Australian ransomware insurance: ACSC and the NDB scheme
Ransomware insurance in Australia is shaped by the Australian Cyber Security Centre (ACSC) and the Notifiable Data Breaches (NDB) scheme under the Privacy Act. The ACSC publishes clear guidance advising Australian organisations against ransom payments, citing that payments fund criminal enterprises and provide no guarantee of data recovery or non-publication.
The NDB scheme requires organisations to notify affected individuals "as soon as practicable" if a data breach is likely to result in "serious harm." Additionally, organisations must notify the Office of the Australian Information Commissioner (OAIC) if 100 or more Australian residents are affected. The OAIC can conduct investigations and enforce remedial action, making breach response a regulatory matter.
- NDB notification requirement. Organisations must notify affected individuals as soon as practicable if the breach is likely to cause serious harm. This is a legal obligation under the Privacy Act.
- ACSC guidance on ransomware. The ACSC provides free incident response support and publishes detailed recovery playbooks for major ransomware families. Many Australian organisations have recovered without ransom payment.
- Ransom payment coverage. Australian insurers increasingly exclude ransom payments entirely or cap them at AUD 500K–AUD 1M, well below typical ransom demands of AUD 2.5M–AUD 4M.
- Business interruption coverage. Most Australian policies cover revenue loss during downtime, with typical waiting periods of 12–24 hours. This is critical for time-sensitive operations.
- Incident response and forensics. Covered; includes legal counsel, crisis management, incident investigation, and access to forensic specialists.
Australian law enforcement and regulatory reporting
Key Australian Authorities for Ransomware Reporting
- Australian Federal Police (AFP): Report serious cybercrime at afp.gov.au; cybercrime reports are escalated to ACSC
- OAIC (Privacy Commissioner): Report breaches affecting 100+ Australians at oaic.gov.au
- ACSC (Australian Cyber Security Centre): Free incident response support available at cyber.gov.au
- Australian Information Commissioner: Handles Privacy Act breaches and can conduct investigations
The AFP actively investigates organised ransomware groups targeting Australian critical infrastructure. Reporting to the AFP is voluntary but encouraged, as it helps law enforcement understand threat actor tactics and targets. The ACSC works directly with organisations to provide free incident response guidance and threat intelligence.
Australia's approach is collaborative and supportive. Unlike the US with OFAC or the UK with strict FCA timelines, the ACSC provides hands-on assistance. However, the OAIC can conduct post-incident investigations if the breach is serious, potentially resulting in enforcement action.
What voids Australian ransomware coverage
Australian insurers have tightened underwriting significantly. These are the top claim denial reasons:
- No multi-factor authentication. Australian insurers now universally require MFA on email and critical systems. Lack of MFA results in claim denial or severe sub-limitations (AUD 100K instead of AUD 1M).
- Failure to notify "as soon as practicable." The NDB scheme requires timely notification. Delays can void coverage, especially where the breach should have been reported to the OAIC.
- No immutable or offline backups. If all backups were encrypted or deleted, coverage may be denied for failing to maintain proper backup procedures.
- End-of-life operating systems. Windows 7, Server 2008, or other unsupported systems on the network result in denial.
- Not using the insurer's IR panel. Some Australian policies mandate using pre-approved incident response firms. Engaging an IR firm outside the panel may result in partial denial.
- Prior cyber incident within 24 months. A previous breach makes you higher risk; coverage may be denied or heavily sub-limited.
Recent Australian ransomware incidents
Notable Australian Ransomware Cases (2024–2026)
- Australian Healthcare Network (2024): Lockbit attack affected hospital systems across multiple states. Recovery used ACSC guidance and backups; no ransom paid. OAIC initiated investigation.
- Australian Financial Services Firm (2025): Royal ransomware affected 500K+ customers. Triggered NDB notification; no ransom paid; OAIC enforcement action followed.
- NSW Government (2024): Critical infrastructure attack disrupted government services. AFP and ACSC coordinated response; recovery completed within 2 weeks without ransom.
Australian ransomware statistics 2025–2026
- Average ransom demand in Australia: AUD 3.2M (approximately USD 2.1M)
- Average total incident cost: AUD 4.5M (including downtime, forensics, notification, legal, OAIC compliance)
- Average downtime: 14 days (Australian organisations recover quickly due to strong backup practices)
- Organisations paying ransom and re-attacked: 72% within 12 months
- Ransomware claim denial rate: 37% (mostly MFA-related or NDB notification failures)
- Primary attack vector: Compromised credentials (85% of incidents)
- Most targeted sectors: Healthcare (29%), Financial Services (17%), Government (16%)
How to ensure coverage in Australia
- Implement organisation-wide MFA. Cover email, VPN, RDP, and cloud portals. This is now mandatory for all Australian insurers.
- Maintain tested offline backups. At least one backup must be air-gapped (completely disconnected from the network). Test recovery monthly.
- Document your NDB notification process. Know who will notify affected individuals and the OAIC, and in what timeframe. Have a template ready.
- Understand your policy's ransom cap. Many Australian policies cap ransom at AUD 500K. Confirm the exact limit with your broker.
- Know your insurer's IR panel. Get contact details for pre-approved incident response firms. Some policies mandate using them.
- Maintain evidence of security controls. Documentation of MFA, vulnerability scanning, security awareness training, and backup testing will support claims.
- Brief your legal and compliance teams. They must understand the "as soon as practicable" notification requirement to avoid policy exclusions and OAIC penalties.
Find ransomware insurance aligned with Australian standards
Get matched with an Australian specialist broker who understands the NDB scheme, ACSC guidance, and OAIC requirements.