Number-crunchers are urging the federal government, businesses and insurers to fix the gaps in cyber protection that are costing the Australian economy billions of dollars.
Risk experts at the Actuaries Institute on Wednesday released research showing the vulnerability of organisations, from small firms to large corporates.
“Sitting back and doing nothing shouldn’t be an option when cyber attacks cost the Australian economy $33 billion last financial year,” institute president Annette King said.
The report’s lead author Win-Li Toh found only one in five (20 per cent) of small to medium enterprises have cyber insurance, compared with up to 70 per cent for larger organisations.
And yet 75 per cent of ransomware attacks in 2021 were on companies with fewer than 1000 people.
Prime Minister Anthony Albanese told federal parliament the Optus breach, which has exposed the details of almost 10 million customers, should be “an absolute wake-up call for corporate Australia”.
Australia clearly needs new laws governing data collection and security, he said during Question Time.
Ms Toh said with government support on skills, guidance and better regulation, a deeper and better-informed cyber insurance market could do more than provide payouts when the first line of defence fails.
“It can also strengthen that first line, by offering clear signals and incentives to business – in the form of eligibility, pricing and sharing of insights – on best-practice standards,” she said.
With Russia’s invasion of Ukraine adding to risks, another concern for firms is the declaration of acts of cyber war as excluded from insurance cover.
The world’s insurance market recently gave directions to underwriters on excluding liability for losses from any state-backed cyber attack.
Cyber risk was already growing at unprecedented levels globally, with ransomware attacks more than tripling in two years.
Ransomware is a form of malicious software, or malware, that can lock out computer users. Hackers then demand payments in exchange for restoring access to data and systems.
Targets of ransomware attacks in Australia have in recent years ranged from logistics giant Toll Group to hospitals in Victoria.
“The accessibility of ransomware as a service, combined with the development of crypto currencies enabling untraceable payments has super-charged the growth of cyber attacks,” Ms Toh said.
“This has brought more organisations of different types and sizes under the widening net of cyber criminals to the point where it is now clear that no firm is immune.”
But government departments are a long way off minimum standards of cyber security and many businesses are also falling short, she warned.
“Adding to these challenges are escalating cyber losses that have reduced insurer appetite for this class, significant shortage of capacity to provide the levels of protection needed across the market, and premium hikes in the double/triple digits over the past two years,” Ms Toh said.
Former home affairs minister Karen Andrews has proposed new cyber extortion laws so that cybercriminals who use ransomware face an increased maximum penalty of 10 years in jail.
Attacks on critical infrastructure such as phone networks would attract a maximum penalty of 25 years in jail, under the bill she reintroduced to parliament this week after failing to push it through while in government.