Cyber Insurance for Australian Businesses: The 2021 Guide
Two years ago, cyber insurance was something most Australian SMBs vaguely knew about but rarely considered. Today, it’s quickly becoming as essential as public liability coverage. The cyber threat landscape has evolved dramatically, ransomware attacks have become commonplace, and the costs of a breach can be catastrophic for small businesses.
But the cyber insurance market is also evolving rapidly—premiums are rising, coverage terms are tightening, and insurers are asking more questions about your security posture. Understanding this landscape is crucial before you buy or renew a policy.
This guide covers what Australian SMBs need to know about cyber insurance in 2021: what policies actually cover, what they don’t, how to qualify for coverage, and how to make an informed purchasing decision.
Why Cyber Insurance Matters Now
The statistics paint a clear picture. According to the Australian Cyber Security Centre, reported cybercrime costs to Australian businesses exceeded $33 billion in the past year. Small businesses aren’t immune—they’re often targeted precisely because they have weaker defences than enterprises.
The Notifiable Data Breaches scheme, now in its third year, has made the consequences of breaches more visible. Businesses must notify affected individuals and the Office of the Australian Information Commissioner when significant breaches occur. This notification requirement alone creates substantial costs in legal advice, communication, and remediation.
Then there’s ransomware. What was once primarily an enterprise concern now hits businesses of all sizes. Attackers have realised that smaller businesses often pay because they lack the resources for extended recovery. Average ransomware demands in Australia now frequently exceed $50,000, and that’s before counting the business disruption costs.
The question isn’t whether your business faces cyber risk—it does. The question is how you’ll manage that risk.
What Cyber Insurance Actually Covers
Cyber insurance policies vary significantly between insurers, but they typically address two broad categories: first-party losses (direct costs to your business) and third-party liability (claims from others).
First-Party Coverage
Incident Response Costs: This covers the immediate costs when you discover a breach—forensic investigation to determine what happened, legal advice on notification requirements, and crisis communication support. These costs add up quickly; forensic investigations alone often exceed $20,000.
Business Interruption: If a cyber incident prevents you from operating, this covers lost income and additional expenses during the interruption period. For a retail business hit by ransomware during peak season, this coverage can be the difference between survival and closure.
Data Recovery: Covers the cost of restoring data from backups or, where necessary, recreating lost data. If ransomware encrypts your customer database and your backups fail, this coverage helps fund reconstruction.
Cyber Extortion (Ransomware): This is increasingly significant coverage. Policies may cover ransom payments (though this is controversial and some insurers are limiting this) and the costs of negotiation with attackers.
Notification and Monitoring: When you need to notify affected individuals about a breach, this covers the communication costs, credit monitoring services for affected people, and call centre support to handle inquiries.
Regulatory Defence: If you face investigation by the OAIC or other regulators following a breach, this covers legal defence costs and potentially fines and penalties (where insurable by law).
Third-Party Coverage
Privacy Liability: Covers claims from individuals whose personal information was compromised. If customers sue because their data was breached, this responds.
Network Security Liability: If your systems are compromised and used to attack others, this covers claims from those third parties. Imagine your email system being used in a phishing campaign against your customers—they may have claims against you.
Media Liability: Covers claims arising from your digital content—defamation, intellectual property infringement, or other content-related claims.
Professional Liability (Tech E&O): For technology businesses, this covers claims arising from technology services you provide to clients.
What Cyber Insurance Doesn’t Cover
Understanding exclusions is as important as understanding coverage:
War and State-Sponsored Attacks: Most policies exclude acts of war, which increasingly includes nation-state cyber attacks. The definition of “war” in a cyber context is evolving and contested.
Unpatched Vulnerabilities: Many policies exclude breaches resulting from failure to apply security patches within a reasonable timeframe. If you’re breached via a vulnerability that’s been patched for months, coverage may be denied.
Prior Known Events: Breaches that occurred before your policy began, or that you knew about when applying, are not covered.
Intentional Acts: If an employee or executive intentionally causes a breach, coverage typically won’t respond.
Bodily Injury and Property Damage: Physical consequences of cyber events are usually excluded from cyber policies (though they may be covered elsewhere).
Fines for Wilful Non-Compliance: While regulatory defence may be covered, fines for wilful or knowing violations of law typically aren’t.
Cryptocurrency and Digital Assets: Many policies explicitly exclude theft of cryptocurrency or losses to digital asset holdings.
How Insurers Assess Your Risk
When you apply for cyber insurance, insurers evaluate your risk profile. Understanding their criteria helps you both qualify for coverage and secure better terms.
Security Controls They Typically Ask About
Multi-Factor Authentication: Does MFA protect access to your systems, especially for remote access, email, and privileged accounts? This is increasingly a baseline requirement.
Backup Practices: Do you maintain regular backups? Are backups tested? Are they offline or otherwise protected from ransomware? Insurers want to see the 3-2-1 backup rule in practice.
Endpoint Protection: What antivirus/anti-malware do you run? Is it centrally managed and kept updated?
Email Security: Do you have email filtering in place? Are protocols like SPF, DKIM, and DMARC configured to prevent spoofing?
Patch Management: How quickly do you apply security patches? Many insurers specifically ask about patching timeframes.
Employee Training: Do you provide cybersecurity awareness training? How often?
Incident Response Planning: Do you have a documented incident response plan?
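As an added example (not part of this guide), here is a small self-check of the email-authentication controls in the list above: it rates a domain’s SPF and DMARC records the way an underwriter’s questionnaire would. It runs over constructed sample records rather than live DNS, and the domain names and mailbox addresses are placeholders.

```python
"""Rate SPF/DMARC records against the baseline insurers ask about (added example)."""

# Constructed sample TXT records standing in for DNS lookups. WEAK_DNS is a
# typical unhardened setup; STRONG_DNS meets the baseline. Names are placeholders.
WEAK_DNS = {
    "example.com.au": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.example.com.au": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com.au"],
}
STRONG_DNS = {
    "example.com.au": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example.com.au": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com.au"],
}

def spf_status(txt_records):
    """pass: '-all' hardfail; warn: '~all' softfail; fail: absent, duplicated or permissive."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # zero records, or more than one (RFC 7208 treats that as a permerror)
        return "fail"
    all_term = next((t for t in spf[0].split() if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:  # no 'all' mechanism (redirect= is not followed here): not enforced
        return "fail"
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    if qualifier == "-":
        return "pass"
    if qualifier == "~":
        return "warn"  # softfail: spoofed mail is still delivered, merely marked
    return "fail"      # '+all' or '?all': anyone may send as your domain

def dmarc_status(txt_records):
    """pass: p=reject at 100%; warn: quarantine or partial rollout; fail: p=none or absent."""
    rec = [r for r in txt_records if r.upper().startswith("V=DMARC1")]
    if not rec:
        return "fail"
    tags = {}
    for kv in rec[0].split(";"):
        if "=" in kv:
            key, val = kv.strip().split("=", 1)
            tags[key.strip().lower()] = val.strip().lower()
    policy = tags.get("p", "none")
    if policy == "reject" and tags.get("pct", "100") == "100":
        return "pass"
    if policy in ("reject", "quarantine"):
        return "warn"  # enforcing, but not yet at full strength
    return "fail"      # p=none only monitors; spoofed mail is not blocked

def assess_email_auth(domain, dns):
    """Return per-control ratings for a domain given a name -> list-of-TXT mapping."""
    return {
        "spf": spf_status(dns.get(domain, [])),
        "dmarc": dmarc_status(dns.get(f"_dmarc.{domain}", [])),
    }

if __name__ == "__main__":
    for label, dns in (("weak", WEAK_DNS), ("strong", STRONG_DNS)):
        print(label, assess_email_auth("example.com.au", dns))
```

Swap in real TXT lookups for the sample dictionaries and the output doubles as evidence of controls for the application questionnaire.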
Business Factors
Insurers also consider:
Industry: Healthcare, finance, and retail face higher premiums due to the sensitivity of data they handle and regulatory requirements.
Revenue Size: Larger businesses typically have more exposure and pay higher premiums.
Data Volume: How much personal information do you hold? More records mean more exposure.
Claims History: Previous cyber incidents affect your risk profile.
Geographic Operations: Operating in multiple jurisdictions increases compliance complexity.
The Application Process
Applying for cyber insurance has become more rigorous. Here’s what to expect:
Initial Questionnaire
You’ll complete a detailed questionnaire covering your business operations, IT environment, security controls, and claims history. These questionnaires have grown from a single page to 10+ pages as insurers have gotten more sophisticated.
Underwriting Review
For larger policies or higher-risk industries, underwriters may:
- Request additional documentation
- Ask follow-up questions about specific controls
- Require a call to discuss your security posture
- In some cases, require a security assessment or scan
Quotation and Terms
You’ll receive quotes that include:
- Premium (annual cost)
- Limit (maximum payout)
- Retention/deductible (what you pay before insurance responds)
- Sub-limits (reduced limits for specific coverage types)
- Conditions and exclusions
Binding Coverage
Once you accept and pay, coverage binds. You’ll receive your policy documents, which you should read carefully.
Choosing the Right Policy
With multiple insurers offering cyber coverage, how do you choose?
Coverage Breadth
Compare what’s actually covered. Some policies look cheap but have extensive exclusions or low sub-limits for critical coverage like ransomware or business interruption.
Limits and Retentions
Consider what an incident might actually cost you:
- Ransomware: $50,000-$500,000+ including business interruption
- Data breach: $100-$500 per record in notification and remediation costs
- Regulatory investigation: $50,000-$200,000+ in legal costs
A policy with a $100,000 limit might seem adequate until you need it. For most Australian SMBs, $1 million minimum coverage makes sense, with higher limits for larger businesses or those handling sensitive data.
Retentions (deductibles) also matter. A $25,000 retention means you pay the first $25,000 of any claim. Lower retentions mean higher premiums.
Insurer Expertise and Support
Cyber insurance is specialised. Look for insurers with:
- Dedicated cyber claims teams
- Panel of approved incident response vendors
- 24/7 breach response hotlines
- Experience with Australian regulatory requirements
Some insurers provide additional services like security assessments, employee training resources, and incident response planning templates.
Premium Cost
For Australian SMBs, cyber insurance premiums typically range from:
- Small businesses (under $1M revenue): $1,000-$3,000/year for $1M coverage
- Medium businesses ($1M-$10M revenue): $3,000-$10,000/year for $1M-$5M coverage
- Larger SMBs: Variable based on risk profile
Premiums have increased 20-50% over the past year as insurers respond to rising claims. This trend is likely to continue.
Preparing Your Business for Cyber Insurance
Before applying, strengthen your security posture—both to qualify for coverage and to secure better terms:
Minimum Requirements (Increasingly Non-Negotiable)
- Enable MFA on email, remote access, and admin accounts
- Implement reliable backups, tested regularly, with at least one offline or immutable copy
- Deploy endpoint protection that’s centrally managed
- Configure basic email security, including spam filtering and SPF/DKIM/DMARC
Factors That Improve Your Terms
- Security awareness training for employees
- Written information security policies
- Incident response plan
- Regular vulnerability assessments or penetration testing
- Compliance certifications (ISO 27001, SOC 2)
Documentation
Be prepared to provide:
- IT infrastructure overview
- Security policies and procedures
- Evidence of controls (MFA configuration, backup reports, etc.)
- Details of previous incidents (if any)
Working With Brokers
For most SMBs, working with an insurance broker who specialises in cyber coverage is worthwhile:
Market Access: Brokers have relationships with multiple insurers and can compare options you might not access directly.
Application Support: They help you complete applications accurately and present your risk in the best light.
Coverage Advice: They can explain policy terms and help you understand what you’re buying.
Claims Support: When you need to make a claim, your broker advocates for you.
Look for brokers with specific cyber insurance expertise—this is a specialised area, and generalist brokers may miss important nuances.
When You Need to Make a Claim
Understand the claims process before you need it:
Immediate Steps
When you discover an incident:
- Contact your insurer’s breach response hotline immediately
- Document everything—don’t make changes that could affect forensic investigation
- Follow your incident response plan
- Work with insurer-approved vendors where possible (this is often a policy requirement)
What to Expect
- Initial triage call with insurer’s incident response team
- Assignment of approved vendors (forensics, legal, PR as needed)
- Regular communication on progress and costs
- Documentation requirements for claims
Claim Timelines
- Simple claims: Weeks to months
- Complex claims involving litigation: Months to years
- Business interruption: Requires detailed documentation of losses
The Future of Cyber Insurance
The market is evolving rapidly:
Tightening Requirements: Expect more stringent security requirements for coverage. MFA is becoming mandatory; other controls will follow.
Premium Increases: Claims costs are rising faster than premiums, so expect continued increases.
Coverage Changes: Some insurers are limiting ransomware coverage or adding co-insurance requirements.
Greater Scrutiny: More rigorous underwriting and potential for coverage disputes if security representations prove inaccurate.
For Australian SMBs, this means investing in security not just because it’s the right thing to do, but because it’s increasingly required to maintain affordable cyber insurance.
Key Takeaways
Cyber insurance is an important part of managing cyber risk, but it’s not a substitute for security:
- Insurance is part of your risk strategy, not all of it. Invest in security controls first; insurance covers residual risk.
- Read your policy carefully. Understand what’s covered, what’s excluded, and what conditions you must meet.
- Be truthful in applications. Misrepresenting your security posture can void coverage when you need it most.
- Implement required controls. MFA, backups, and basic security aren’t optional anymore.
- Work with specialists. Use brokers and insurers who understand cyber risk.
- Review annually. Your risk profile changes; your coverage should too.
The businesses that will fare best are those that view cyber insurance as one component of a comprehensive approach to cyber risk—investing in prevention, preparing for response, and transferring appropriate risk through insurance.
Considering cyber insurance for your Australian business? We help SMBs strengthen their security posture to qualify for better coverage terms. Contact us to discuss your requirements.