Cyber Insurance
Made Simple

Cyber Risk Series – Episode 1 Transcript
Brought to you by MGA Insurance Group

Kim: Well hello everybody, and welcome to the Cyber Risk Series, brought to you by the MGA Insurance Group. I’m joined by Jerry Powell, who brings a wealth of experience. Welcome Jerry, thank you.

Jerry: Thank you.

Kim: You are a cyber expert — some decades now, is it? How many decades is it now?

Jerry: Yes, I’ve been focused on technology for over 20 years. When you think about cybercrime 10 years ago, it really wasn’t something that was in the headlines. But now, we can’t escape it. It’s certainly been making headlines around Australia, particularly over these last couple of years.

Kim: Why is that?

Jerry: The cyber risk landscape is constantly changing, and that’s shaped by advancements in technology, the evolving tactics of cyber criminals, and the increasing reliance on IT systems. And I think one of the key concerns is that really any business could be a potential target.

Kim: Absolutely.

Jerry: So the cyber criminals of today have no interest in who you are or what your industry is. What they want to do is monetise — to attack and make money. They’ll invest time and money to gain entry into a system, and they will sit and wait, watching the tone and behaviour of a business over potentially six or nine months. They’ll study how things operate — how payments are made, how a CEO communicates with the CFO. Understanding how the business operates allows the cyber criminal to cleverly craft how and when they’re going to launch their attack.

Kim: When they do, it’s fair to say this is not just technological warfare — this is psychological warfare.

Jerry: That’s correct. The sophisticated cyber criminals out there are part of global organisations. Their skill sets and financial capability are immense. They have not only technological skills but also psychological skills — they understand human behaviour, and they exploit that to gain access and trust. They understand how clever we think we are with our passwords. They know that an “e” will be changed to an ampersand, or that we’ll put a “1” after our password, and then make it a “2” — they’re all over this. They understand psychology and who they’re targeting. Like when we look at businesses and the nature of industries —

Kim: Is there traditionally a particular industry or organisation type that a cyber criminal would attack?

Jerry: In Australia, professional services, financial institutions, and healthcare have been the main industries targeted for complex cyber risk. But we’re seeing a change — industries that haven’t traditionally been at risk are now becoming attractive to cyber criminals. We’re talking about industries like manufacturing, construction, and farming, for example.

Kim: It’s equally fascinating and terrifying, Jerry. Thank you so much for joining me for Part 1 of the Cyber Risk Series, brought to you by the MGA Insurance Group. Our next part in this series will look at what types of industries and businesses are being targeted — particularly small businesses — and how you can protect yourself from cyber criminals. Thanks so much for joining us.

Cyber Risk Series – Part 2 Transcript
Brought to you by MGA Insurance Group

Kim: Hello again, and welcome back to Part 2 of our five-part Cyber Risk Series, brought to you by MGA Insurance Group. I’m joined once again by cyber-security guru Jerry Power, and today we’re turning our attention to small business. It’s the global and national companies that have hit the headlines in recent times — but are small businesses just as at risk of a cyber-attack?

Jerry: Kim, from a cyber-risk perspective, we’re seeing Australian SMEs targeted for a number of reasons. Some of the observations are that SMEs generally have limited cyber-security controls and limited financial resources compared to large enterprises. Yet they still hold valuable data — credit-card details, personal information, intellectual property — and all of that can be monetised by cyber criminals. The criminals know exactly what they’re after.

Kim: What are some of the particular areas of potential damage for a small business?

Jerry: There are a number of areas. Firstly, ransomware and extortion attacks — these can cripple a business. Then there’s the cost of dealing with the aftermath: IT forensics, IT remediation, and figuring out how to get the criminals out of the system. There may also be a regulatory requirement for the company to advise customers that their personal information is now in the hands of criminals.

Kim: Is it fair to say one of the biggest Achilles heels for small business operators is this sense of blind faith — that “it’s not going to happen to me”?

