72 hours.

That’s how long you’ve just been given to pay a $10,000 ransom to Russian hackers who have stopped your business dead in its tracks.

Your customers’ privacy and accounts have been compromised, your website has been shut down, and the reputation you’ve worked so hard to build is about to come crashing down.

So who do you turn to?

Chances are, if you don’t have a cyber insurance policy in place, you’d have no idea, according to Emily Winwood, Commercial Manager at DUAL Australia.

“Do you go to the police? 99% of the time cyber victims don’t know who to contact,” she says. “That’s the benefit of buying one of these policies: you have a team of privacy experts, IT forensic investigators and specialist consultants who will actually negotiate with hackers who are demanding ransom payments.”

Outlining scenarios like the above is the best way for brokers to jolt their clients into understanding that cybercrime is not some futuristic problem that they’ll never encounter. It’s happening to SMEs all around Australia right now.

Australia saw a whopping 109% rise in cybercrime incidents last year, according to a PwC survey of 127 nations.

“It’s a huge risk that has a bigger probability than an office being burnt down by a fire – which everyone insures for,” says Lynette Walsh, Arthur J. Gallagher’s Branch Manager, Sydney Commercial.

“Being able to share a real story of another client who has gone through a cyber loss really helps put them in the shoes of that client.”

One of the big problems facing the cyber insurance market is the accuracy of statistics, because there are currently no mandatory data breach notification laws. The Federal Government has proposed them, however, and their implementation would spell good news for brokers.

“When we see mandatory data breach notification laws introduced, we’ll be able to get some real data and we’ll really be able to see the cost to Australian business,” says Walsh. “That’s when we’ll be able to support our conversations with real statistics.”

James Crowther, Cyber Portfolio Manager for London Australia Underwriting (LAUW), adds it’s important that brokers bring themselves up to date with these potential law changes as they pose a huge risk to businesses.

“It will mean that their reputation may be on the line, because no longer can they brush these data breaches under the carpet,” he says.

HOW BIG IS THE RISK TO SMES?

The data breach statistics we do already have paint a worrying picture for SMEs. The Australian Government estimates almost 700,000 businesses (33%) have experienced a cybercrime. Small to medium-sized businesses were targeted 60% of the time, with the average cybercrime attack costing more than $275,000.

And while the global average increase in cyber attacks was 38% last year, Australia saw a whopping 109% rise in incidents, according to a 2016 PwC survey of 127 nations.

“We’re a legitimate economic crime hotspot – it’s not a good picture,” says PwC Partner and Forensic Services Leader, Malcolm Shackell.

While that might be a gloomy prospect, it provides a “phenomenal opportunity” for brokers, says DUAL’s Emily Winwood.

“There’s about 2.1 million companies in Australia, and the estimates are that less than 2% buy cyber insurance,” she says.

Despite this, brokers and their clients often remain seriously underprepared.

“Many small businesses often believe they’re too small to be the target of a cyber attack,” says Najibi Bisso, National Commercial Manager, CGU Professional Risks. “But no matter how big or small they are, if they have a digital footprint they are potentially exposed.”

Winwood says SMEs are such a juicy target for cyber criminals because they’re lacking in awareness.

“If you start working for a big international company, you’re more likely to get training about IT policies and procedures, including what emails not to open,” she says.

“Whereas if you’re an SME, chances are you outsource your IT, and you may not be across all the ins and outs of how everything works and what you are and aren’t protected against.”

Troy Filipcevic, Managing Director of Emergence Insurance, agrees. He says human error is often the biggest risk SMEs face.

“Their own employees can bring the business undone,” Filipcevic says. “There has been an increase in phishing email activity and more businesses being impacted by ransomware and viruses such as CryptoLocker.”

A notorious ransomware trojan, CryptoLocker is propagated via infected email attachments. All it takes is one staff member clicking open a suspicious-looking file, and a business’s file network becomes compromised.

That’s usually when a business will get a notice advising they have 72 hours to pay a ransom, which will only increase if they fail to pay.

“But there is no guarantee you’ll get what they’re promising,” warns Winwood. “Sometimes they do, sometimes they don’t. It really just depends on the individual circumstances.”

COVERING YOUR BACK

Paying up in the hope the hackers will keep their word isn’t, of course, the only option. Those who take out a good cybercrime policy will usually be advised of the best way to back up files, and a specialist IT team will come in to restore those files if needed, which can take anywhere between three days and a few weeks.

With that kind of time frame in mind, it’s important to look at what a good cyber policy for SME owners should cover.

DUAL’s Emily Winwood says businesses need to be covered for three elements: first party cover; third party cover; and business interruption.

“The first party element covers you for your own costs, for example, if you had to repair or restore your IT system,” she says.

“For third party cover, say your systems are breached and private information gets out in the public domain, it would cover you if one of your clients sues you for breach of privacy.”

James Crowther, of LAUW, adds that a good SME policy should have an incident response team available.

“That incident response team is critical in order to ensure that within the first 24 hours after a breach, the situation is managed as efficiently as possible to prevent any further loss or damage,” he says.

There has also been the recent emergence of embedded cyber policy extensions on top of existing products, such as IT, Professional Indemnity or Management Liability policies. But it’s not something Emergence Insurance’s Troy Filipcevic recommends.

“Brokers should not be offering what we call ‘cyber lite’,” he says. “These policies can provide inadequate protection, if any at all. Our view is that brokers should be offering standalone products only.”

On the other hand, Winwood argues that cyber extensions can act as important gateway policies for brokers.

“We started offering this two or three years ago and we’ve sold it to a lot of our existing policyholders,” she says. “What we have seen is that in the second or third year, the clients who originally bought a cyber extension, which is $200, are starting to buy a $550 standalone policy.”

Winwood says that while underwriters need to “constantly tweak the dials” on their policy coverage, they have no trouble keeping up with what’s happening.

“The cyber exposures do change. And it is a rapidly moving space, but it’s not that rapid in the sense that malware and viruses have actually been around for a very long time,” she explains.

And while uptake among SMEs may still be low, underwriters know this product will only become more vital as business is increasingly conducted online.

“It’s been our fastest growing product line so this is a huge opportunity for brokers to educate their clients,” says Winwood.

“Everybody uses a computer. Everybody uses the internet. Everybody uses email. So everybody has cyber exposure.”