Protecting SMEs: Cyber Insurance Insights from Katrina Hickson
Is your business truly prepared to tackle a cyber incident? In this exciting episode of the REDD’s Technology and Business Podcast, join host Nigel Heyn as he engages with guest Katrina Hickson from Emergence, a leading expert in cyber insurance. Together, they delve into the critical importance of cyber preparedness for businesses, sharing invaluable insights and real-life examples from the world of cyber risk management.
Katrina explores critical aspects such as identifying policy exclusions and ensuring comprehensive coverage against ransomware and social engineering threats. She doesn’t shy away from sharing challenging stories, including the Queensland real estate firm that fell victim to a business email compromise and the ransomware attack that escalated into a life-threatening situation.
On a positive note, Katrina offers an encouraging outlook on the future, highlighting the increasing availability of cyber insurance for small and medium enterprises and a rising commitment to cyber resilience in Australia.
Whether you’re a business owner, a broker, or just curious about the subject, this conversation is rich with actionable advice and eye-opening stories. Are you ready to take the initiative in securing your business? Join in and start building your defences today.
#CyberInsurance #BusinessResilience #CyberSecurity #SMEProtection #DigitalSafety
00:00 – Start
00:25 – Guest Introduction
00:38 – Katrina’s Career Background
01:37 – Understanding Emergence and Its Role
02:32 – Cyber Insurance Simplified
03:09 – Trends and Challenges in Cyber Insurance
04:12 – The Critical Need for Cyber Insurance
06:12 – Common Gaps in Cyber Insurance Coverage
12:12 – Key Considerations for Cyber Insurance Coverage
13:50 – Real-Life Impact of Cyber Incidents
15:51 – Ransomware and Personal Threats
17:15 – The Future of Cyber Insurance
18:20 – Recommendations for Effective Cyber Insurance
19:01 – Cyber Threats Targeting SMEs
20:34 – Katrina’s Vision for the Future
21:08 – Closing Thoughts
If you would like to discuss any of the topics discussed in this episode further with a REDD expert or if you would like to be a guest on the show, please get in touch either via our website, [email protected], or through any of the links below. https://redd.com.au
https://www.linkedin.com/company/redd-digital/
https://www.linkedin.com/in/nheyn/
https://www.linkedin.com/in/katrina-hickson-90602975/
00;00;00;00 – 00;00;20;27
Speaker 1
Yeah.
00;00;21;00 – 00;00;28;14
Speaker 1
Welcome to Redd’s Business Technology podcast. I’m your host, Nigel Heyn. And today I’ve got a special guest, Katrina from Emergence. Welcome, Katrina. Great to have you here.
00;00;28;15 – 00;00;29;19
Speaker 2
Thank you. It’s good to be here.
00;00;29;24 – 00;00;36;28
Speaker 1
Can you start, Katrina, by just explaining to the viewers and listeners a bit about your story? You know, what brought you to what you’re doing today?
00;00;36;29 – 00;00;56;09
Speaker 2
Yeah, sure. Well, I grew up out at Ipswich, out west, and always wanted to be a receptionist while I was at school, so I thought I’d give it a crack and got my first job at RACQ Insurance on reception. Decided after a little while it was a little bit too boring for me, so moved into claims.
00;00;56;21 – 00;01;12;07
Speaker 2
Been in the insurance industry ever since. And cyber, about four years ago, I got tapped on the shoulder. Cyber was, I guess, a new topic that a lot of brokers were hearing about and having a lot of trouble talking to their clients about. And I thought, you know, this is, I guess, the way of the future.
00;01;12;07 – 00;01;17;10
Speaker 2
And I think I’ll jump on board before it really starts to take off. So yeah, fast forward and here we are.
00;01;17;11 – 00;01;34;28
Speaker 1
Fantastic. And look, you know, cyber is such a critical piece. You know, we’ve seen the good, the bad, the ugly. And that’s why it’s important for people like you to share your story and help educate others, especially the people that listen. Can you talk about Emergence itself? You know, what your role is and a bit about the company, because I don’t think many of our listeners will actually know who
00;01;34;28 – 00;01;35;14
Speaker 1
Emergence is.