Jerry: Exactly. Many small businesses think, “I’m too small,” or “I don’t have anything of value.” But the reality is, the criminals don’t care who you are or what industry you’re in — they’re looking for an opportunity. They want to lock somebody down, demand a ransom, get paid, and move on. There are different categories and levels of expertise among cyber criminals, and some are incredibly sophisticated.

Kim: So considering how advanced these criminals are, that same blind faith small businesses place in their IT providers — “they’ve got my back, it’ll be fine” — could that be leaving them exposed?

Jerry: I think very much so. The whole existence of a business can be at risk. I’ve insured technology industries for professional negligence for over 20 years, and they’re very good at contractual management — they’ll often have clauses limiting their liability or waiving liability for any loss.

Kim: I understand one of the biggest risks — possibly the most common area you’re seeing — is this wrongful payment of invoices?

Jerry: That’s right. What you’re referring to there is phishing or social-engineering attacks, where a criminal sends a deceptive email. They then use that to extract money from the business. The challenge for a business owner is that sometimes the criminal will use the invoicing system of the business itself to send a fake invoice to a customer. But the money is then directed straight to the criminal enterprise. The challenge for the business owner is that they still have an outstanding debt that hasn’t actually been paid. The customer, meanwhile, is pointing the finger at the business owner, saying, “I’ve paid it — but you’ve allowed criminals into your system.” That can potentially lead to litigation — and of course, more cost with that litigation.

Kim: Absolutely. And I suppose the moral of the story here is that we shouldn’t underestimate the sophistication of cyber criminals — no matter how big or small your business may be.

Jerry: Absolutely. If they want to extract money, they’ll use every skill and tactic available to do that.

Kim: That’s sobering, Jerry. But we’ve got some good news coming up in our next episode. In Part 3, we’ll help you identify the categories of cyber risk and what you can do to manage them. But thank you again for joining us today, Jerry — and thank you for joining us for Part 2 of the Cyber Risk Series, brought to you by MGA Insurance Group.

Cyber Risk Series – Part 3 Transcript
Brought to you by MGA Insurance Group

Kim: Hello everyone, and welcome back to the Cyber Risk Series, proudly brought to you by the MGA Insurance Group. Today we’re going to look at the different categories of risk. I’m joined once again by Jerry Power — with a decade of expertise under your belt, Jerry. What are the types or categories of risk that an organisation and its employees should be considering?

Jerry: Kim, when you talk about risk — particularly cyber risk for business — there are really two main categories. There’s people or employee risk, and there’s system risk.

Kim: You are a cyber expert — some decades now, is it? How many decades is it now?

Jerry: Yes, I’ve been focused on technology for over 20 years. When you think about cybercrime 10 years ago, it really wasn’t something that was in the headlines. But now, we can’t escape it. It’s certainly been making headlines around Australia, particularly over these last couple of years.

Kim: So tell us about the people risk.

Jerry: Obviously, there’s that unpredictability of people — we’re all guilty of making mistakes, and sometimes those mistakes can have dire consequences. When we talk about people risk, we’re referring to the weaknesses that stem from people’s actions, behaviours, or lack of awareness or training that could potentially expose the business.

Kim: So the sort of things you’re talking about are phishing and social-engineering attacks — where employees are tricked or deceived into clicking on an email or opening an attachment that deploys ransomware into the business.

Jerry: Exactly. These cyber criminals literally “fish” — they infiltrate, wait for months, and study communication styles and tones to understand how a business interacts. They work on human behaviour and psychology, using that knowledge to make their scams look real and authentic. What they’re trying to do is make something appear completely legitimate — but it’s actually a fake email or even a fake website. For example, they might use a Greek letter “a” instead of an English “a” in a web address — it looks identical, but it’s not.

Kim: That’s mind-blowing. I’ll be the first to admit I’m not particularly good at this — I think I’ll be reviewing my passwords after this conversation!

