The incidence of cyber attacks targeting businesses and organisations of all sizes has surged in the past couple of years as criminals took advantage of business disruptions and refined new tools as well as proven techniques such as social engineering. Our panel of cyber experts provided their insights and defensive risk management advice at a recent Gallagher Cyber Insight Series Webinar.

Our webinar panel comprised Michael Herron, Gallagher National Head of Financial Lines; Robyn Adcock, Gallagher Cyber/Technology Practice Leader; John Moran, Partner at Clyde & Co and Michael Bruemmer, Vice President, Data Breach Resolution & Consumer Protection at Experian.

While the size of the Optus and Medibank cyber breaches made the global top 10 list, our experts believe these high-profile breaches represent the tip of the iceberg of actual incidents, which may be even more detrimental to smaller businesses with fewer resources.

By volume, 60 to 70% of cyber attack remediation work in Australia is for small to medium-sized businesses, which hits their balance sheets hard if they don't have cyber insurance cover. Even not-for-profits are not exempt, representing 10% of all incidents.

Cyber criminals may target low-hanging fruit: businesses without secure systems, or those with valuable data which they may be able to extort for substantial ransoms or sell. In 2022, 41% of the 5,000 breaches Experian serviced were targeted for data that would sell at a high cost on the dark web.

Who are the key targets of cyber attacks on businesses?

  • Financial services
  • Healthcare
  • Manufacturing
  • Technology
  • Wholesale and retail
  • Education
  • Hospitality

Key vulnerabilities targeted

Ransomware and business email compromise topped the list in Australia in Q4 2022. Criminals are going after business credentials by using refined phishing techniques via social engineering emails to compromise senior executives.

4 key principles of a cyber resilience strategy

Cyber attacks have increased 600% since the start of the COVID-19 epidemic. Complete cyber security may not be an achievable goal, but cyber resilience will enable businesses to respond to and recover from breaches more quickly and in better shape.

This calls for a holistic approach to organisational culture, beyond technical security controls, and includes regulatory compliance planning, preparing and testing how the business will respond to an attack, as well as data back-up for recovery.

Experian's records show that companies that follow these recommended principles are 15% less likely to be targeted, and their breaches are 25% less expensive than those of businesses that are unprepared.

  1. Prepare for the worst — prepare and test your ransomware decision-making framework. It can be valuable to rehearse your response with different groups of external consultants.
  2. Understand your data risk profile — map data, develop policies, identify and remediate off-policy behaviour. Know what your important data is and how its compromise might impact your business.
  3. Develop a clear communications strategy — one with clarity, consistency and transparency to enable immediate response, including a notification process that fits regulatory requirements.
  4. Manage third parties — by setting out your business's position regarding contracts, standards and expectations of cyber security controls. Review contracts, close off exposures, and map what the service provider delivers and what they need to do in the case of an incident.

Insurance availability as at Q1 2023

The cyber insurance market remains highly dynamic and responsive to developments but, in some good news for businesses, premium rate increases are stabilising after prior spikes as insurance clients lift their security practices and there is new capacity in the Australian and London markets.

Businesses need to be conscious of coverage changes as insurers rebalance their risk transfer and risk retention positions, and be aware that policy conditions will always be under analysis.

Access to cyber insurance cover remains based on best practice cyber security risk management.

The key to getting positive cyber insurance results is to:

  • start early
  • be equipped to answer comprehensive question sets
  • meet with potential insurers
  • focus on data security controls to achieve the best terms
  • drive improvements in your cyber maturity
  • use the application process to drive your business's security priorities.

Learn more

Watch a replay of our recent 'Navigating the Cyber Landscape: Top Cyber Risk Predictions for 2023' webinar to learn more about emerging cyber threats, the implications for your business and risk mitigation strategies.

Other webinar topics covered include:

  • the latest cyber threats and criminal techniques
  • emerging data security regulations in Australia
  • new developments in the cyber insurance market
  • tips to ensure your business can obtain optimal cyber coverage.

The role of cyber insurance in supporting cyber threat readiness

In the event of a cyber attack, a robust cyber insurance policy provides access to experts not only in negotiation but also in forensic investigation and remediation measures, as well as cover for the legal and reputational costs involved.

How Gallagher can help

In addition to cyber insurance protection, Gallagher offers expertise, advice and resources for building business resilience to withstand cyber security incidents.


Insurance brokerage and related services to be provided by Arthur J. Gallagher & Co (Aus) Limited (ABN 34 005 543 920). Australian Financial Services License (AFSL) No. 238312