How to Compare Australian Cyber Insurance Policies

Australian businesses face NDB scheme obligations and APRA compliance requirements. Here's how to compare cyber insurance policies and ensure you're covered under Australia's regulatory framework.

Comparing Cyber Insurance in the Australian Market

The Australian cyber insurance market is shaped by the Notifiable Data Breaches (NDB) scheme under the Privacy Act, APRA prudential standards for regulated entities, and the Australian Cyber Security Centre's Essential Eight framework. Two policies at the same price can have vastly different protections depending on NDB compliance support, APRA coverage, and alignment with industry best practice.

Australia also distinguishes between domestic carriers (regulated by APRA) and international carriers (often Lloyd's). If you're comparing policies yourself, understanding these distinctions and Australia-specific risk factors is essential.

Australian-Specific Comparison Factors

These coverage areas are particularly important in the Australian market:

  • NDB Scheme Compliance Coverage. What to compare: breach investigation, notification, credit monitoring, and Privacy Commissioner reporting. Why it matters in Australia: the Notifiable Data Breaches scheme requires notification to individuals if a breach is likely to result in serious harm. Costs include investigation, notification, and credit monitoring. Ensure your policy covers investigation, notification to all affected individuals, and Privacy Commissioner reporting if required.
  • APRA CPS 234 Coverage (If Regulated). What to compare: coverage for incident reporting to APRA, remediation, and regulatory defence. Why it matters in Australia: APRA Prudential Standard CPS 234 applies to banks, insurers, and superannuation funds. If you're APRA-regulated, your policy must cover incident reporting obligations, incident containment costs, and regulatory defence. Check whether your carrier understands APRA requirements.
  • Domestic vs International Carriers. What to compare: whether the insurer is APRA-regulated (domestic) or overseas (Lloyd's, international). Why it matters in Australia: domestic carriers are regulated by APRA and understand local requirements. Lloyd's policies are often broader but may require more claims management effort. Domestic carriers may be faster for claims; Lloyd's may provide better coverage for complex risks. Choose based on your risk profile.
  • ACSC Essential Eight Alignment. What to compare: premium discounts or coverage enhancements for Essential Eight implementation. Why it matters in Australia: the Australian Cyber Security Centre's Essential Eight mitigation strategies are industry best practice. Many insurers offer discounts (5–15%) for organisations demonstrating Essential Eight implementation. Check whether your policy offers discounts and whether compliance affects coverage scope.
  • Business Interruption Waiting Period (AUD). What to compare: how long after an incident before BI coverage begins, and the BI limit, expressed in Australian dollars. Why it matters in Australia: Australian policies typically express BI limits in AUD. A 72-hour waiting period can cost tens of thousands in lost revenue. Shorter waiting periods (6–12 hours) are more protective but cost more. Align the waiting period with your revenue and recovery time.
  • Ransomware & Extortion Coverage. What to compare: coverage for ransomware payments, extortion demands, and investigation costs. Why it matters in Australia: ransomware is a significant threat to Australian organisations. Check whether ransomware is covered without sub-limits or whether a sub-limit applies. Verify whether extortion demands (threats to publish data) are covered separately from encryption/system damage.
  • Incident Response Panel (Australian-Based). What to compare: quality and availability of Australian forensic and incident response firms. Why it matters in Australia: a strong Australian incident response panel is important for rapid, compliant response. Check whether the panel includes firms with NDB and APRA experience. A panel with 8+ Australian-based firms is preferable.
  • Regulatory Fine Coverage. What to compare: coverage for Privacy Act fines and APRA enforcement action costs. Why it matters in Australia: the Privacy Commissioner can seek civil penalties, and APRA can impose significant enforcement action on regulated entities. Check whether your policy covers Privacy Commissioner fines and whether it covers APRA enforcement defence if applicable.
  • Crisis Management & Reputational Coverage. What to compare: coverage for PR, media management, and reputational harm response in AUD. Why it matters in Australia: a breach affects customer trust and brand reputation. Crisis management coverage (PR consulting) helps minimise long-term damage. Check limits and whether this is included in your policy.
  • Data Residency & Jurisdictional Considerations. What to compare: whether the policy covers data stored or processed in Australia, and international data flow implications. Why it matters in Australia: some policies exclude international data centres or apply different terms to data held outside Australia. For organisations with international data flow, ensure your policy covers incidents regardless of where data is stored or processed.

Australian Market Tiers: Policy Comparison Framework

Australian cyber insurers offer tiered coverage in AUD. Here's a simplified comparison:

  • Basic: annual premium AUD 1,500–AUD 4,000; total limit AUD 300K–AUD 750K; regulatory fine coverage limited; BI waiting period 72 hours. Best for small businesses with low regulatory exposure.
  • Standard (Domestic): annual premium AUD 4,000–AUD 12,000; total limit AUD 750K–AUD 2M; regulatory fine coverage AUD 1M–AUD 2M; BI waiting period 24 hours. Best for mid-market businesses with moderate regulatory risk.
  • Comprehensive (Lloyd's): annual premium AUD 12,000–AUD 35,000+; total limit AUD 2M–AUD 5M+; regulatory fine coverage AUD 2M–AUD 5M+; BI waiting period 6–12 hours. Best for mid to large businesses, APRA-regulated entities, and organisations with high regulatory exposure.