00;01;35;14 – 00;01;57;05
Speaker 2
Yeah, sure. So, I head up the distribution team. So my team, across Australia and New Zealand, look after broker relationships and work with brokers to educate them on cyber insurance. Emergence is an underwriting agency that specialises in cyber insurance. So, we started the company about ten years ago, operating in the market locally, and have recently launched into New Zealand.
00;01;57;18 – 00;02;21;16
Speaker 2
And we solely focus on cyber insurance. So originally, when Troy, our CEO, started the business, he named the agency to look at emerging risks. But after a couple of years focusing on cyber, he decided that that was definitely the path that we needed to go down. We needed to be specialised. So, we look after a range of clients from a cyber insurance perspective, start-ups all the way to large ASX-listed companies across Australia.
00;02;21;20 – 00;02;31;19
Speaker 1
Fantastic. And for those people that don’t really understand cyber insurance in its essence, you know, you guys are the true specialists. Can you dumb it down for our viewers? What actually is cyber insurance?
00;02;31;19 – 00;02;55;29
Speaker 2
Yeah, sure. So it’s transferring the risk of cyber costs that come out of a cyber event. So cyber insurance effectively will cover any financial loss that the business may suffer. And also cover any cost to get the business back up and running after a cyber event. It also covers things like public relations and crisis communication, and really provides guidance to insureds on how to recover after a cyber event.
00;02;56;01 – 00;03;12;23
Speaker 1
Fantastic. And probably, given that you’ve been in Emergence for, you know, the last four years, what have you seen come into the industry, go from the industry, and, I guess, crystal ball, what’s changing in the cyber insurance business? Now, off camera before, you were saying there are changes coming that I’m interested in. So can you share what you can in that space, Katrina?
00;03;12;23 – 00;03;34;22
Speaker 2
Yeah, absolutely. So insurance generally goes through cycles. We talk about a hard market and a soft market. In a hard market there’s not much capacity available for insurers to write business. So you generally will find the criteria to get a cyber insurance policy would be a lot harder. The premiums will be a lot higher.
00;03;34;23 – 00;03;52;09
Speaker 2
Over the last probably 18 months, we’ve seen quite a lot of capacity increase here in Australia. So what that then means for end clients is the bar to actually obtain a cyber insurance policy is getting a little bit lower. It’s easier to obtain a cyber insurance policy, and it’s becoming a lot more cost-effective because there’s a lot more capacity out there.
00;03;52;23 – 00;04;06;27
Speaker 2
So we’re definitely seeing that at the moment, where clients who maybe 18 months ago or two years ago may have struggled to obtain a cyber insurance policy are now actually getting a policy and being able to have a cost-effective plan.
00;04;06;29 – 00;04;12;25
Speaker 1
And in your words, the top three reasons that people need cyber insurance. What would they be?
00;04;13;19 – 00;04;35;10
Speaker 2
I think initially it’s peace of mind. When a cyber event occurs, it can be extremely upsetting for the business, quite challenging for the staff, and then also the concern around the customer impact as well. So the top three things I would say is having that peace of mind that you can call an expert at any time, day or night, to get advice and support through that process.
00;04;35;22 – 00;04;58;00
Speaker 2
The other part is just that financial support as well. So, we often find, particularly for businesses that don’t have cyber insurance, that if they do suffer a cyber event, they’re at risk of actually falling over and going into liquidation post the event because of the reputational damage and the costs associated with the client notifications and whatever else is occurring during that event.
00;04;58;11 – 00;05;21;01
Speaker 2
So having that support, financial support, to ensure that the business can continue to operate, can continue to pay their staff, whilst they are recovering. And then probably the third piece would be, I guess, the advice around the legal aspects as well. So, there’s quite a few legalities, particularly around ransomware events and also around customer notification if customers’ data is breached.
00;05;21;01 – 00;05;26;26
Speaker 2
So having that legal support and guidance to help the insured make sure that they’re meeting their obligations as well.
00;05;27;00 – 00;05;45;05
Speaker 1
Yeah. And I think people don’t appreciate, you know, how drastic these cyber events can be. And we were involved with an organisation that got hacked by LockBit, the Eastern Bloc group. And you don’t realise these are billion-dollar organisations that, you know, the average Joe organisation is going up against without a party like you supporting them.
