SME cyber insurance on the rise: Attacks, regulations and contracts fuel growth

The landscape of cyber insurance for small and medium-sized enterprises (SMEs) could be shifting rapidly. According to a recent BizCover report, cyber insurance uptake among SMEs has increased by an impressive 50% over the past year. This surge marks a potential inflection point for brokers and the wider insurance industry, challenging the long-standing perception that SMEs are slow to adopt cyber cover.

For years, brokers and cyber risk analysts have expressed frustration at the persistent reluctance of SMEs to purchase cyber insurance, often citing cost concerns, perceived complexity and a lack of awareness about cyber threats. However, the latest data suggests that this inertia is fading. In fact, a recent study by Astra Security Blog found that over 50% of cyber insurance claims now originate from SMEs, highlighting not only increased uptake but also a growing exposure to cyber risk among smaller businesses.

Industry data underscores the urgency behind this trend. The Australian Cyber Security Centre (ACSC) reported a 23% increase in cybercrime reports in 2023, with SMEs representing a significant proportion of victims. Furthermore, some sources indicate that SMEs have experienced a 40% rise in ransomware attacks and a 56% increase in fund transfer fraud incidents over the past year. These statistics are a stark reminder that cybercriminals are increasingly targeting smaller organisations, often due to their perceived weaker security postures.

But brokers in Australia and New Zealand and say there are two other key drivers pushing SMEs to take out cover. One of them is cyber regulations.

New legislation is pushing more firms to take out cyber cover

“In Australia certainly, legislation is moving more and more towards some sort of impulsion on cover,” said one cyber broker. “New Zealand is possibly not far behind.”

For example, The Notifiable Data Breaches (NDB) scheme mandates that organisations must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) if a data breach is likely to result in serious harm. Recent amendments are also driving firms to insure. Individuals can now seek legal recourse for breaches caused by intentional or reckless conduct, increasing the financial risk for businesses.

There’s also the Security of Critical Infrastructure Act (SOCI) that was updated to impose higher penalties and, in some cases, criminal liability for data breaches involving critical infrastructure. Also, since May, mandatory reporting of ransomware payments is required for SOCI-regulated entities and businesses with annual revenue above $3 million.

Cyber insurance obligations in business contracts

Cyber insurance obligations in business contracts are another factor behind increasing cyber uptake among SMEs. The result is further erosion of that long held reluctance from SMEs to buy cover. This is changing the landscape for brokers and their clients.

“What I’m seeing is an adoption of requests for certificates in order for a client to work or operate with a technology provider,” said one broker. “You might then need to evidence other types of insurance and the one that I’m seeing now, more and more, is evidence that you’ve got cyber insurance.” He said this means contractors providing any form of cyber or tech assistance are now being required to show that they have cyber cover. The broker compared this to a builder needing public liability insurance to work on a property.

For brokers, these trends present both challenges and opportunities. The challenge is to help SME clients understand the changing risk landscape and the new regulatory and contractual requirements. The opportunity lies in providing expert guidance and tailored solutions as cyber insurance becomes a standard part of business operations for SMEs.

Are you a cyber broker? Are you also seeing increasing uptake of cyber covers? Please tell us about it below.