
Vol 48 Issue 1
In short
- A recent Australian Actuaries Institute paper found that while larger businesses are now taking cyberthreats seriously, relatively few Australian SMEs are doing likewise.
- Even when SME owners are conscious of the potentially existential threat of a cyber attack, they’ve been reluctant to purchase policies they can’t easily understand and fear they might struggle to afford.
- Both insurers and governments have a role to play, chiefly by raising awareness, providing training and creating a broader range of user-friendly cover.
In 2022, the Actuaries Institute of Australia analysed the cyber vulnerabilities of big, mid-sized and small Australian businesses. It found there was room for improvement all round.
At about the same time the green paper was released, two massive data and privacy breaches made headlines around the country.
First, there was the cyber attack on Australian telecommunications company Optus in September 2022 that compromised the personal data of millions of customers.
The following month, Australia’s private health insurer Medibank revealed it had experienced a similar breach, with hackers gaining sensitive, private details of 9.7 million Australians.
Win-Li Toh is president of the Actuaries Institute and lead author of Cyber Protection Gap Widens for SMEs, which was released in late 2024. Following up on the 2022 paper, Toh found larger organisations had upped their game, but small to medium-sized enterprises (SMEs) remained poorly protected and alarmingly uninsured.
“The Optus and Medibank breaches in Australia, and the Waikato District Health Board ransomware attack in 2021, concentrated the minds of board members and C-suiters in this part of the world,” says Toh. “But these well-publicised incidents only seem to confirm SME owners’ mistaken belief that hackers mainly target large organisations.”
The lurking threat
Toh notes that while they rarely attract media attention, attacks on SMEs are common.
“Hackers target SMEs about 40 per cent of the time,” she says. “Cybercriminals would prefer to breach a bank’s defences rather than a butcher’s, but large financial institutions have industry-leading cyber defences and SMEs don’t.”
While SMEs must do their part, Toh argues it’s unrealistic to expect resource-constrained businesses to address the cyber protection gap without external assistance.
“SMEs have gone through a pandemic, a cost-of-living crisis, and are now navigating significant geopolitical and economic uncertainty,” she says.
“If a small business isn’t breaking even — and almost half of the Australian ones weren’t when I was doing my research — you can’t expect its owner to be worrying about cybersecurity.”
The global state of play
Australia and New Zealand are cybersecurity laggards. By Toh’s calculations, only 10–25 per cent of Australian SMEs and 8–10 per cent of New Zealand SMEs have cyber insurance. It’s about 40 per cent in the United States.
Dinesh Murali, director and general manager of Delta Insurance New Zealand, says the downside of living in a high-trust society is that businesses don’t assume cybercriminals are targeting them, or that they could face serious repercussions in a worst-case scenario.
He also notes that SMEs often assume their managed service provider (MSP) will look after their cybersecurity. However, this is frequently not the case.
And, if a cyber event happens — even one that would seem to be the responsibility of the cybersecurity provider — there are usually contractual limitations that may prevent recovery of losses from the MSP.
“Cyber is still a growing market here; there were only a couple of insurers offering cyber cover in New Zealand a decade ago,” says Murali.
“The American market is significantly more mature, driven by a highly litigious environment. US regulators have created a framework that incentivises businesses to take cybersecurity seriously.”
Slow improvements
While their initiatives have so far only met with modest success, APAC governments have been encouraging SMEs to get with the cybersecurity program.
For example, a Cyber Wardens initiative was announced in Australia’s 2023-24 federal budget. It aims to provide government-funded online training to SME owners and staff.
Toh says this is a promising start, but she notes: “There are 2.5 million Aussie SMEs. Cyber Wardens has funding to provide training to 15,000 of them.”
New Zealand launched a similar Own Your Online initiative in 2023. It’s also had various iterations of a Cybersecurity Awareness Week since 2012.
Tom Roberts, team lead for threat and incident response at New Zealand’s National Cyber Security Centre (NCSC), wishes SMEs were doing more, but he’s optimistic that progress is being made.
