Almost all business owners would agree it’s foolhardy to operate without insurance against threats like fire. Vast numbers of business owners, however, will happily forgo insurance against cyber crime or data breaches.

The twist, of course, is that businesses are many, many times more likely to fall victim to a cyber attack than a blaze. In fact, the risk of a damaging fire is placed at less than one in two hundred, while an estimated one in five Australian businesses is hacked every year.

Eric Lowenstein, Aon Australia’s Financial Services Group Client Manager, says there is no question that cyber cover will eventually be known as a staple necessity for clients to purchase. “Brokers absolutely must discuss cyber as a real risk with their clients. Whatever sector the clients are in, they are exposed to cyber risk. In many instances they can have greater exposure to cyber risk than traditional insurances.”

Main myths – and how to puncture them

Still in its infancy in Australia, the cyber insurance market has an estimated value of $6 to $10 million. “I would estimate that the current cyber market for Australia is approximately $10 million,” says Matthew Clarke, AIG’s Asia Pacific PI and Cyber Manager. “It was about half of that last year and we expect to see that strong growth lead to a doubling of the market size next year.”

In the USA, which has far more advanced policies, regulations and legislation around cyber risk for businesses, the cyber insurance industry is currently worth around $2 billion of written premium, Lowenstein says. So there is plenty of room for growth in the local market.

Front of mind

One of the greatest challenges is building awareness of the many dangers of cyber exposure, and the various insurance offerings to deal with such exposures, among businesses and brokers.


Nigel Phair, an Adjunct Associate Professor and the Director of the Centre for Internet Safety at the University of Canberra, says a major problem is that there are many and varied motivations for cyber criminals to ply their trade.

“What I see in the market today frightens me because it is all-pervasive,” he says. “There are very different people out there and their motivations to do things online are also different. Somebody might be a ‘hacktivist’ who just wants to get a message across by perhaps defacing a website. You also have ‘insiders’ that work for organisations. They might steal intellectual property while they are at work or when they are on their way out the door. You then have petty criminals who are just having a go to see what they can get. Then you go all the way to the high-end criminal offences by the serious, organised criminals. Finally you get into the realm of state-sponsored attack.”

These threats all exist, in the Australian context at least, in an environment in which we currently have few reliable statistics and only a very small evidence base, Phair says. Many Australian businesses that suffer from cyber crime are not even sure which law-enforcement authority to approach about it. Furthermore, in many cases, there is no legal requirement obliging the business to tell anybody about it and so, for obvious reasons, many simply don’t.


“It is logical that the more time we spend online and the more that organisations do online, the pickings become richer and the cyber crime increases. That is what we are seeing,” Phair says.

“It is not just about credit card theft. If you are about to go overseas on a trade mission and you have a specific negotiating position and somebody else can find out your position before you go into the meeting, that information is extremely valuable. And if something has value, somebody will likely find a way to steal it.”

The questions brokers need to be asking

How do you go about figuring out a client’s level of cyber risk and then advising them on the best possible solutions? First, accept that every single one of your clients faces significant cyber risk. Then it’s a matter of figuring out what that risk looks like and what damage it might cause the business.


Aon’s Eric Lowenstein says running workshops with clients will help figure out their exposures. A good way to illustrate the real dangers, he says, is to go through a process of figuring out the real dollar costs of various types of cyber crime on the client company.

Matthew Clarke, AIG’s Asia Pacific PI and Cyber Manager, recommends that brokers begin with a basic series of questions that include:

  • What types of data do you hold?
  • Where is this data stored?
  • Who has access to it?
  • What security is in place to protect it?
  • How will your business operate if you cannot access your data?
  • What steps are in place to restore lost data following a cyber attack?
  • Does your business continuity plan address cyber threats, or just physical threats?

Work forwards from here, including researching specific types of threats prevalent within particular industry groups, to put together a solution that fills the exposure gaps.