
Cyber Insurance Guide for Australian Small Business

By Ash Ganda | 27 July 2022 | 7 min read

Cyber insurance has gone from a niche product to an essential consideration for Australian businesses of all sizes. With the ACSC reporting a cyber crime every eight minutes in Australia, and ransomware attacks increasingly targeting small businesses, the question is no longer whether you need cyber insurance but what coverage is right for your business.

This guide breaks down cyber insurance for Australian SMBs: what it covers, what it costs, how to qualify, and how to make an informed purchasing decision.

What Cyber Insurance Covers

Cyber insurance policies vary significantly between insurers, but most cover two broad categories.

First-Party Coverage (Your Own Losses)

Business interruption: Lost revenue while your systems are down due to a cyber incident. This covers the income you would have earned during the downtime period, subject to a waiting period (typically 8 to 12 hours) and maximum indemnity period (typically 60 to 120 days).

Data recovery and restoration: The cost of recovering, restoring, or recreating data that has been damaged, deleted, or encrypted by an attacker. This includes the cost of IT specialists, forensic investigators, and any third-party data recovery services.

Cyber extortion/ransomware: The cost of responding to a ransomware demand, including negotiation specialists, and in some cases, the ransom payment itself (though paying ransoms is increasingly discouraged and some policies are limiting this coverage).

Incident response costs: The cost of hiring incident response specialists, forensic investigators, legal advisors, and crisis communication consultants after a cyber event.

Notification costs: Under the Notifiable Data Breaches (NDB) scheme, you may be required to notify the OAIC and affected individuals. Cyber insurance covers the cost of notifications, credit monitoring services, and the administrative overhead of managing the notification process.

Regulatory investigation costs: If the OAIC investigates your business following a breach, cyber insurance can cover legal fees and costs associated with responding to the investigation.

Third-Party Coverage (Claims Against You)

Privacy liability: Claims from individuals whose personal information was compromised in a breach. This includes legal defence costs and any settlements or judgments.

Network security liability: Claims from third parties who suffer losses because your network was compromised and used to attack them (for example, if your compromised email is used to send malware to your clients).

Media liability: Claims arising from content published electronically, such as defamation, copyright infringement, or invasion of privacy. Not always included in standard policies.

What Is Typically NOT Covered

  • Prior known incidents: Events you were aware of before the policy start date
  • Unencrypted portable devices: Some policies exclude losses from unencrypted laptops, USB drives, or phones
  • Social engineering/CEO fraud: Some policies exclude or separately sub-limit losses from social engineering attacks (where an employee is tricked into transferring funds). Check this carefully.
  • Infrastructure failure: Power outages, internet provider outages, or hardware failures unrelated to a cyber attack
  • War and terrorism: State-sponsored attacks may be excluded under war exclusion clauses
  • Intentional acts: Losses resulting from deliberate actions by the insured

What Cyber Insurance Costs in Australia

Cyber insurance premiums have increased significantly over the past two years, driven by the rise in ransomware claims. However, for small businesses, coverage is still accessible.

Indicative premiums for Australian SMBs (2022):

Annual Revenue        Coverage Limit   Estimated Annual Premium
Under $1 million      $250,000         $800 to $2,000
$1 to $5 million      $500,000         $1,500 to $4,000
$5 to $10 million     $1 million       $3,000 to $8,000
$10 to $20 million    $2 million       $5,000 to $15,000

These are indicative ranges. Actual premiums depend on your industry, security posture, claims history, and the specific insurer.

Industries that pay more:

  • Healthcare (due to the sensitivity of health data)
  • Financial services
  • Professional services (legal, accounting)
  • Retail and e-commerce (payment card data)

Factors that reduce premiums:

  • Strong security controls (MFA, endpoint protection, backups, patching)
  • Employee security awareness training
  • Incident response plan in place
  • No prior cyber claims
  • Regular security assessments or penetration testing

How Insurers Assess Your Risk

When you apply for cyber insurance, the insurer will assess your risk through an application form and, for larger policies, a more detailed questionnaire or assessment.

Common questions on cyber insurance applications:

  1. Does your business use multi-factor authentication for email and remote access?
  2. Do you have endpoint protection (antivirus/EDR) on all devices?
  3. Do you regularly back up business data? Are backups tested?
  4. Do you have a patch management process?
  5. Do you encrypt portable devices and sensitive data?
  6. Do you provide security awareness training to employees?
  7. Do you have an incident response plan?
  8. Have you experienced a cyber incident in the past five years?
  9. Do you process or store payment card data?
  10. Do you handle health information or other sensitive data?

The MFA question is critical. Many Australian insurers now require MFA as a prerequisite for coverage. If you do not have MFA enabled on email and remote access, you may be declined coverage or face significantly higher premiums.

Choosing the Right Policy

Coverage Amount

How much coverage do you need? Consider:

  • Revenue lost during downtime: How much does your business earn per day? Multiply by the number of days it could take to recover from a serious incident (7 to 30 days for many SMBs).
  • Data recovery costs: Forensic investigation and data recovery typically cost $10,000 to $50,000 for SMBs.
  • Notification costs: If you hold personal information for thousands of customers, notification costs can be substantial.
  • Legal and regulatory costs: Legal representation for an OAIC investigation can cost $20,000 to $100,000 or more.

For a typical Australian SMB with 10 to 50 employees, $500,000 to $1 million in coverage provides a reasonable safety net.

Excess/Deductible

Most cyber insurance policies have an excess (deductible) that you pay before the insurer covers costs. For SMBs, this is typically $2,500 to $10,000. Higher excess means lower premiums but more out-of-pocket cost when you claim.

Waiting Period

Business interruption coverage typically has a waiting period (8 to 24 hours) before coverage begins. During this period, you bear the cost of lost revenue. Shorter waiting periods cost more.

Retroactive Date

Some policies cover incidents that occurred before the policy start date but were not discovered until later. The retroactive date defines how far back this coverage extends. Unlimited retroactive dates are ideal.

Sub-limits

Check for sub-limits on specific coverage types. A policy may have $1 million in total coverage but only $100,000 for ransomware payments or $50,000 for social engineering losses. Ensure sub-limits are adequate for your specific risks.
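The coverage-amount factors listed under "Coverage Amount" and the sub-limit check above can be worked through as a small worksheet. The Python below is an added example, not code from the original article or from any insurer: it estimates first-party exposure per loss category (deducting the business interruption waiting period), then compares each category against a policy's aggregate limit, sub-limits and excess to show what would still be out of pocket. The business figures (a hypothetical 20-person firm earning $4,000 a day) and the two policy shapes are constructed for illustration and are not underwriting data.

```python
"""Coverage-sizing worksheet for an SMB cyber policy (added example).

Amounts are in AUD. The loss categories mirror the guide's list: revenue lost
during downtime, data recovery, notification, and legal/regulatory costs.
"""
from dataclasses import dataclass


@dataclass
class LossEstimate:
    """Worst-case first-party exposure for one serious incident."""
    daily_revenue: float      # average revenue the business earns per day
    recovery_days: float      # days needed to recover from a serious incident
    waiting_hours: float      # policy waiting period before BI cover starts
    data_recovery: float      # forensic investigation + data restoration
    notification: float       # NDB notifications and credit monitoring
    legal_regulatory: float   # legal representation for an OAIC investigation


def business_interruption(est: LossEstimate) -> float:
    """Lost revenue the policy would respond to: downtime minus the waiting period."""
    covered_days = max(0.0, est.recovery_days - est.waiting_hours / 24)
    return est.daily_revenue * covered_days


def exposures(est: LossEstimate) -> dict:
    """Exposure broken out by category so sub-limits can be applied per category."""
    return {
        "business_interruption": business_interruption(est),
        "data_recovery": est.data_recovery,
        "notification": est.notification,
        "legal_regulatory": est.legal_regulatory,
    }


def total_exposure(est: LossEstimate) -> float:
    return sum(exposures(est).values())


def coverage_gaps(est: LossEstimate, policy_limit: float, sub_limits: dict) -> dict:
    """Categories whose exposure exceeds their sub-limit, with the shortfall.

    A category without an explicit sub-limit is capped only by the aggregate limit.
    """
    gaps = {}
    for name, amount in exposures(est).items():
        cap = min(sub_limits.get(name, policy_limit), policy_limit)
        if amount > cap:
            gaps[name] = amount - cap
    return gaps


def out_of_pocket(est: LossEstimate, policy_limit: float, sub_limits: dict, excess: float) -> float:
    """What the business itself would pay: the excess, every sub-limit shortfall,
    and anything above the aggregate policy limit."""
    recoverable = 0.0
    shortfall = 0.0
    for name, amount in exposures(est).items():
        cap = min(sub_limits.get(name, policy_limit), policy_limit)
        paid = min(amount, cap)
        recoverable += paid
        shortfall += amount - paid
    over_aggregate = max(0.0, recoverable - policy_limit)
    # The excess is paid first; if the whole loss is below the excess, that is all you pay.
    return min(total_exposure(est), excess) + shortfall + over_aggregate


# Constructed inputs: a hypothetical 20-person business, 14 days to recover,
# 12-hour waiting period, and cost figures inside the guide's indicative ranges.
EXAMPLE = LossEstimate(
    daily_revenue=4_000, recovery_days=14, waiting_hours=12,
    data_recovery=30_000, notification=15_000, legal_regulatory=40_000,
)
# A policy with a $250,000 aggregate limit but tight sub-limits (constructed).
TIGHT_SUB_LIMITS = {"business_interruption": 50_000, "legal_regulatory": 25_000}

if __name__ == "__main__":
    print(f"Estimated exposure: ${total_exposure(EXAMPLE):,.0f}")
    print("Policy A ($500k, no sub-limits, $5,000 excess): out of pocket "
          f"${out_of_pocket(EXAMPLE, 500_000, {}, 5_000):,.0f}")
    print("Policy B ($250k, tight sub-limits, $2,500 excess): out of pocket "
          f"${out_of_pocket(EXAMPLE, 250_000, TIGHT_SUB_LIMITS, 2_500):,.0f}")
    print("Policy B gaps:", coverage_gaps(EXAMPLE, 250_000, TIGHT_SUB_LIMITS))
```

The point the worksheet makes is the one the sub-limits paragraph warns about: Policy B has the cheaper excess and a headline limit well above the estimated loss, yet its business interruption and legal sub-limits leave roughly four times more uncovered than Policy A. Swap in your own daily revenue, recovery estimate and the figures from a real quote to compare offers on what they would actually pay.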

Australian Cyber Insurance Providers

Several insurers offer cyber insurance to Australian SMBs:

Emergence Insurance: Australian-based, specialises in cyber insurance for SMBs. Offers quick online quotes for smaller businesses.

Chubb: Global insurer with a strong cyber product for Australian businesses. Good for larger SMBs and mid-market.

AIG (now Berkshire Hathaway Specialty Insurance in Australia for some products): Established cyber insurance provider with comprehensive coverage.

CGU/IAG: Offers cyber insurance as part of broader business insurance packages. Good for businesses wanting to bundle policies.

Dual Australia: Underwriting agency offering cyber products through brokers.

Recommendation: Work with an insurance broker who specialises in cyber insurance. The market is complex, and a broker can compare products, negotiate terms, and ensure you are not overpaying or underinsured.

How to Qualify for Better Rates

Improving your security posture not only protects your business but also reduces your insurance costs. The following controls have the most impact on premiums:

Multi-factor authentication: Enable MFA on all email accounts, VPN access, and cloud services. This is the single most impactful control for both security and insurance.

Endpoint detection and response (EDR): Deploy an EDR solution on all workstations and servers. Products like Microsoft Defender for Endpoint (included with Microsoft 365 Business Premium), CrowdStrike, or SentinelOne are well-regarded.

Backup strategy: Implement the 3-2-1 backup rule (three copies of data, on two different media, with one copy offsite). Critically, at least one backup should be air-gapped or immutable (cannot be modified or deleted by ransomware).

Patch management: Demonstrate a regular patching process for operating systems and applications.

Security awareness training: Regular training for all staff on phishing, social engineering, and security best practices.

Incident response plan: A documented plan that outlines how your business will respond to a cyber incident.

Making a Claim

If you experience a cyber incident:

  1. Contact your insurer immediately. Most policies have a 24/7 incident hotline. Early notification is critical and may be a policy requirement.
  2. Follow your incident response plan. If you have one, follow it. If not, your insurer will likely provide access to incident response specialists.
  3. Preserve evidence. Do not wipe or rebuild systems before forensic investigation. Document everything.
  4. Comply with notification obligations. If the incident involves personal information, assess whether it is a notifiable data breach under the NDB scheme.
  5. Keep records of all costs. Every expense related to the incident (IT specialists, legal advice, communication costs, lost revenue) should be documented for your claim.

Cyber Insurance Is Not a Substitute for Security

A common misconception is that cyber insurance replaces the need for good security practices. It does not.

Cyber insurance is a financial safety net for when (not if) an incident occurs despite your security measures. Without strong security controls:

  • You may not qualify for coverage
  • Your premiums will be significantly higher
  • You may face claim disputes if the insurer determines you did not take reasonable precautions
  • The impact of an incident will be far worse, potentially exceeding your coverage

Think of cyber insurance like car insurance. You still need to drive carefully, maintain your vehicle, and follow the road rules. Insurance covers the unexpected despite your best efforts.

Action Steps

  1. Assess your current security posture against the insurer questions listed above. Address any gaps, starting with MFA.
  2. Contact an insurance broker who specialises in cyber insurance. Request quotes from at least three insurers.
  3. Review the policy wording carefully. Pay attention to exclusions, sub-limits, and conditions.
  4. Budget appropriately. For most Australian SMBs, $1,500 to $4,000 per year is a reasonable budget for adequate cyber insurance.
  5. Review annually. Your business changes, the threat landscape changes, and the insurance market changes. Review your coverage each year at renewal.

Cyber insurance is a critical component of a comprehensive risk management strategy for Australian businesses. Combined with strong security controls, it provides the financial resilience to recover from a cyber incident without devastating your business.