00;05;45;05 – 00;06;01;25
Speaker 1
You know, it’s so hard to navigate the minefield of, you know, what the legal obligations are. And obviously the government’s, you know, enforcing new changes in that regard. So I think, you know, it’s great hearing that simplified way: these are the things that people need cyber insurance for. Yeah. What exclusions do you see people, I guess, gloss over?
00;06;01;25 – 00;06;16;12
Speaker 1
And obviously, you know, we work with organisations and with great brokers. Some people don’t really understand cyber, which is, you know, your specialisation. But what are the common themes that you see where people just, you know, forget or don’t include, or they just do a very simple cyber policy and they get caught out?
00;06;16;14 – 00;06;36;20
Speaker 2
Yeah. So there’s a couple of different elements. We often find that ransomware cover can be sub-limited or excluded. So that’s the cost associated with recovering or dealing with a ransomware event. So you think of the ransomware payment, if that needs to be paid, and any sort of business interruption or loss of revenue as a result of the ransomware event.
00;06;36;28 – 00;06;58;20
Speaker 2
So that would be quite a significant one. Ransomware is definitely in the top three highest costs for our insureds. So having a cyber insurance policy that doesn’t cover ransomware to the full limit is definitely something to be mindful of. Probably more exclusions as well. So a lot of cyber insurance policies will have a war exclusion.
00;06;58;20 – 00;07;17;05
Speaker 2
So it will exclude any cyber event as a result of an act of terrorism or war. However, you will find with some really good policies there will be a write-back which allows cover if you’re an innocent bystander, effectively. So if you weren’t the original target and you get impacted, then you can get covered from there.
00;07;17;05 – 00;07;36;14
Speaker 2
So that would be one around that war exclusion. Your insurance broker should be able to talk you through those pieces. But that would be one that I guess a lot of people do gloss over. Another one is also just around the retroactive date. So that is, you could have a hacker in your system for many, many months before they show their face.
00;07;36;25 – 00;07;57;28
Speaker 2
And some policies will actually have a date where anything that occurred prior to that particular date won’t be covered, whereas having no retroactive date, or a nil retroactive date, effectively means that if you don’t know that they’re in your system and they got in a year ago, you know, six months ago, and then they show their head whilst you’re in that policy period, then the policy will respond.
00;07;58;04 – 00;08;02;06
Speaker 2
So you want to make sure that there’s no retroactive date applied to your policy.
00;08;02;07 – 00;08;12;17
Speaker 1
Okay. That’s great advice. Again, I learnt something, I can tell you. Fantastic. How are we going in the battle? Like, are we losing? Are people making more claims or less? Like, can you share what the stats are in Australia?
00;08;12;17 – 00;08;51;16
Speaker 2
Yeah, yeah. So, we’re probably seeing a change in claim behaviour. So, definitely still getting a lot of business email compromise and ransomware, but social engineered theft is absolutely dominating, I guess, from a claims perspective. We’re seeing the use of AI, we’re seeing the use of computer systems that are now completing these phishing campaigns and really pushing insureds to pay funds into fraudulent bank account details that look so legitimate, and they’re so targeted around, you know, the busiest times of the week when they’re going to target an insured, you know, Friday at 4 p.m. or a Monday morning.
00;08;51;18 – 00;08;55;28
Speaker 2
Yeah. So I guess the social engineered theft would be a big driver.
00;08;56;03 – 00;09;03;07
Speaker 1
Yeah. Okay. And can you share your stats on, I guess, from what you know, Australian businesses that actually have cyber insurance versus those that don’t? Do you know? Yeah.
00;09;03;07 – 00;09;24;26
Speaker 2
So, I hear it’s around 85% don’t have cyber insurance, but talking to our insurance brokers, they often will say less than 5% of their clients have cyber insurance. And I think there’s a couple of different factors for that. One is definitely a lack of understanding of how prominent cyber events are in Australia.
00;09;25;07 – 00;09;46;13
Speaker 2
And then also the implications when there is a cyber event. It’s not as easy as, you know, paying a ransom and you’re back up and running. It’s a lot more complicated than that. And there’s a lot more legislation involved and legality involved. But then also, I think, cost as well. So previously, as I mentioned, in the hard market, it was quite expensive to get cyber insurance.