Jerry: You’re not alone. Passwords are another major quagmire for business. Weak passwords are a constant issue — people often reuse the same password across multiple applications. The same login they use for work might also be used for their personal banking.

Kim: So what’s the difference between, say, an average 8-character password and a 16-character one?

Jerry: It’s quite extraordinary. One of my IT colleagues tells me that if a password is only eight characters long, their team can hack it in about 20 seconds. But a password — or better yet, a passphrase — of 16 characters could take over 20 years to crack. That’s the kind of difference that length and complexity can make.

Kim: Wow — so, we’ve talked about people risk, which is one side of the equation. What’s the other?

Jerry: Another key element of risk for any business is system risk. This refers to the weaknesses or vulnerabilities within the IT systems of a business — whether that’s servers, software, or cloud infrastructure.

Kim: And you’ve said before that too often, business owners and operators fall into the trap of thinking, “It’s okay — my IT group has my back.”

Jerry: Exactly. And that’s not always good enough. Businesses can be laying themselves bare to vulnerability without realising it. It’s a big challenge for SMEs in particular, because they often have absolute faith in their IT provider or the cloud-based systems they use. The reality is, those systems — especially cloud-based ones — can and do get hacked. Having insured the technology sector for professional negligence for over 20 years, I’ve seen providers impose limitations or waivers of liability in their contracts to reduce their own exposure. That means, if one of their clients suffers a cyber attack, the IT provider might not be held responsible for the financial impact.

Kim: Would you say one type of risk is more dangerous than the other?

Jerry: That’s a great question. With the dramatic escalation in the amount of malicious software — viruses, Trojans, and so on — system risk is certainly severe. But people risk remains just as critical, because even the best systems can’t defend against human error. The truth is, businesses need to be mindful of both. Make sure your employees are well trained, that they act as an effective last line of defence, and that your systems are secure and your software is always up to date.

Kim: Absolutely — some great advice there, Jerry. And we’re going to build on that in our next part of the series. Thank you again for joining us for Part 3 of the Cyber Risk Series, brought to you by MGA Insurance Group. In our next part, we’ll be looking at how you can protect yourself and your organisation — so it’s not all doom and gloom. We’ve got some great advice coming your way, so thank you again for joining us.

Cyber Risk Series – Part 4 Transcript
Brought to you by MGA Insurance Group

Kim: Hello again, and welcome back to our Cyber Risk Series, brought to you by MGA Insurance Group. I’m once again joined by cybersecurity expert Jerry Power. Jerry, we’ve talked about the various types of risk, and we’ve talked about some of the businesses that are most at risk in Australia. But how can organisations better protect themselves against cyber fraud and cyber attacks?

Jerry: According to cyber insurance claims managers, there are a number of things that small businesses can do to improve their security posture and reduce the potential for a cyber attack. We’re talking about things like backups — daily backups are critically important, and they substantially reduce the cost of a cyber attack. You’ve got securing data and systems, so update your systems on a regular basis to deal with any known vulnerabilities or weaknesses within systems. Then there’s using multi-factor authentication (MFA or 2MFA) — that can be the difference between having a cyber attack and not having one. Replacing passwords with passphrases or password managers is also key — it’s a more efficient and protected way of storing passwords. Finally, educating your staff — I can’t emphasise this enough. Employees are your last line of defence, so make them an effective one. Train them to spot phishing emails and social engineering attacks — that’s how you protect your business.

Kim: Because I guess when you’re looking at those layers of protection, it’s the unpredictability of people that can be the biggest hurdle.

Jerry: Very much so — and that speaks directly to the human risk. As a business owner, you need to have your employees and your systems defending the business 24 hours a day, 7 days a week, 365 days of the year. A cybercriminal only needs to get lucky once to get into your system.

Kim: How can organisations best protect their bottom line then?

