What is cyber insurance?
Cyber insurance is a type of business insurance that covers your financial losses from cyber incidents like data breaches, ransomware attacks, system outages, and other digital disruptions. It's also known as "cyber liability insurance" or "cyber risk insurance."
In Australia, cyber incidents are hitting businesses hard. 39% of Australian businesses experienced a cyber attack in 2024, and cyber incidents continue to pose growing risks across all sectors. For small and medium businesses, a single breach can be catastrophic. 60% of SMBs close within 6 months of an attack. Cyber insurance exists because many businesses can't absorb this financial shock alone, especially given Privacy Act compliance requirements and notifiable data breach scheme obligations.
Key point: Cyber insurance reimburses you for direct costs (forensic investigation, ransom negotiation, notification costs under the Privacy Act) and third-party claims (lawsuits from affected customers). You're buying protection for a type of liability and operational crisis, not a physical asset.
What does cyber insurance cover?
Most cyber insurance policies split coverage into two main categories: costs to YOUR business (first-party) and claims FROM OTHERS (third-party).
First-party coverage (costs to your business)
This covers direct costs you incur in response to a cyber incident:
- Incident response and forensic investigation: The cost of hiring experts to investigate the breach, determine what was compromised, and identify the attacker.
- Data recovery and restoration: Costs to recover lost or corrupted data and restore systems to normal operation.
- Business interruption losses: If your systems are down, you lose revenue. This covers the income you would have earned during the outage.
- Ransomware payments: Some policies reimburse ransom payments if you decide to pay. Note: Australian authorities increasingly advise against payment.
- Notification costs: The Privacy Act requires notification of affected individuals following a serious data breach. Cyber insurance covers letters, email campaigns, and call centre costs.
- Credit monitoring: Providing monitoring services to individuals affected by the breach (often 1-3 years).
- Public relations and crisis management: Costs to hire PR firms to manage reputational damage and public communication.
Third-party coverage (claims from others)
This covers legal claims and regulatory action arising from the incident:
- Privacy Act regulatory defence: Defence costs if you face investigation by the Office of the Australian Information Commissioner (OAIC) and cover for regulatory action.
- Notifiable data breach scheme costs: Coverage for obligations and costs arising from the OAIC's notifiable data breach scheme.
- Legal defence costs: Lawyers to defend you against lawsuits from affected customers or partners.
- Settlements and judgments: Compensation you're ordered to pay to affected parties after losing a lawsuit.
- PCI DSS fines: If you process card payments and suffer a breach, payment networks may fine you. Cyber insurance can cover these.
- Media liability claims: Claims that your business defamed someone or invaded privacy through your digital systems or online presence.
Most policies come with coverage limits (e.g., AUD $1 million total), deductibles (you pay the first AUD $10,000 of any claim), and sub-limits (e.g., ransomware covered up to AUD $500,000, even if the total limit is AUD $1 million).
What doesn't cyber insurance cover?
Insurance is defined as much by what it excludes as by what it includes. Here are the most common cyber insurance exclusions:
- Acts of war or nation-state attacks: Most policies exclude attacks by governments or military forces. This "war exclusion" is standard across insurance.
- Unpatched known vulnerabilities: If a security patch was available and you didn't apply it, the insurer may deny claims from attacks exploiting that specific vulnerability.
- Bodily injury or property damage: Cyber insurance covers digital losses. If a cyber attack leads to physical harm, that's typically covered by your general liability policy, not cyber.
- Long-term reputational damage: Cyber insurance covers short-term crisis costs (PR, notification). Permanent loss of customer trust or market share isn't covered.
- Loss of future revenue: Business interruption covers revenue lost during the incident. It doesn't cover future lost business due to reputational harm.
- Prior known claims: If you knew about a potential claim before buying the policy, it's excluded.
- Voluntary shutdowns: If you choose to shut down your systems without insurer approval, resulting losses may not be covered.
- Social engineering (sometimes): Some policies exclude or heavily sub-limit losses from social engineering attacks (e.g., CEO fraud). Check your policy carefully.
Read the fine print: Exclusions vary significantly between insurers. A breach that one insurer covers, another may exclude. Always ask your broker to highlight exclusions relevant to your business and industry.
How does a cyber insurance claim work?
Step 1: Incident occurs. You discover a breach, system outage, or suspected attack.
Step 2: Contact insurer immediately. Call your insurer's claims hotline right away. Most Australian policies require prompt notification. Delaying notification may void coverage.
Step 3: Insurer appoints incident response team. The insurer will typically have a preferred team of forensic experts, legal counsel, and PR firms. Some policies let you choose your own; others require you to use the insurer's panel. The insurer pays the IR team directly.
Step 4: Containment and investigation. The IR team stops the attack (if ongoing), investigates what happened, identifies what data was compromised, and documents findings.
Step 5: Claim assessment. The insurer reviews the incident and IR findings to determine what's covered under your policy. They'll assess whether exclusions apply, whether costs are reasonable, and whether the claim is within coverage limits and deductibles.
Step 6: Payout. Once approved, the insurer reimburses you for covered costs or pays vendors directly.
Important: Good cyber insurance policies don't just provide money; they provide people. Your policy includes access to forensic investigators, Australian-qualified legal counsel familiar with Privacy Act notification requirements, and PR specialists. These are often more valuable than the dollar payout because they know how to handle incidents efficiently and protect you from OAIC action.
Australian regulatory landscape
Australia's cyber insurance landscape is shaped by the Privacy Act (which includes the Australian Privacy Principles) and the notifiable data breach scheme. The Privacy Act requires organisations to take reasonable steps to protect personal information. The notifiable data breach scheme, part of the Privacy Act, requires organisations to notify individuals and the OAIC if a serious data breach occurs. Additionally, the Telecommunications (Interception and Access) Act and industry-specific regulations apply to different sectors. Cyber insurance covers regulatory defence costs and obligations under these frameworks.