Australian businesses lost over $84 million to cybercrime in the 2022–23 financial year, according to the Australian Cyber Security Centre. The average cost of a cybercrime report from a small business was $46,000 — and that figure doesn't capture the full picture of downtime, reputational damage, and regulatory penalties that follow a serious incident.
Cyber insurance has moved from a nice-to-have to a genuine risk management tool for any business that stores customer data, relies on digital systems, or operates in a regulated industry. This guide explains what it covers, what it doesn't, and what you need to have in place before you can get a policy worth buying.
What Is Cyber Insurance?
Cyber insurance — also called cyber liability insurance — is a policy designed to protect businesses from the financial consequences of cyberattacks, data breaches, and IT system failures. Unlike general business insurance or professional indemnity, cyber insurance is specifically written to cover losses that arise from digital threats.
Most policies combine two types of coverage:
- First-party coverage — losses your business suffers directly, such as the cost of restoring systems, business interruption losses during an outage, ransom payments, and forensic investigation fees
- Third-party coverage — claims made against your business by clients, partners, or regulators as a result of a breach that compromises their data
What Does Cyber Insurance Typically Cover?
| Coverage Area | What's Included |
|---|---|
| Data breach response | Forensic investigation, legal advice, notification of affected individuals, credit monitoring for impacted customers |
| Business interruption | Revenue lost while your systems are offline, including the cost of temporary workarounds |
| Ransomware & extortion | Ransom negotiation support, payment costs (where legal), and system restoration expenses |
| Cyber fraud & funds transfer fraud | Losses from business email compromise (BEC) and fraudulent payment redirection |
| Regulatory penalties | Fines and defence costs arising from Privacy Act breaches or Notifiable Data Breach (NDB) scheme obligations |
| Crisis management & PR | Public relations support to manage reputational damage following a public incident |
| Third-party liability | Legal costs and compensation if a client sues you because their data was compromised in your systems |
What Cyber Insurance Does NOT Cover
Understanding the exclusions is just as important as understanding the coverage. Common exclusions include:
- Pre-existing incidents — breaches that occurred before the policy inception date
- Unencrypted data — many policies exclude losses where sensitive data was stored without encryption
- Known vulnerabilities — if you had an unpatched vulnerability your IT team was aware of, coverage can be denied
- Fraudulent or dishonest acts — insider theft by employees is typically excluded unless you add a crime endorsement
- Bodily injury or property damage — covered by other policy classes, not cyber
- War and nation-state attacks — an increasingly contested exclusion; some insurers have tightened their wording following major state-sponsored attacks
Important: The Notifiable Data Breach (NDB) scheme under the Australian Privacy Act requires businesses with annual turnover over $3 million — and all health service providers — to notify the OAIC and affected individuals of eligible data breaches. Cyber insurance typically covers the cost of meeting these obligations, including legal advice and notification logistics.
How Much Does Cyber Insurance Cost in Australia?
Australian cyber insurance premiums have risen sharply since 2021, driven by the global surge in ransomware claims. That said, a genuine, well-structured policy for a small business is still accessible at a reasonable cost.
| Business Size | Typical Annual Premium | Notes |
|---|---|---|
| Micro (<5 staff, low data risk) | $1,500–$3,000 | Basic first-party coverage, lower limits |
| Small (5–20 staff) | $3,000–$8,000 | Broader coverage, $1M–$5M limits |
| Medium (20–100 staff) | $8,000–$25,000+ | Full first- and third-party coverage, higher limits, possible sublimit structures |
Premiums are heavily influenced by your industry (healthcare and finance are higher risk), revenue, the volume of personal data you hold, and — critically — your existing security controls. Businesses with mature security practices typically pay significantly less than those without documented controls.
What Security Controls Will Insurers Ask About?
This is where many businesses get caught out. Cyber insurers now require documented evidence of security controls before they will offer competitive terms. The controls asked about most frequently include:
- Multi-factor authentication (MFA) — on email, VPN, remote access, and administrative accounts. This is now a near-universal requirement. Without it, you may be declined or charged a loading.
- Endpoint detection & response (EDR) — a modern endpoint security solution that goes beyond basic antivirus
- Privileged access management — controls on who can access administrative accounts and critical systems
- Tested backups — documented evidence that backups exist, are isolated from production systems, and have been successfully restored
- Patch management — a formal process for deploying critical patches within a defined timeframe
- Incident response plan — a documented plan for how your business responds to a cyber incident
- Staff security awareness training — evidence that employees have received phishing awareness training
If you can't answer yes to most of these, you're likely to receive either a declined application or a policy with so many exclusions it provides limited real-world protection.
Does Your Business Need Cyber Insurance?
The short answer for most Australian SMBs is yes — but the more important question is whether you have the security foundations in place to make that insurance meaningful.
You should prioritise cyber insurance if:
- You store personal information about clients, employees, or patients
- Your business relies on digital systems to operate — email, cloud applications, online transactions
- A ransomware attack or data breach would cause you to lose clients or face regulatory scrutiny
- You process payments or hold financial data
- You operate in a regulated sector: healthcare, legal, financial services, education
A practical note: Insurance does not replace security controls — it complements them. A policy that pays out after a ransomware attack is far less valuable than the combination of good security practices that prevent the attack from succeeding in the first place. Treat cyber insurance as the last line of financial defence, not the first.
How to Choose a Cyber Insurance Policy
1. Work with a specialist broker
Cyber insurance is a specialist product. A general business insurance broker may not understand the nuances of coverage triggers, sublimits, or exclusion language. Look for brokers with specific cyber experience and ask for the policy wording — not just a summary — before committing.
2. Check the ransomware coverage carefully
Some policies now exclude ransomware entirely or apply separate, lower sublimits. Given that ransomware is the most common costly cyber incident for Australian SMBs, a policy without meaningful ransomware coverage is a significant gap.
3. Understand the claims process
When you suffer a cyber incident, you may be under enormous time pressure. Ask your insurer who you call at 2am, how quickly forensic and legal support is deployed, and whether they have pre-approved incident response vendors or whether you have to negotiate your own.
4. Confirm business interruption coverage
Business interruption (BI) is often the largest component of a cyber claim. Understand the waiting period before BI payments begin, the daily limits, and whether the coverage is based on gross profit or revenue.
Want to understand your current cyber risk exposure before approaching insurers? We offer a free IT security assessment that documents your existing controls and identifies the gaps most likely to affect your insurability.
Getting Your Security in Order First
If you're planning to purchase cyber insurance, the most valuable thing you can do first is implement the controls insurers require. This serves two purposes: it genuinely reduces your risk, and it makes you a more attractive risk to underwriters — which translates directly into better terms and lower premiums.
The ACSC Essential Eight framework is a useful starting point. It covers the controls most likely to prevent or contain a cyber incident — including application control, patching, MFA, and backup management. Most cyber insurers are familiar with the Essential Eight and will look favourably on businesses that can demonstrate meaningful progress against it.
The Bottom Line
Cyber insurance is a genuine and necessary part of the risk management toolkit for Australian businesses that rely on digital systems. But it is not a substitute for security controls — and a policy purchased without the underlying security foundations will either have its claims declined or deliver far less than expected.
Get the security basics right, document your controls, and then approach the insurance market. In that order.