
Cyber Insurance in Australia — What It Actually Covers (And What It Does Not)

📅 March 9, 2026 ⏱ 6 min read

Cyber insurance has become an important risk management tool for Australian businesses, particularly as the average cost of a data breach has exceeded $4 million and ransomware attacks are increasingly common. However, the market is complex — many policies contain exclusions that effectively void coverage in the most common attack scenarios, and the application process has become significantly more rigorous as insurers have tightened requirements.

What Good Cyber Insurance Covers

A comprehensive cyber insurance policy covers two broad categories.

First-party costs — expenses your business incurs directly from a cyber incident: incident response and forensic investigation (often $20,000 to $100,000 for a serious incident), data recovery and system restoration, business interruption losses while systems are down, ransomware payment coverage (with conditions), crisis communications, and regulatory response costs.

Third-party liability — costs arising from claims made against your business: privacy breach liability from affected customers, regulatory fines and penalties, defence costs for related legal actions, and media liability for defamation or copyright claims arising from a breach.

Common Exclusions That Catch Businesses Out

Security control exclusions: Many policies require specific security controls to be in place at the time of a claim — MFA, endpoint protection, regular tested backups, and documented security policies. If you cannot demonstrate these were in place when the breach occurred, the insurer may deny or significantly reduce the claim. This has become the most common basis for claim disputes.

Social engineering exclusions: Some policies explicitly exclude losses from social engineering attacks where an employee is tricked into authorising a transfer — meaning BEC losses may not be covered without a specific social engineering endorsement.

War and nation-state exclusions: Attacks attributed to nation-state actors may be excluded under war clauses — a clause that has been subject to significant legal dispute following NotPetya claims.

The Application Process Has Changed

Cyber insurance applications in 2025-2026 require detailed technical questionnaires covering MFA adoption, backup procedures, endpoint protection, email security configuration, and incident response planning. Insurers are increasingly declining coverage or loading premiums significantly for businesses that cannot demonstrate basic security controls. Having your Essential Eight controls in place before applying significantly improves both eligibility and premium.

Before You Buy

Read the security requirements section carefully and ensure you genuinely meet them. Ask specifically whether social engineering and business email compromise are covered — and what limits apply. Understand the sub-limits for specific events like ransomware payments and business interruption. IntrusionX can help you prepare your security posture for a cyber insurance application, ensuring you meet insurer requirements and can accurately answer technical questionnaires. Contact us for assistance.

Making a Claim — What to Expect

When a cyber incident occurs, notify your insurer as early as possible — most policies require prompt notification and some have time limits measured in hours or days. Work with the insurer's appointed incident response team rather than engaging your own independently, unless the policy allows this. Document everything from the first moment — time, date, what was observed, what actions were taken. Preserve evidence by not wiping or rebuilding systems until the forensic team has assessed them. The insurer's forensic team will determine the cause, scope, and potential liability, which affects both the claim amount and your obligations to notify affected parties.

The Right Premium for the Right Controls

Businesses with strong security controls — MFA everywhere, tested backups, documented policies, staff training — consistently pay lower cyber insurance premiums and have higher claim success rates. The investment in security controls therefore pays off twice: it reduces the likelihood of an incident, and it reduces the cost of insurance and improves coverage when an incident does occur. IntrusionX can help you implement the security controls that insurers reward, and provide the documentation that supports your insurance application and any future claims. Contact us for a free assessment.
