Cyber Insurance Exclusions in Australia

Know the gaps in your Australian cyber coverage, including APPs compliance, notifiable data breach scheme issues, and how to negotiate broader protection.

The critical exclusions in Australian cyber insurance

Australian cyber insurance exclusions are shaped by the Privacy Act (Australian Privacy Principles or APPs), the notifiable data breach scheme, and the rising threat of class actions under Australian Consumer Law (ACL). The biggest gap many Australian businesses don't anticipate: class action liability from customers suing under ACL, which can exceed AUD 5 million for larger breaches. Your cyber policy may exclude or cap class action defence and settlement costs significantly.

Australian Privacy Principles (APPs) compliance failures

The Privacy Act requires Australian businesses to implement reasonable security safeguards (APP 11). Cyber policies may exclude coverage if you failed to meet APP requirements, particularly APP 11's requirement for security measures "appropriate to the information held and the level of risk." If a breach occurs because your encryption was inadequate or your access controls were insufficient, the insurer may argue you violated APP 11 and deny coverage.

The challenge: the APPs don't mandate specific controls (unlike the GDPR or state law in the US). The Office of the Australian Information Commissioner (OAIC) assesses reasonableness on a case-by-case basis depending on your business size and the sensitivity of the data. Document your APP 11 compliance thoroughly: encryption choices, access controls, incident response procedures, and employee training. This is your defence against exclusions for APP non-compliance.

Notifiable data breach scheme and notification cost gaps

Australia's notifiable data breach scheme (Part IIIC of the Privacy Act) requires notification within 30 days if there's likely to be serious harm from the breach. The OAIC oversees compliance and can issue compliance notices. Cyber policies must cover the cost of mandatory notification: letters, credit monitoring, public announcements, and OAIC engagement.

The gap: some Australian cyber policies exclude notification costs entirely or cap them at AUD 50K, far less than the actual cost for a major breach affecting thousands of Australians. For a breach of 10,000 records at AUD 20 per notification, you're looking at AUD 200K in costs alone, before OAIC engagement. Ensure your policy's notification cost coverage is adequate and doesn't have low caps.

Class action liability and Australian Consumer Law exclusions

This is the biggest gap in Australian cyber insurance that catches businesses by surprise. If your breach exposes customer data and damages result (identity theft, financial loss, emotional distress), customers increasingly sue under the Australian Consumer Law (ACL) as a class action. The ACCC has been pushing class actions as a remedy for privacy violations.

Class actions in Australia are expensive to defend (legal costs alone can exceed AUD 2 million) and settlements are often large (AUD 5–30 million for major breaches). Some Australian cyber policies exclude class action liability as uninsurable, whilst others cap it at AUD 2–5 million. If you're a large organisation holding customer data, class action coverage is critical. Clarify in your policy: what's the limit for class action defence and settlement costs?

War and terrorism exclusions and regional security concerns

Australian policies typically include war and terrorism exclusions under Lloyd's Market rules. Cyber-specific carve-outs (LMA5567, 5568, 5569, 5570) are increasingly standard, but not universal. For Australian critical infrastructure operators and organisations handling sensitive government information (especially defence and national security work), explicit cyber-war coverage is essential.

Regional cyber threats are also a concern: nation-state actors targeting Australia's critical infrastructure, and Chinese cyber espionage targeting Australian businesses and government data. If your policy was written before 2018 and doesn't include explicit cyber-war language, you have a significant gap. Ensure your policy schedule includes Lloyd's Market Association endorsements for cyber-specific attacks.

Business interruption and NBN/infrastructure failure gaps

Australian cyber policies cover business interruption from your own systems being compromised, but exclude interruption from pure infrastructure failures (NBN outages, electricity grid failures) unless the failure was caused by a cyber attack. For Australian businesses in regional areas dependent on NBN, or for any business with cloud-only operations, this gap is real.

If the NBN backbone in your region experiences an outage affecting thousands of Australian businesses, your cyber policy won't cover your lost revenue. Business interruption coverage requires proof the outage was caused by a cyber attack on your own systems. For cloud-dependent businesses, clarify the trigger for business interruption coverage.

OAIC enforcement and regulatory remediation costs

The OAIC can issue compliance notices requiring you to implement security improvements, conduct audits, or provide breach notifications. These remediation costs may not be covered by standard cyber policies. Some policies exclude costs associated with OAIC investigations or compliance notices. If the OAIC issues a notice requiring you to implement new security controls (costing AUD 200K+), your cyber policy may not cover it.

Clarify in your policy: are costs for OAIC-mandated compliance improvements covered, or just incident response costs? For organisations that have had prior OAIC investigations, this gap is particularly important.

Major gap for Australian businesses: Class action liability under ACL is growing and can exceed AUD 10 million. Many cyber policies exclude or cap this significantly. Ensure your policy provides adequate class action coverage if you handle customer data. This is a critical gap in the Australian market.

How to negotiate exclusion gaps in Australia

Red flags in Australian cyber policy wording

Don't let exclusions expose you to class action liability

Get an Australian specialist broker to review your policy and identify gaps specific to APPs, notifiable breach scheme, and ACL class action risks.

Last updated: April 2026