly a decade of experience underwriting cyber and technology risks. Nelson is a vocal champion of women and young brokers in insurance, was recently awarded Underwriter of the Year at the Insurance Insider awards in the UK, and was named on the Insurance Business Global 100 2022 list.
CFC Underwriting
Lindsey Nelson
Michael Ussher joined DUAL in 2006 as an underwriter in Melbourne. After holding this and a senior underwriter role, he took on the position of WA manager in Perth in 2012. His role was extended in 2012 to include responsibility for the authorised representative networks across Australia, and in 2017 to include responsibility for brokers in New Zealand and the southern region of Australia. In 2018, Ussher became commercial manager – Asia Pacific and oversaw DUAL’s SME platform business, portfolio analytics and marketing/events. In September 2022, he was promoted to deputy chief executive.
DUAL Australia
Michael Ussher
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Tellus in penatibus condimentum malesuada ante vulputate nisi, arcu leo. Amet urna sapien purus vestibulum fermentum a. Cursus metus massa donec sed varius. Nunc enim sit morbi lacus, molestie et nunc. Nullam sed facilisi id malesuada. Ante purus velit, quam scelerisque ultrices scelerisque donec.
Velit egestas vel ornare pellentesque ridiculus. Mauris tempor augue quis mattis suspendisse feugiat commodo posuere. Faucibus massa adipiscing nullam elit, ac vel accumsan. Phasellus eget ac dignissim fermentum ac placerat elit, metus. Nulla porttitor ante egestas molestie quis quam. Pharetra magna sit mauris tellus gravida rutrum libero sit. Justo orci cras euismod proin massa lorem ut. In non tellus phasellus faucibus ullamcorper nullam odio dui et.
Baldwin Risk Partner
Trevor Baldwin
“Cyber insurance, certainly in Australia, is still a bit of an immature product”
Richard Smith,
Blue Zebra Insurance
“The amount of change in [policy] wordings has been much greater than for any other product in the local market”
Michael Ussher, DUAL Australia
“[Small businesses] still don’t appreciate that level of risk that they face, and many are still surprised when they see the price … even though it’s their top business risk”
Lindsey Nelson,
CFC Underwriting
In Partnership with
Is your cyber gap exposed?
Average knowledge among SMEs of the cyber threat environment, and solutions available, remains remarkably low for an area that's evolving much faster than other branches of insurance
Read on
Michael Ussher
DUAL Australia
Lindsey Nelson
CFC Underwriting
Richard Smith
Blue Zebra Insurance
Industry experts
CYBERATTACKS ON small businesses have increased dramatically over the last few years, but related insurance is still playing catch-up as clients and brokers underestimate the threat.
This has resulted in a gap in how cyber insurance is perceived by SMEs, in terms of what it can do for businesses even before any attack takes place, and the degree of risk involved.
At a recent Executive Insights panel on Insurance Business TV, industry experts set out their concerns and where they see the market heading for one of the fastest-evolving areas of insurance.
On the one hand, the digital evolution of both the economy and society due to the pandemic has resulted in an increasing awareness of the dangers posed by cyber and more organisations taking up related policies. On the other, many SMEs still underestimate the amount of damage that can occur and continue to consider the cyber threat as one that can be mitigated after an attack occurs.
“I think there's a miscalculation from a lot of SMEs about what it actually takes to recover from an event,” said Richard Smith, head of cyber at Blue Zebra Insurance.
“The cost to recover from an event can be significant; you know, the legal costs, the forensic costs, the ransomware negotiation costs.”
“[Small businesses] still don't appreciate that level of risk that they face, and many are still surprised when they see the price … even though it's their top business risk,”
said Nelson.
SMEs sometimes don’t want to pay for a product that only brings benefit at some unforeseen point in the future. But cyber insurance today actually starts working for businesses from the first day they bind the policy by proactively using threat intelligence to look for signs of vulnerability or compromise, Nelson explained.
Remote working is one factor behind the higher risk.
“It has led to a greater chance of infiltration from the threat actors,” said Michael Ussher, commercial manager – Asia Pacific at DUAL Australia. Using home Wi-Fi networks or public Wi-Fi in places like cafes or hotels creates vulnerabilities.
Many SMEs also significantly underestimate the time it takes to recover from a cyberattack.
It is often thought that the cyber threat is only limited to certain sectors such as retail or healthcare.
“But every single business that uses a computer and has an employee has an exposure,” said Lindsey Nelson, cyber development leader at CFC Underwriting.
The great SME cyber turkey shoot
Many SMEs are blissfully unaware that the risk terrain has changed dramatically in the last three or four years. It's as if a Sunday stroller enjoying a botanical garden didn’t realise they had stumbled into the Amazonian jungle.
The latest data threat report from Thales Group showed that four in 10 Australian businesses fell victim to a cyberattack last year.
“The amount of surface area that can happen for this infiltration has been obviously significantly greater over the last few years,” he said.
SMEs often feel that they aren’t a target due to their small size. But size is beside the point when criminals are engaging in a volumes-based attack strategy.
“Australian businesses are being attacked because they're vulnerable rather than valuable,” said Nelson.
Some businesses make it incredibly easy for criminals to take advantage and infiltrate systems, so even without high-value opportunities on offer, targets are difficult to resist due to the minimal effort required.
The main cyber threats for SMEs continue to be ransomware attacks, malware and financial crime via social engineering where businesses are tricked into paying a fraudster.
Many insurance firms now ask for mitigation steps, known as minimum security controls, to be put in place. These consist of multifactor authentication (MFA), endpoint protection tools, and offsite and onsite backups.