00;09;46;13 – 00;09;59;09
Speaker 2
Or if you weren’t completely up to scratch, you wouldn’t be able to actually get cyber insurance. That’s definitely softened now. But we just need to educate clients to let them know that now is the time that you can get in and get a good policy.
00;09;59;11 – 00;10;19;12
Speaker 1
Fantastic, Katrina. You’re, you know, sharing your story on a podcast; I really appreciate that. Self-insurance, right. So, you know, it’s interesting to us, the percentage of people. We have a lot of organisations, big ones, that, you know, I think we’ve struggled to communicate the fact to that, you know, sure, you need to put the hygiene in place. You need a good provider, you know, primary and secondary backups, like just mitigate the risk and do the fundamentals right.
00;10;19;15 – 00;10;28;05
Speaker 1
And then when it comes to a discussion about insurance, they go, oh, look, we’ve tried it in the past and, you know, it’s too expensive. We looked at self-insurance. So can you share a bit about, I guess, you know, the pros and cons of that?
00;10;28;05 – 00;10;52;08
Speaker 2
Yeah. I guess it’s like anything; it depends on your risk appetite and what the business is actually comfortable with, with holding the risk. Insurance is a great transfer tool. But there’s a lot of ways where you can kind of blend the two of self-insurance and non-self-insurance. I think the importance of cyber insurance is it’s such a specialist team that gets brought in when there is an event.
00;10;52;08 – 00;11;14;09
Speaker 2
And the majority of businesses in Australia, I would assume, wouldn’t have all of that expertise in the business to be able to respond immediately. You know, you think of the crisis communications and public relations teams, the legal side of things. Whilst you can engage your legal partner or your IT partner, do they have the skills around dealing with a specific cyber event?
00;11;15;12 – 00;11;42;25
Speaker 2
So, the costs involved in self-insuring, you would generally find that they increase quite significantly when you don’t have those experts immediately in your corner. But a way in which you can kind of blend the two is having a higher excess. So if you’re wanting to self-insure, for example, you know, you want 500,000 of self-insured that you’re going to put in a bank account, then you could look at getting a policy where you have a $500,000 excess, and then you’ve just got insurance for the layer on top of that, for another million or 2 million.
00;11;42;27 – 00;12;01;05
Speaker 2
So, I think that there’s definitely some businesses that are comfortable with self-insuring. But I think with the way that the tide’s going with cyber events, the legislation, the legalities, having that safety net over and above what you’re comfortable financially to have is a good option.
00;12;01;08 – 00;12;18;13
Speaker 1
So you mentioned earlier brokers, right? I know in the past we’ve dealt with a few. There’s obviously a difference between, like, even IT providers, right. Yeah. We strive to be the best we can be and genuinely want to help. But what should people be looking out for or asking questions of their broker? Because I think there’s a difference between ones that would consider themselves cyber specialists,
00;12;18;13 – 00;12;27;23
Speaker 1
that actually can lean on organisations like yours. Are there any stand-out questions you can advise people to ask a broker, to tell whether they actually really know cyber insurance or whether they should be looking elsewhere?
00;12;27;23 – 00;12;45;02
Speaker 2
Yeah, sure. I guess the first thing is a broker is there for the client, and whilst we’d love them to use our products, there are a number of other cyber insurers in the market. So the first thing is I would ask them, have you looked at the market and what’s available in the market, and what are the differences between the particular policies?
00;12;45;18 – 00;13;07;13
Speaker 2
So that should be the first one: making sure that they’re actually scoping out the market and what’s available. Depending on the occupation and industry that the client’s in, you’d want to look at things around fines and penalties, notification costs, making sure that you’ve got all of those covered, and making sure that any exclusions that are in that policy, that you’re aware of them.
00;13;07;13 – 00;13;26;00
Speaker 2
So asking what the exclusions are and getting some commentary around that. I think that will definitely show the understanding of the broker. And the good thing is there’s a lot of brokers around Australia that have great relationships with cyber insurers, and if they don’t know the answer straight away, they will be able to get that. Yeah.
