The Australian cyber threat landscape
Australia faces a rapidly escalating cyber threat. According to the Australian Cyber Security Centre (ACSC) Annual Cyber Threat Report, a cybercrime report is made roughly every 6 minutes in Australia, and businesses across all sectors face growing exposure to ransomware, data theft, and business email compromise.
The financial impact is substantial. Small businesses report an average cost of A$46,000 per cyber incident, whilst medium-sized businesses face average costs of A$97,000. Beyond direct financial loss, breaches can result in regulatory fines, reputational damage, operational downtime, and erosion of customer trust.
Critical infrastructure, including energy, water, telecommunications, and healthcare, faces sustained and sophisticated attacks. The evolving threat landscape means cyber insurance has moved from a nice-to-have to a business essential for organisations of all sizes.
Australian cyber insurance costs
Premiums in Australia are calculated based on business size, industry sector, risk profile, coverage limits, and claims history. The table below shows typical annual premiums in AUD by business size:
| Business Size | Annual Premium (AUD) | Typical Coverage Limit (AUD) |
|---|---|---|
| Micro (1–10 employees) | A$600–A$1,800 | A$500K–A$1M |
| Small (11–50 employees) | A$1,500–A$4,000 | A$1M–A$2M |
| Mid-market (51–250 employees) | A$4,000–A$18,000 | A$2M–A$5M |
| Upper mid-market (251–1,000 employees) | A$18,000–A$60,000 | A$5M–A$10M |
| Enterprise (1,000+ employees) | A$60,000–A$600,000+ | A$10M+ |
Actual premiums vary significantly based on factors such as:
- Industry sector: Healthcare, finance, and critical infrastructure pay higher premiums due to regulatory requirements and attack likelihood.
- Revenue and employee count: Larger organisations typically pay more in absolute terms but may achieve better rates per unit of coverage.
- Security posture: Businesses with strong cybersecurity practices (employee training, multi-factor authentication on email and remote access, regular patching, tested offline backups) may qualify for discounts; insurers increasingly decline or surcharge risks without MFA.
- Claims history: Previous claims increase future premiums.
- Coverage customisation: Optional covers such as extortion expense, legal defence, and crisis management can increase the premium.
- Excess (deductible): Choosing a higher excess reduces the premium.
Australian regulatory landscape
Australia's regulatory environment for data security and privacy is complex, with multiple frameworks imposing obligations on businesses handling customer and employee data.
Notifiable Data Breaches (NDB) Scheme
The NDB scheme, part of the Privacy Act 1988, requires organisations covered by the Act to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of an eligible data breach: unauthorised access to, disclosure of, or loss of personal information that is likely to result in serious harm to any individual and that remedial action has not prevented. A suspected breach must be assessed within 30 days, and notification must be made as soon as practicable once the breach is confirmed. Failure to notify can attract significant penalties. Look for a policy that covers NDB investigation, notification costs, and credit monitoring.
Privacy Act 1988
Australia's Privacy Act establishes strict obligations for handling personal information. The OAIC can conduct investigations and issue compliance notices. The 2022 amendments raised the maximum civil penalty for serious or repeated interference with privacy to the greatest of A$50 million, three times the benefit obtained from the breach, or 30% of adjusted turnover for the relevant period. Regulatory defence costs and civil penalties coverage (to the extent penalties are insurable at law, which Australian policies typically qualify) should be included in your policy.
APRA CPS 234
The Australian Prudential Regulation Authority (APRA) CPS 234 Information Security Standard applies to APRA-regulated entities including banks, insurance companies, and superannuation funds. It imposes strict requirements for information security governance, risk management, and incident response, including notifying APRA of material information security incidents within 72 hours and of material control weaknesses within 10 business days of identification. APRA-regulated organisations should confirm their cyber insurance covers compliance costs and regulatory defence.
Security of Critical Infrastructure Act 2018 (SOCI)
SOCI applies to responsible entities for critical infrastructure assets across sectors including energy, communications, water, transport, healthcare, financial services, and data storage and processing. The legislation imposes mandatory cyber incident reporting (critical incidents within 12 hours, other significant incidents within 72 hours) and, for designated assets, a critical infrastructure risk management program. SOCI does not itself require cyber insurance, but organisations subject to it should ensure their policy covers incident response, regulatory investigation costs, and remediation.