Jerry: Well, we’ve talked about the different types of people risk and system risk — and a combination of both definitely helps the organisation. Having an incident response plan, which is like a playbook outlining how to deal with an attack, is also crucial. If all the controls of the business fail, there should be a cyber insurance policy there to protect the business.

Kim: So, if you had one piece of advice today for small business operators watching this, what would it be?

Jerry: The area for small business that I’m most concerned about is the social engineering risk and the payment of fake invoices. If a business is paying an invoice — validate the invoice. Ring a person within the business from a known contact and a known telephone number. Don’t use the phone number in the email — that could be a fake email that connects you directly to the threat actors or criminals.

Kim: Fantastic advice, Jerry. Thanks so much for once again joining us for our Cyber Risk Series. We’ll be wrapping up the series with our next and final Part 5, which will look at cyber insurance — and why it’s so important in helping you better protect your business. This series is proudly brought to you by MGA Insurance Group. Thank you once again for joining us.

Cyber Risk Series – Part 5 Transcript
Brought to you by MGA Insurance Group

Kim: Hello everybody, and welcome to the final part in our Cyber Risk Series, brought to you by MGA Insurance Group. Today, we’re going to discuss cyber insurance with expert Jerry Power.

Jerry: Thanks, Kim. Over the past four parts of this series, we’ve talked about what cyber risk is and how we can protect ourselves — but can we actually use cyber insurance as that added layer of protection? Yes — a cyber insurance policy provides a mechanism for small and medium-sized enterprises (SMEs) to deal with the significant costs associated with a cyber attack. It’s a costly business, and there are a lot of hidden costs involved — not just the obvious ransom or financial demand that an organisation might be facing. When you think about the life cycle of a cyber attack, every second counts. A cyber insurance policy is designed to deal with multiple elements of an incident. For example, in a ransomware event, the payment or extortion demand is only the first part of the issue. There will be a demand, typically in cryptocurrency, but after that, you need to extract the malware, rebuild the systems, and comply with regulations like Australia’s Notifiable Data Breaches Scheme. This requires notifying individuals whose personal information has been compromised, reporting to regulators, and responding to investigations — all of which are costly to manage.

Kim: That’s a lot to handle — and those costs must add up quickly.

Jerry: Absolutely. Beyond the technical recovery, you’ve got communication costs, regulatory notifications, and the risk of reputational damage. When you say every second counts, that’s no exaggeration. If a cyber attack is exposed, the business faces enormous costs — including the loss of clients, income, and the additional expense of managing operations during recovery.

Kim: Can insurance actually cover those types of losses?

Jerry: Yes, it can. Cyber insurance can cover loss of business income, increased operating costs, and even situations where people are scammed into paying falsified invoices — which is unfortunately very common. In fact, social engineering and invoice fraud are among the top three attacks occurring in Australia right now. This type of scam involves an individual being tricked into paying a fake invoice, and it’s becoming a huge issue. That’s why educating employees to recognise what a fake email or invoice looks like is critically important. If a payment is made to a fraudulent account, the transaction may circulate between financial institutions for one to three days. If employees act quickly and notify management, there’s a much better chance of recovering the money.

Kim: So, it’s fair to say that businesses — big and small — really can’t afford not to look at insurance when it comes to cyber security and cyber crime?

Jerry: Exactly. The number and severity of ransomware attacks have increased dramatically, and claims have risen by 85–95% in just the last three years. If a business doesn’t have the cash flow to manage the costs of a cyber attack, it could run out of money, which in turn could lead to the company failing — and potentially directors being personally liable for those losses. So yes, every second counts — and I can’t emphasise that enough.

Kim: Jerry, thank you so much for joining us for the Cyber Risk Series, brought to you by MGA Insurance Group. This has definitely been food for thought — extraordinary, terrifying, and equally fascinating. I’d like to think none of you will ever need to rely on this information, but sadly, this is the world we live in today. Thank you, everyone, for joining us — and we’ll see you next time.