“It’s difficult to quantify results,” he says. “However, the educational videos have been viewed many thousands of times, and market research suggests they’ve successfully raised awareness and educated New Zealanders.
“We always make our educational resources as straightforward and practical as possible for time-poor business owners.”
Roberts also argues vendors should be doing more. “The NCSC is a strong proponent of ‘secure by design’. That means devices should be secure from the get-go. After all, people don’t expect to pay extra for seatbelts when buying a car.”
What insurers can do
Unfortunately, there is only so much that awareness campaigns and online training can achieve. In Australia and New Zealand, and even in parts of the APAC region with a reputation for being at the cutting edge of the digital economy, secure-by-design technologies remain the exception rather than the rule.
Insurers will likely need to redouble their efforts to warn SME clients about cybersecurity threats and provide them with appealing options.
“The New Zealand market is rapidly maturing,” says Murali. “Local SMEs now have a significantly broader selection of affordable, appropriate and comprehensible policy options. That’s something brokers might want to make clear to their SME clients, especially if they’ve had frustrating experiences in the past.”
Murali’s colleague Sebastian Phua, Delta’s head of Distribution and Marketing in Singapore, notes that while the regulatory regime is more rigorous in his market and incentivises taking out cover, getting SMEs to invest in cyber insurance is still challenging.
Around two-thirds of Singaporean SMEs remain uninsured. Delta’s response, Phua explains, has focused on removing friction from the application process and providing reassuring and timely customer service.
“We have a streamlined application process for SMEs to readily take up cover,” he says.
“Responsiveness is also key. SMEs expect a prompt and agile service, especially when it comes to claims handling.”
Phua says a short, simple application process is just the start. Insurers targeting SMEs with cyber cover should also provide easy-to-understand policy wording. On top of that, he notes, “Delta has found SMEs want a competitive offer and a low policy excess”.
Changing needs
Phua also warns that policyholder needs can change overnight. “The cyber landscape is complex and fast-moving,” he says. “Wherever they’re based, insurers must recognise that and provide competitive, fit-for-purpose products.”
Toh is all for insurers making their application process as straightforward as possible but warns trade-offs are inevitable. “A one-size-fits-all policy lends itself to a quick and simple application process,” she says, “but such policies tend to penalise SMEs doing the right thing and reward those that aren’t.”
Toh points to a different scenario in the US, where, she says, SMEs take cybersecurity seriously.
“Firstly, they’re more likely to be fined or sued than their APAC counterparts and, secondly, larger American businesses will often only allow SMEs into their supply chain if they provide proof of solid cyber defences,” she explains.
“I’d imagine SMEs in this region, particularly New Zealand, will come under more pressure from governments and corporate clients to get their house in order.”
Smoothing the cybersecurity pathway for SMEs
The paradox of SME cybersecurity is that most SME owners have directly experienced a cyber incident, or at least know another business owner who has, yet remain convinced they have little to worry about.
Accordingly, Actuaries Institute president Win-Li Toh and Delta Insurance New Zealand’s Dinesh Murali suggest brokers take a patient, soft-sell approach to getting their SME clients over the line. “People are moved by stories, not statistics,” Toh notes.
“My advice would be to share stories about the trouble poorly defended and uninsured SMEs have found themselves in after a breach. That will likely be more effective than endlessly quoting figures about the prevalence of attacks or the average cost of a breach.”
Murali suggests brokers start by encouraging clients to bolster their cyber defences and introduce the coverage discussion later.
“There’s usually lots of low-hanging fruit with SMEs, many of which haven’t even introduced things like multifactor authentication,” he observes.
“If brokers can help their clients put the fundamentals in place, they’ll be well placed to discuss taking the logical next step — investing in cyber insurance.”
Writer’s insight
“As a tech writer, I never cease to be amazed at how common it is for people to think cybercrime is a serious threat while simultaneously believing it won’t happen to them. It’s a contradiction that can have dire consequences for those with their head in the sand.”