Australian cyber insurance coverage overview
Australian cyber insurance covers financial losses from cyber incidents under a regulatory framework centred on the Privacy Act's Notifiable Data Breaches (NDB) scheme, APRA CPS 234 guidance for regulated entities, the Essential Eight maturity model, and the Australian Privacy Principles. Coverage splits into first-party (your direct costs) and third-party liability (claims from others), with strong emphasis on NDB notification, regulatory cooperation with the Office of the Australian Information Commissioner (OAIC), and supply chain resilience.
First-party coverage: your direct costs
First-party coverage reimburses your organisation's immediate incident response and recovery expenses.
- Incident response and forensic investigation: Professional investigation to determine whether personal data has been compromised, breach containment, emergency support, and root cause analysis. Typically covered up to AUD$80K–$350K depending on policy size.
- Data recovery and system restoration: Costs to restore systems from backups, recover lost data, rebuild infrastructure, and return to normal operations.
- Business interruption losses: Compensation for lost revenue while systems are down and operations cannot continue. Includes emergency overtime and expedited recovery. Sub-limits typically range from AUD$200K to $2M+.
- Notifiable Data Breaches notification costs: Costs of notifying affected individuals under the Privacy Act's NDB scheme when a data breach is likely to result in serious harm. This includes letters, emails, phone calls, and credit monitoring. Usually sub-limited to AUD$100K–$400K.
- Credit monitoring and identity protection services: Providing affected individuals with credit monitoring, fraud resolution services, and identity theft protection as expected practice following a serious data breach.
- OAIC investigation and regulatory defence: Legal fees to respond to investigations and requests from the Office of the Australian Information Commissioner, including preparation of compliance responses and data handling documentation.
- Public relations and reputation management: Professional services for media response, customer communications, and reputation recovery following a high-profile breach.
- Ransomware and extortion costs: Coverage for incident response, recovery, and business interruption from ransomware attacks. Ransom payments are often excluded or strictly limited due to government guidance.
- Notification to Australian Credit Reporting Bodies: Costs of notifying credit reporting agencies and managing credit default listings following identity theft or financial fraud resulting from the breach.
Third-party coverage: claims from others
Third-party liability protection applies when other parties hold your organisation liable for losses caused by your cyber incident or security failure.
- Legal defence costs: Attorney fees to defend civil claims from affected individuals, customers, or partners alleging losses from your breach or security failure.
- Compensation and settlements: Court-ordered or negotiated compensation payments to settle claims from affected parties.
- Regulatory response costs: Limited coverage for costs associated with OAIC investigations and enforcement actions. Government-imposed fines are typically excluded, but investigation and defence costs are covered.
- Privacy liability claims: Claims alleging your organisation violated the Privacy Act, the Notifiable Data Breaches scheme, Australian Privacy Principles, or mishandled personal data.
- Network security liability: Coverage if your systems are compromised and used to attack other organisations, and those organisations hold you liable.
- Professional liability (IT services and software): Claims that your IT services, advice, or software caused financial loss to customers.
- Media liability: Claims arising from content published on your website or social media platforms.
Australian-specific regulatory requirements
Australian cyber insurance is shaped by the Privacy Act, NDB scheme, and sector-specific requirements:
- Privacy Act and Notifiable Data Breaches scheme. The Privacy Act Notifiable Data Breaches scheme requires organisations to notify affected individuals and the OAIC when a data breach is likely to result in serious harm. Notification must occur without unreasonable delay. Insurance covers the cost of determining whether NDB applies, notifying affected individuals, and cooperating with the OAIC.
- Australian Privacy Principles (APPs). The 13 APPs govern how organisations handle personal information. APP 1 (Management of personal information) requires security safeguards. Insurance covers costs of demonstrating APP compliance and defending against OAIC investigations.
- APRA CPS 234 (APRA-regulated entities). The Australian Prudential Regulation Authority expects APRA-regulated institutions (banks, insurers, superannuation funds) to maintain appropriate cyber incident insurance and third-party risk management. CPS 234 guidance recommends insurance as part of operational resilience, though it's not a strict mandate.
- Essential Eight maturity model. The Australian Signals Directorate (ASD) publishes the Essential Eight as a minimum cyber security baseline. While not mandatory for most organisations, government contractors must implement Essential Eight controls, and many insurers offer 10-25% discounts for organisations demonstrating alignment.
- OAIC expectations. The OAIC publishes expectations for data breach response, including a 'negative determination' assessment process to establish whether NDB applies. Insurance covers these investigative costs.
- Sector-specific regulations. Health sector organisations are subject to the Privacy Act plus state health regulations. Financial services companies are regulated by ASIC and APRA. Government contractors must comply with ASD guidelines. Insurance should cover relevant sector-specific breach response requirements.
Coverage limitations and sub-limits
Most Australian cyber policies apply sub-limits: separate maximum amounts for specific coverages, distinct from the overall policy limit. For example, an AUD$500K policy might sub-limit NDB notification to AUD$150K and business interruption to AUD$250K. Once these sub-limits are exhausted, the insurer stops paying for those coverages, even if the overall limit remains unused.
| Coverage Type | Category | Typical Sub-Limit (AUD) |
| --- | --- | --- |
| Incident response and forensics | First-party | $80K – $350K |
| Business interruption loss | First-party | $200K – $2M+ |
| NDB notification costs | First-party | $100K – $400K |
| OAIC regulatory defence | First-party | $75K – $250K |
| Legal defence costs | Third-party | No separate limit |
| Settlements and compensation | Third-party | Up to policy limit |
| Social engineering fraud | Additional | $75K – $300K |
Optional additional coverages
- Social engineering and wire fraud: Covers losses when employees are deceived by social engineering attacks or fraudulent wire transfer instructions. Increasingly important in Australia.
- Dependent business interruption: Covers losses when a critical supplier or customer is breached and their downtime affects your operations. Important for supply chain resilience.
- Cyber extortion and ransom negotiation: Professional negotiation services with extortionists (ransom payments often excluded due to government guidance against paying threats).
- Cryptojacking: Unauthorised use of company computing resources for cryptocurrency mining or other malicious purposes.
- Invoice manipulation and business email compromise: When attackers intercept email and redirect invoices or payment instructions to fraudulent accounts.
- Cross-border breach notification: Coverage for incidents affecting residents of other countries (US, UK, EU) requiring notification under GDPR, CCPA, and other foreign laws.
Find the right cyber insurance for your Australian business
A specialist broker can help navigate the Notifiable Data Breaches scheme, APRA requirements, and ensure adequate sub-limits for NDB notification and business interruption.
Last updated: April 2026