Australian Signals Directorate Essential Eight
The ASD Essential Eight is a set of eight mitigation strategies recommended for all Australian organisations: application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups, each assessed against maturity levels 0 to 3. Whilst not legally mandated for private-sector organisations, adoption is increasingly expected by insurers, regulators, and customers, and insurer proposal forms commonly ask about several of these controls directly. Demonstrating implementation of the Essential Eight can lower insurance premiums and help satisfy investor and customer expectations.
Australian cyber insurance providers
Australia's cyber insurance market includes specialist providers, traditional insurers, and international carriers underwriting through Lloyd's of London.
Specialist Cyber Providers
- CFC Underwriting: Global specialist with strong Australia presence; known for responsive claims and tailored solutions.
- Emergence Insurance: Australian-based specialist focused on SME and mid-market segment.
- Dual Australia: Specialises in technology and professional services sector.
Traditional Insurers
- QBE Insurance: Large multi-national with established Australian cyber team.
- IAG (Insurance Australia Group): Major domestic insurer offering cyber policies under various brands.
- Suncorp: National carrier with competitive SME cyber offerings.
- Allianz Australia: International insurer with strong cyber capability.
Lloyd's Syndicates
International specialists underwrite cyber risk through Lloyd's of London, often accessed via Australian brokers. These carriers are particularly competitive for mid-market and enterprise risks.
Broker Requirements
Any broker arranging cyber insurance in Australia must hold an Australian Financial Services Licence (AFSL) or be an authorised representative of an AFSL holder. Always verify a broker's licence or authorised representative status on the Australian Securities and Investments Commission (ASIC) professional registers before engaging.
Australia-specific coverage considerations
When selecting cyber insurance for your Australian business, prioritise these Australia-specific features:
NDB Compliance Costs
Your policy should cover NDB scheme investigation costs, notification expenses, credit monitoring services, legal advice, and OAIC communication. Some policies include cover for regulatory defence should the OAIC commence enforcement action.
OAIC Investigation Defence
The OAIC investigates alleged Privacy Act breaches. Your cyber insurance should cover legal defence costs, expert witnesses, and negotiated settlements arising from such investigations.
APRA Regulatory Coverage
If your business is APRA-regulated (bank, insurer, superannuation fund), ensure your policy covers APRA investigation costs, compliance remediation, and regulatory defence.
SOCI Compliance
Critical infrastructure operators should ensure incident response and remediation costs for SOCI-reportable incidents are covered, including investigation and government liaison.
Unique Geographic Challenges
Australia's vast geography and distributed workforce create connectivity challenges. Ensure your policy covers business interruption losses arising from extended outages affecting remote sites, and that the insurer's incident response panel can support sites across multiple Australian time zones.
Trans-Tasman Operations
Many Australian businesses operate in or have customers in New Zealand. Confirm that your cyber insurance extends to NZ operations, or obtain separate cover if needed. New Zealand's Privacy Act 2020 has its own mandatory breach notification regime administered by the NZ Privacy Commissioner, so you may need separate notification and crisis management resources for each jurisdiction.
Getting cyber insurance in Australia
Obtaining cyber insurance in Australia follows a structured process:
Step 1: Assess Your Risk
Identify your business's exposure to cyber risks, including data types handled, compliance obligations, critical systems, and previous incidents. This informs your coverage requirements.
Step 2: Find a Broker
Engage a licensed broker with AFSL credentials and experience in your sector. Specialised cyber brokers understand current market conditions and can negotiate competitive terms.
Step 3: Complete Your Proposal Form
Provide detailed information about your business, IT infrastructure, security controls, employee size, revenue, and claims history. Accuracy is essential: misrepresentation or non-disclosure can lead to claim denial, and the controls you declare (for example MFA or backups) may become conditions of cover.
Step 4: Get a Quote
Your broker will obtain quotes from multiple insurers. Compare coverage, limits, excesses, and support services alongside price.
Step 5: Review and Bind
Once you're happy with the terms, your broker will arrange binding cover. Review the policy wording carefully to understand exclusions (such as war, infrastructure failure, or unencrypted devices) and any conditions that require you to maintain the security controls declared in your proposal form.
CyberPolicyFinder Can Help
CyberPolicyFinder matches you with specialist cyber insurance brokers in Australia at no cost. Answer a few quick questions about your business, and we'll connect you with a broker who understands your sector and can negotiate the best terms. It's free, fast, and comes with no obligation.
Other countries
Cyber insurance requirements vary significantly by jurisdiction. If you operate in multiple countries, read our guides for your other markets:
- United Kingdom: GDPR, ICO enforcement, FCA-regulated brokers
- United States: state privacy laws, HIPAA, SEC rules
- Canada: PIPEDA, provincial privacy laws, OSFI rules