00;13;26;17 – 00;13;35;24
Speaker 2
So yeah, I would definitely push around the market, what’s available with all the competitors, and then push for an understanding of the exclusions.
00;13;35;24 – 00;13;52;20
Speaker 1
Excellent. Great advice, Katrina. Really appreciate it. Let’s go to a bit of a scary topic now in terms of, you know, what’s the worst, or a story you can share. Obviously desensitised, but one that’s been a really bad experience that, you know, I guess you guys have had to help rescue, turn around, you know, potentially the business has gone under.
00;13;52;20 – 00;14;08;07
Speaker 1
Like, I guess, for the listeners who haven’t been through a cyber incident. And there’s a big difference. Like, I’ve been through a few, unfortunately. And when you’re in the weeds and you actually experience it, it’s completely different to sitting in a tabletop exercise and doing the theory. So what can you share that you’ve been involved in?
00;14;08;07 – 00;14;33;20
Speaker 2
Yeah, there’s a couple that come to mind. The first one was a real estate business here in Queensland, actually. They suffered a business email compromise. So the threat actor gained access to the email account. Over the weekend, a young couple from Byron Bay actually purchased a property, and the real estate agent had sent them an email with the trust account details for their deposit of 5%, which was quite significant.
00;14;35;00 – 00;15;04;07
Speaker 2
Because they suffered a business email compromise, that email was actually diverted. The threat actor changed the bank details and sent that email from the insured’s email address asking for the payment to be made into the fraudulent bank details, which the purchasers actually did. The reason I bring that one up is, so they lost, obviously, the funds that they paid, but they couldn’t complete the obligations under the contract of purchase for that property.
00;15;04;07 – 00;15;34;05
Speaker 2
So they actually lost the purchase. There were financial implications for the client because they lost the purchase, and then obviously reputational damage for the insured. So, with that particular one, a number of months down the track, the young couple actually separated because of the stress of losing that amount of money. I get goosebumps when I talk about it because you think of the people behind it, all the victims behind this, and the everyday people.
00;15;34;05 – 00;15;52;14
Speaker 2
And, you know, this young couple had saved up tens of thousands of dollars to purchase their dream first home. And something like this has created that much stress in their life that it’s dissolved their relationship. So it’s horrible. Yeah. I think that’s one that sticks with me quite a lot. It makes me emotional when I think about it.
00;15;53;06 – 00;16;13;10
Speaker 2
The other one, which I find quite hair-raising, is we had a nationwide business, but it was headquartered here in Brisbane as well. The CEO suffered a ransomware event across the network. They had great backups. So, initial thoughts were we’d be able to recover from backups. We don’t need to engage with the threat actor.
00;16;13;29 – 00;16;46;22
Speaker 2
We’ll have a bit of downtime, but we’ll be able to get them back up and running relatively quickly. Whilst the threat actors were in the environment, they actually were able to obtain the CEO’s parents’ details, elderly parents; the CEO is second generation, so they were the original owners. And because we weren’t engaging with the threat actor, because we were planning on restoring from backup, they obviously got upset about that and they actually made contact with the elderly parents and threatened their life, to put pressure on the CEO to pay the ransom.
00;16;46;29 – 00;16;58;06
Speaker 2
So in that particular incident, we ended up paying quite a significant ransom, a seven-figure ransom, purely just to, I guess, avoid the threats of harm against the family members.
00;16;58;11 – 00;17;15;12
Speaker 1
Yeah, well, that’s when, you know, insurance comes into its own, and it’s worth its weight in gold tenfold over. Instead of talking about sad things, let’s talk about good things. What’s the future that you see? You know, you’ve been in the industry quite a while. You are a specialist. Crystal ball, in the next couple of years, what can you share?
00;17;16;00 – 00;17;37;07
Speaker 2
I definitely see a lot more access for businesses to get cyber insurance. As I mentioned, there’s a lot more capacity in the market here in Australia. So I think the entry level is now a lot more attainable, particularly for small businesses that don’t have a lot of money to spend on cyber security or don’t have expertise within their business.