Note: These are typical 2026 ranges for Australia. Premiums vary by industry, company size, data types, security controls, and claims history. Financial services and healthcare typically pay 1.5–2× these amounts.

Domestic vs Lloyd's: The Australian Carrier Landscape

The choice between domestic and Lloyd's policies depends on your risk profile:

  • Domestic (APRA-regulated) carriers: These insurers are regulated locally and understand the NDB scheme and Australian privacy law. They typically offer faster claims processing and are well-suited for straightforward risks. Best for small to mid-market businesses with simple risk profiles.
  • Lloyd's carriers: These are underwritten by syndicates at Lloyd's of London and often provide broader coverage designed for complex risks. Lloyd's policies are typically more expensive but offer greater flexibility and often better coverage for APRA-regulated entities. Best for mid-market and enterprise organisations with complex risks.

Australian Policy Comparison Checklist

  • Policy wording (full document, not marketing summary)
  • Schedule showing limits and sub-limits in AUD
  • NDB scheme coverage: investigation, notification, credit monitoring, all affected individuals
  • APRA CPS 234 coverage (if regulated by APRA)
  • Domestic vs international carrier (APRA-regulated or Lloyd's?)
  • ACSC Essential Eight discounts or coverage enhancements
  • Business interruption waiting period and AUD limit
  • Ransomware sub-limits and extortion demand coverage
  • Australian incident response panel details (how many firms?)
  • Regulatory fine coverage: Privacy Commissioner and APRA (if applicable)
  • Crisis management and reputational coverage in AUD
  • Data residency and international data flow implications
  • Claims procedures and notification requirements

Common Australian Cyber Insurance Mistakes

  • Assuming all NDB coverage is the same. Some policies limit notification to a subset of affected individuals. Ensure your policy covers notification to all affected individuals as required by the Privacy Act.
  • Not confirming APRA coverage if regulated. If you're APRA-regulated, you need explicit CPS 234 coverage. Some policies exclude APRA-regulated entities or provide limited coverage. Confirm in writing.
  • Choosing Lloyd's purely for prestige without comparing coverage. Lloyd's policies are often better, but a well-chosen domestic policy may be sufficient. Compare on coverage and claims support, not brand.
  • Not asking about Essential Eight discounts. Many insurers offer 5–15% discounts for Essential Eight implementation. Ask whether your policy provides discounts and whether you qualify.
  • Accepting a 72-hour BI waiting period without negotiation. A 72-hour waiting period can cost thousands in lost revenue. For high-turnover businesses, negotiate for 6–12 hours.
  • Not checking incident response panel expertise in NDB and APRA. A panel without NDB and APRA experience may not deliver compliant, effective response. Ensure the panel includes specialists in Australian privacy law and APRA requirements.
  • Overlooking data residency implications. For organisations with international data flow or cloud hosting, check whether your policy covers incidents regardless of where data is stored.

Step-by-Step Comparison Process for Australian Policies

Define Your Australian Risk Profile and Regulatory Status

Are you APRA-regulated (finance, insurance, superannuation)? What personal information do you handle? How many individuals would be affected by a breach? Have you implemented ACSC Essential Eight? Use this to set target coverage limits in AUD, especially for NDB notification, APRA compliance, and business interruption.

Decide: Domestic or Lloyd's?

If you're small with straightforward operations, a domestic carrier may suffice. If you're APRA-regulated or have complex risks, get Lloyd's quotes. Consider getting both so you can compare coverage and price.

Get Quotes from 3+ Australian-Focused Carriers

Work with a specialist Australian cyber insurance broker who has access to both domestic and Lloyd's markets. Request quotes from at least three carriers and ask the broker to present apples-to-apples comparisons on your key factors above.

Compare Using the Australian Checklist

For each policy, document NDB coverage scope, APRA alignment (if applicable), carrier type (domestic or Lloyd's), Essential Eight discounts, BI waiting period in AUD, ransomware sub-limits, incident response panel expertise, and regulatory fine coverage. Create a spreadsheet to see them side by side.

Negotiate Terms and Review Policy Wording

Ask whether the carrier will shorten BI waiting periods, increase Essential Eight discounts, or broaden NDB or APRA coverage. Once terms are agreed, read the full policy wording carefully. Pay attention to NDB coverage scope, APRA clause details (if applicable), data residency implications, and claims procedures. A broker will flag issues for you.

Not sure which Australian cyber insurance is right for you?

A specialist Australian cyber insurance broker understands the NDB scheme, APRA requirements, and the difference between domestic and Lloyd's policies. Get matched with one for free.
