Uptake of cyber insurance by small businesses in Australia is still alarmingly low. The reality is that your business is highly likely to experience a cyber security incident, such as a data breach, a hacking incident or a phishing attack, which involves being tricked into clicking a malicious link or file, or unknowingly giving access to sensitive financial accounts or client information.

Don't make the mistake of thinking that cyber criminals target only larger organisations — small businesses can hold valuable information, conduct expensive transactions and may be easily targeted by criminals using sophisticated software developed to penetrate computer systems.

Small businesses are less likely to have the technology and security defences that a large business would. Without strong cyber risk management strategies and insurance policies in place, a cyber attack could seriously threaten your business's financial viability.

Here are 5 simple reasons why small businesses need to give thought to obtaining cyber insurance.

1. Your staff rely on computers to get their jobs done

It's stating the obvious, but here's the thing: if your business uses any internet-connected devices for work purposes, you should think about cyber insurance.

Simply accessing the internet on devices — whether they be computers or smartphones, on or off a protected network — puts your business at risk of a cyber attack. Nobody is immune to cyber risk, and every business that's using technology and the internet should strongly consider cyber insurance as part of an effective risk management plan.

2. Your business handles and/or stores personal data from clients and customers

If you use, store or disclose personal information about your customers or clients and suppliers, you need to think about cyber insurance. Why? Because this information is a valuable commodity for hackers, and collecting it makes you a target for data breaches and other cyber security incidents like phishing attempts.

For example, a common incident is where cyber hackers pretend to be your supplier and send your business a very legitimate-looking supplier invoice for payment, fraudulently obtaining funds from your business. Or they could falsely charge your clients via a fake invoice appearing to be from your business itself, causing considerable financial and reputational damage.

Personal information refers to any information that can be used to ascertain or reveal someone's identity, such as their name, address, email address or telephone number. While small businesses are mostly exempt from Privacy Act obligations in terms of data security regulations, this is under review and every care should be taken with third-party data.

If your business has relationships with overseas suppliers or customers, it will be subject to the data privacy regulations in those regions, such as the General Data Protection Regulation (GDPR) in Europe.

3. Your password protocols may not be strong enough

Many small businesses use cloud-based services with different accounts to store sensitive or personal business information. Using easily guessed passwords, or the same password for the different accounts, can make this data vulnerable to cyber criminals with the skills to decode encrypted information.

Along with implementing multi-factor authentication (user identification plus password, which may be sent to a mobile device on a one-time basis), using professional business password management services can help ensure you and your staff are using secure passwords for multiple accounts.

Another practical way to protect sensitive information is to restrict access to a need-to-know basis. This can help limit damage if one staff member is the target of a cyber attack, via phishing, for example.

4. Your business couldn't financially survive a cyber attack

The average cost of a cyber attack is estimated to be $39,000 for a small business — certainly enough to cripple your enterprise. But these estimates don't account for the indirect, hidden costs of a cyber attack, which include (but aren't limited to):

  • business interruption or destruction
  • reputational damage and loss of customer trust
  • insurance premium increases
  • lost contract revenue and loss of intellectual property
  • damage to share price.

When we take these kinds of indirect costs into account, the total cost of a data breach skyrockets. A cyber attack could seriously compromise your financial viability, so a cyber insurance policy is an important consideration for your business. At the very least, this can cover risks such as financial loss arising from lost revenue, data retrieval, privacy fines and legal expenses.

5. Your existing insurance policies probably won't cover losses from a cyber attack

Most business liability policies exclude cover for cyber liability.

Don't assume that you're covered just because you have public liability, management liability or other business insurance policies in place. You need a separate cyber insurance policy that covers your risk exposures and includes costs such as business interruption, legal expenses and data recovery.

The website provides useful information about what forms of cyber attacks you need to be aware of as well as links to free cyber security resources for improving your business's defence.

How Gallagher can help

In addition to cyber insurance protection and advice, Gallagher offers expertise and resources for building business resilience to withstand cyber security incidents.




Insurance brokerage and related services to be provided by Arthur J. Gallagher & Co (Aus) Limited (ABN 34 005 543 920). Australian Financial Services License (AFSL) No. 238312