Australian small and medium enterprises (SMEs) are increasingly in the crosshairs of cybercriminals, and industry experts are calling for tougher national cybersecurity rules and clearer risk benchmarks to protect these vulnerable businesses—many of which remain uninsured and underprepared.
“The financial fallout from a single cyber event can be devastating,” said Susie Amos, principal and head of commercial lines at Finity Consulting Pty Ltd., speaking to Insurance Asia. “For an SME, in some cases, even a fraction of this cost could lead to insolvency.”
Amos believes a uniform and cost-effective certification framework would help SMEs navigate their cybersecurity needs while also signaling their readiness to insurers and customers.
“A consistent and affordable certification system would give SMEs a clear path to improvement and inform the market about their level of preparedness,” she said via Zoom.
The urgency is underscored by sobering statistics: six out of ten Australian SMEs have faced a cyberattack, with average losses hitting $32,000 (AU$50,000) for small firms and $40,320 (AU$63,000) for medium ones, according to the Australian Cyber Security Centre.
Despite these risks, many SMEs are deterred by the high price tag of cyber insurance—ranging from $448 (AU$700) to as much as $32,000 (AU$50,000) per year.
Kristine Salgado, cyber broker leader for Pacific at Marsh, said there’s a dangerous misconception among SMEs that they’re unlikely targets because they don’t manage sensitive data at scale.
“The misconception is that [cyber risk] only applies to data,” Salgado told Insurance Asia in a separate Zoom interview. “But it actually applies to system availability, the ability to conduct business using technology, and reputation.”
Lindsey Nelson, head of cyber development at CFC Underwriting Ltd., highlighted that ransomware is behind 89% of cyber-related business costs in Australia—far outpacing the global average of 71% and the US figure of 65%.
“That figure for Australian businesses is quite shocking. Australia is a heavy SME economy, and SMEs are often downstream victims of larger-scale attacks,” Nelson said.
There are currently 2.6 million SMEs in Australia, making up 97.2% of all businesses, based on Australian Bureau of Statistics data.
SMEs, lacking deep cybersecurity resources, are often quicker to pay ransoms to restore operations. This vulnerability is exacerbated by systemic risks tied to shared reliance on major service providers.
Salgado cited the recent CrowdStrike incident as a wake-up call. “The CrowdStrike incident could have triggered widespread disruption, but many companies with strong business continuity plans eased the fallout.
“That’s probably the bigger challenge for insurers: how to model those systemic losses,” she said.
The recently enacted Cyber Security Act 2024 only requires businesses with an annual turnover above $1.92 million (AU$3 million) to report ransomware attacks—excluding 98% of all Australian businesses, Nelson noted.
Back in 2020, cyber insurance rates more than doubled, straining SMEs with limited cybersecurity budgets. Though pricing has stabilised, Nelson warns that sustainable improvement hinges on strong underwriting practices.
“Clients want confidence that the market knows what it’s doing when it comes to cyber insurance,” she said. “They want predictability and consistency in terms, year on year, so they can budget accordingly without surprises.”
Looking ahead, Amos estimates the long-term economic damage from SME underinsurance could run into tens of billions of dollars.
She’s clear on what needs to happen next: “The government needs to invest substantially in strengthening Australia’s national cybersecurity defences,” she said.
