Standardised certification should be introduced to help small businesses demonstrate their cyber preparedness, the Actuaries Institute says in a new paper. 

The standard could become mandatory in order to hold cyber insurance or sign contracts with government, according to report co-author and Taylor Fry principal Win-Li Toh.  

Cyber Security Certification Australia, a joint industry and government initiative, already offers an annually updated certifiable standard, and the report says this should be adopted as the industry norm.

It would make it easy for SMEs to show they take cybersecurity seriously and would be in line with similar systems such as the Green Star buildings rating program, Ms Toh says.

Win-Li Toh is the opening speaker at the upcoming Insurance News cyber seminar to be held in Sydney on November 21. In person and live-stream tickets are available here.

The report warns small businesses risk being left behind in cyberattack prevention efforts unless they receive more help from insurers, tech providers and government.

While a series of cyberattacks over the past two years was a “stark wake-up call” for corporate Australia to strengthen cybersecurity, most of the nation’s 3 million SMEs have not followed suit, according to Ms Toh.

Real estate agents, mortgage brokers, doctors’ practices and pharmacists often hold sensitive and personal information, and a cyberattack could have a major impact.

“They shouldn’t be dependent on luck to protect them from a cyberattack – they need to depend on knowledge, good cyber hygiene and robust cyber defences,” the report says.  

“We’d like to see industry, insurance companies and governments work together to ensure SMEs are protected and have practical, cost-efficient means to strengthen their cyber defences and ability to respond.”

The number of reported cybercrimes in Australia hit 94,000 in the year to June 2023, with the average cost for a small business at $46,000. Despite the threat, the report says cyber insurance is still relatively uncommon among SMEs, with estimates for coverage ranging from about 10%-25%.

The cost and complexity of cyber insurance is a significant barrier for many SMEs, says Ms Toh, the incoming Actuaries Institute president.

“SMEs often haven’t had the bandwidth or opportunity to really understand and tackle the risks. They’re daunted by the technical jargon and don’t know where to start with implementing cybersecurity measures. They don’t realise a serious cyber incident could cause their business to collapse.”

Cyber insurance policy pricing starts at about $700 a year for a sole trader and can pass $50,000 for a medium-size business. More than 10 insurers and underwriting agencies, several backed by Lloyd’s, offer cyber insurance to Australian SMEs.

The market’s annual gross written premium is estimated at about $600 million, compared with $16 billion for home cover.  

“Cyber insurance is still a relatively new product. The cyber market is growing but still only comprises a very small proportion of the Australian insurance industry,” the report says.

“One industry stakeholder we spoke with believes cyber insurance is today where management liability was 15 to 20 years ago – difficult to sell, but common practice. They thought cyber insurance must similarly ‘earn its stripes’ to gain credibility.”

The report says many SMEs are unaware of the benefits, and while brokers have upskilled rapidly in recent years, one-on-one client conversations explaining how the insurance works are limited.

Small businesses employ 5.1 million Australians and 42% of all apprentices and trainees.