‘We can’t insure for cyber risk as we did for ships at sea!’: Protecting Australian SMEs demands a new cyber insurance approach

“For small Australian businesses, navigating the dynamic digital risk landscape is like navigating a small boat setting sail in a vast sea,” writes Sam Weaver, general manager at Coalition Australia, an emerging player in Australia’s burgeoning cyber insurance sector.

Much like an inexperienced sailor in the face of a sudden storm, a small business may find itself unprepared for turbulent conditions as digital threats grow more severe, potentially leading to enormous losses.

In fact, the Australian Cyber Security Centre receives approximately 144 reports of cybercrime from SMEs each day – one every 10 minutes. Concurrently, the average cost of cybercrime for small businesses has risen to $46,000 this year, up from $39,000 last year.

While these stats may seem shocking, when you learn how unprotected SMEs in Australia are right now, you may ask yourself whether those numbers could realistically be even higher.

Sam Weaver, general manager at Coalition Australia

According to the Australian Securities and Investments Commission’s 2023 Cyber Pulse Survey, small businesses reported an average score of just 1.42 out of four for cyber protection, 1.34 for detection, 1.36 for response, and 1.28 for recovery. Furthermore, almost half of SMEs rated their understanding of cybersecurity as ‘average’ or ‘below average’ and were poorly set up to defend themselves against cyber-attacks, reflecting inadequate cybersecurity knowledge and cyber hygiene best practices.

At Coalition, in an analysis of more than 1,000 Australian SMEs, we found that small businesses have some of the most preventable vulnerabilities in their defences.

A staggering three in four (75 per cent) Australian SMEs use non-secure internet connections, almost half (45 per cent) use non-secure email services, and nearly one in four (24 per cent) have insufficiently configured an email security system or do not have one at all.


These security concerns are some of the most apparent yet fixable defensive gaps. It’s almost like driving with an expired driver’s licence, exposing small businesses to unnecessary risk and potentially costly consequences.

The low adoption of cyber insurance among Australian SMEs

While larger businesses in Australia have increasingly adopted cyber insurance to protect themselves against looming threats, underinsurance remains a significant issue for small businesses. According to the Insurance Council of Australia, only 20 per cent of Australian SMEs are properly equipped with cyber insurance.

The low adoption of cyber insurance among Australian small businesses stems from a lack of awareness of what’s available, an underestimation of cyber threats, and the painful nature of procuring cyber insurance.

Through Coalition’s conversations with brokers and SMEs in Australia, it’s evident that some are completely unaware of the existence of cyber insurance. Meanwhile, those who recognise its existence often mistakenly assume that cyber threats exclusively target large organisations, businesses engaged in online product or service sales, or entities dealing with sensitive data, such as those in the financial or medical sectors. These compounded assumptions make small businesses think they are too inconspicuous to attract cyber attackers.

Lastly, insurance is supposed to provide peace of mind for the insured, making them feel protected and secure in the event of a cyber incident. Yet, the traditional approach to cyber insurance has been, well, traditional: applying historical data to model and price risk, selling a policy, and leaving it untouched until an incident occurs.

These methods, originally developed for insuring ships at sea, cannot be applied to digital risk that is more affected by future trends than past performance.


Also, many of these approaches do not leverage the available tools and massive amounts of digital data that exist to help assess risk, set congruent policy prices, and provide meaningful coverage. The problem is that businesses – particularly SMEs – suffer as a result. Applying traditional insurance methods to an evolved risk such as cyber can often make the entire endeavour seemingly not worth it.

A new approach to protecting businesses

Continuing to use the old insurance model can be a risk in itself. SMEs need a new way to protect themselves that helps them improve their defences, stay on top of new and evolving threats, and leverage data to help them understand their risk. With businesses generating more data than ever, sticking to traditional forms of protection leaves businesses exposed as potential targets for cybercriminal groups.

Now, ‘active’ cyber insurance has emerged in Australia as a revolutionary solution tailored to the digital age. Unlike historical approaches, it uses technology to assess each individual policyholder’s risk, taking into account the diverse SME business landscape across different company sizes, types, and industries.

Active cyber insurance is more than risk transfer; it is policyholders and insurers working together to lower cyber risk.


It’s an innovative approach that collaborates with organisations to understand their cyber risk profiles, fortify their defences, and prevent digital risk before it strikes.

By combining assessment, protection, and response all in one place, active cyber insurance first provides policyholders with a risk assessment to better understand their existing security posture and the defensive areas they should reinforce. Secondly, by continuously scanning and monitoring an organisation’s digital environment, active risk management platforms provide real-time alerts about vulnerabilities and exposures and flag emerging threats before they can escalate into full-blown incidents that lead to significant business disruption.

Lastly, if and when an attacker inevitably breaks through, with active cyber insurance, a team of on-demand security professionals is available to help businesses respond to and quickly recover from an incident, returning them to normal business operations as soon as possible.

Australia is now at a pivotal moment in its cybersecurity journey. The latest voluntary cyber health checks and one-on-one assistance initiatives announced by the Australian Government to support SMEs in combating cybercriminal groups are positive steps forward.

As businesses adapt to the digital age, the evolution of cyber insurance becomes not just a necessity but an imperative strategy in safeguarding digital assets. Small businesses need to understand not only that they are at risk, but also that they have innovative options to give them the protection they need.

Sam Weaver is general manager at Coalition Australia, backed by Allianz Australia and touted as the “world’s first active cyber insurance provider”.

Recruited to Coalition’s US headquarters in 2021, Weaver jumped ship to the firm’s Australian arm in mid-2023, right before its official launch late last year. Weaver previously served in a senior leadership position at risk management and reinsurance multinational Aon, based at the company’s US head office in Chicago, IL.