“Before, we saw companies looking at insurance as their full risk-transfer solution, and now we're just getting them to meet us partway to get that bare minimum in place,” said Nelson.
CFC then monitors clients for vulnerabilities and provides them access to a security team of experts. Cyber insurance thus acts as an upfront service to stop attacks and reduce risk before anything in the policy wording is triggered. Basic training can also help reduce risk.
“The mitigation factor is significantly enhanced with staff training and manuals, which adds an extra layer [of protection] to the MFA and the email filtering programs,” said Ussher.
More importantly, not having basic mitigation in place can lead to exclusions. SME clients that purchased cyber insurance through online platforms three years ago would not have seen ransomware restrictions on their policy wordings.
“But now, if they don't have those security measures and appropriate systems in place, then they simply won't get the cover,” said Ussher.
Insurance policies for other types of threat periodically get updated to reflect changes in circumstances, but the pace of change in cyber-related policies far outstrips that in more traditional types of insurance such as house or contents.
“The amount of change in wordings has been much greater than for any other product in the local market.”
Cyber is for everyone
A wholesale change of attitude is needed to make risk mitigation more consistent, given the increasing frequency of attacks and the exponential levels of damage that can be done compared to just a few years ago.
“Cyber insurance, certainly in Australia, is still a bit of an immature product,” said Smith.
While ransomware is extremely common, some other types of cyber threat are still new here. These include supply chain attacks, where a service provider, often overseas, is attacked, causing a cascade of outages among client firms down the supply chain of managed service providers for such things as data storage or CRM systems.
“[In terms of] transparency for clients, this is where the brokers really need to take a strong role,” said Smith. “Clients need to be able to be educated about the cyber risk by their broker.”
This would help push the number of SMEs who hold cyber insurance over the currently low 20% mark estimated by the Insurance Council of Australia.
Discouragingly, some insurers have become reluctant to provide cover or have narrowed it in the face of the larger and more unpredictable risks. Premiums have increased, but this is simply a reflection of the realities of exposure that the market faces in 2022.
“The threat landscape has changed from $300 per victim to multimillions of dollars,” said Nelson.
Now that the cyber market has shifted to much more of a proactive product that involves helping policyholders to identify potential claims and vulnerabilities, problems can be fixed before they actually happen.
Continuous monitoring services are enabled by the purchase of cyber insurance preferably at one point in time at the beginning of the policy. CFC internal auditing shows that as a result of such monitoring, the company has potentially prevented 12,000 cyberattacks on policyholders around the world. Over the same time frame, it handled only 3,000 that actually became claims.
Another issue is accurate pricing with so many unknowns in the equation.
“How do we price risk in a class where the historic results and the data that we have haven't always been reliable indicators of what future performance is going to look like?” said Nelson.
“There is a huge amount of opportunity for brokers though – the market is finally starting to see signs of stabilisation. Barring no major changes to the threat landscape, we're through the worst of the storm.”
Blue Zebra Insurance (BZI) is an insurtech underwriting agency catering exclusively to brokers and their clients. BZI also offers its technology platform as a service (PaaS) to selected insurance partners. The company wrote its first policy in April 2018 and offers a full suite of personal lines products, SME, commercial motor, personal accident and cyber insurance. With over 100,000 customers, Blue Zebra leverages ‘big data’ sources to assist the quote process and enhance its understanding of the underlying risk. Its small and highly empowered team deploys technology tools to streamline and automate back-end processes while delivering great service and efficiency.
DUAL Australia is a true SME insurance business with over 100,000 policies transacted annually and over 8,500 individual insurance brokers spread across the country. It has offices in Sydney, Melbourne, Perth and Brisbane, and employs more than 120 people. DUAL underwrites on behalf of a number of APRA-regulated insurers, including certain underwriters at the prestigious Lloyd’s of London established in the late 17th century. It is Lloyd’s largest intermediated coverholder in Australia. The wider group has offices in Singapore, Hong Kong, Auckland, Wellington and Christchurch.
With over 20 years’ experience, CFC Underwriting was one of the first companies to offer cyber insurance and has one of the largest cyber underwriting and in-house incident response teams in the world, bolstered by a 24/7 around-the-world claims service. CFC’s cyber insurance products and incident response services protect over 60,000 businesses in more than 60 countries.
2019–20 FY: one attack every 10 minutes; 2020–21 FY: one attack every 8 minutes (Source: ACSC Annual Cyber Threat Report)
Proportion of small businesses with cyber cover: 20% (Source: Insurance Council of Australia)
“A quote should be presented with every single client and explained as a proactive services-led approach that can actually work to help stop businesses from falling victim to a cyberattack in the first place,” said Nelson. “It's there to indemnify them should the worst happen after the fact, so it's working for them before, during and after an event.”
Explaining the content of a policy properly is also important.
“Making sure that [clients] understand the wording, they understand the exposures, they understand the coverage, they understand how breach response will work, so that we're providing the service that would be no different in regard to any other product ... that's the key thing that the market is facing at the moment,” said Ussher.
Without ensuring this understanding, uptake among SMEs may continue at a low level rather than increase over the next few years.
Future opportunities
The market for cyber insurance has been extremely competitive over the last two decades, but growth in the volume and gravity of cyberattacks is making insurance premiums significantly higher.
“We've had a significant correction here in Australia with pricing, so obviously everybody's hopeful that profitable portfolios can be underwritten,” said Smith.
The main challenges for the future are reducing the inherent volatility of cyber as a class of business and countering the perception gap in terms of value offered so that more SMEs prioritise cyber coverage.
Copyright © 2022 Key Media