00;17;37;22 – 00;18;01;19
Speaker 2
So there’s that option there for them to actually get a good policy for a good premium. We’re also seeing, obviously, a lot more focus from the government on cyber resilience and taking cyber seriously within businesses. So I think we’ll see a lot more pressure from legislators actually really pushing Australian businesses to consider cyber insurance.
00;18;02;00 – 00;18;13;22
Speaker 2
We’re also starting to see some segments having mandated cyber insurance requirements if they’re doing contracts with certain businesses or organisations. So I think we’ll start to see a lot more of that as well.
00;18;13;26 – 00;18;24;05
Speaker 1
Yeah. Fantastic. One good question that I know people ask: what are three things you reckon you might recommend to organisations to ensure they’ve got the right cyber insurance in place?
00;18;24;18 – 00;18;48;20
Speaker 2
One, make sure you’re talking to your broker about it. Definitely asking those questions around the exclusions. What’s covered? What’s not? I would absolutely recommend making sure that you’ve got ransomware to the full limit that you’re purchasing. And then also making sure that you’ve got some sort of cyber theft or social engineered theft cover as well, because we are seeing a lot of those events occurring.
00;18;48;20 – 00;18;54;13
Speaker 2
So that’s the manipulation of invoices and paying funds into fraudulent bank account details.
00;18;54;17 – 00;19;00;13
Speaker 1
Anything else that you’re seeing in terms of, you know, just, I guess, hygiene, businesses, like different industries, that you can share?
00;19;00;13 – 00;19;19;02
Speaker 2
So, yeah. So we’re probably fine for now. From my statistics, so remembering I said we do, you know, start-up businesses right up to large ASX-listed companies, the majority of our clients who do claim with us or do suffer a cyber event sit in that 0 to 1, 0 to 3 mil turnover bracket. Okay.
00;19;19;03 – 00;19;43;23
Speaker 2
So it’s that sweet spot, SME clients. And what’s quite interesting about that is, generally we find that clients with a business of that size think that they’re immune to it because they’re small fish. Why would a threat actor worry about hacking them when they can go and hack a $200 million company? When actually our stats show that they are the highest claiming clients.
00;19;44;04 – 00;20;02;07
Speaker 2
And I think the reason for that is, like I said before, one, they may not have the funds available to really implement robust cyber security measures. And then two, they might not have the expertise in-house or have a good partner, an MSP or the like, to actually support them through it as well.
00;20;03;02 – 00;20;26;13
Speaker 2
From an occupation perspective, we see white collar. So, professional services, legal, accounting, finance broking, those that hold trust accounts are generally quite big targets, those that hold sensitive information about customers or clients. But then also manufacturing and construction are a huge target as well. Yeah.
00;20;26;13 – 00;20;34;08
Speaker 1
Fantastic. What’s next for you, Katrina? You’ve been building up and are now an expert in cyber, you know, where do you see yourself in five years from today?
00;20;34;09 – 00;20;54;19
Speaker 2
Yeah, I think this will definitely be my career. I want to stay in the cyber game. I really enjoy it. I find it challenging. I love helping insureds when they do suffer a cyber event, and getting them back up on their feet. I think, for me, the industry is constantly changing.
00;20;54;19 – 00;21;07;00
Speaker 2
Cyber threats are constantly changing, so you can’t get bored of it. There’s always something to learn. There’s always something to know. And I think that will definitely keep me engaged and driving forward from a cyber perspective.
00;21;07;03 – 00;21;25;12
Speaker 1
Thank you so much for sharing. I really appreciate, you know, you personally taking the time, but also Emergence has been a great, you know, supporter of, you know, our clients and what we do, and you’re our insurance provider too. So really, really appreciate it. And hopefully, you know, we probably get you back for, I reckon, another episode next year, because there’ll be lots of changes and there’s interest in the stats.
00;21;25;18 – 00;21;39;18
Speaker 1
You know, 85% of businesses don’t have it. And, you know, we do struggle, which is why this is so important, to actually educate people that, you know, it’s not a case of, you know, it won’t happen to me. It’s a case of when, and then who do you call, right? Yeah, I really appreciate your time, Katrina. Thank you so much.
00;21;39;18 – 00;21;51;05
Speaker 2
Thank you. Thank.