• Australian organisations are facing increasingly sophisticated and capable cyber criminals.
  • Lack of basic controls often leads to exploitation.
  • Cyber insurance is an important component of a comprehensive risk management strategy.

Regardless of business size, cyber breaches continue to rise. In March 2023, the Office of the Australian Information Commissioner (OAIC) reported that notifications of data breaches had increased by 26 percent, up to 497, in the July-December 2022 period.[1] Alarmingly, 70 percent of those breaches related to criminal or malicious activities, of which ransomware remained the prevailing cause of the breach.[1]

According to the Australian Cyber Security Centre (ACSC), many security practitioners are warning that ransomware attacks, which had seen some measure of decline, are on the rise again.[2] In 2023, Aon has observed a sharp uptick in ransomware attacks on its clients, with an increase in claims/incidents reported across the small to medium enterprise (SME) sector and large corporates. In a number of these incidents, a lack of multi-factor authentication (MFA) has either led to the compromise or has resulted in a large incident. Whilst insurers have been focusing on MFA as a critical security control for over 24 months, it is clear some organisations still need to uplift their security. Compounding this problem is the increasing reliance on third parties for management of networks, and a lack of MFA applied to such access points may undermine security controls.

Australian organisations are facing increasingly sophisticated and capable cyber criminals who are targeting companies for their data and money, resulting in reputation damage, significant financial losses, and in some instances, even business closure.[3] Many SMEs are identified as under-resourced to manage these threats, with less cyber security barriers compared to larger organisations.[3]

Whilst the costs of insurance solutions may draw some budgetary scrutiny, being uninsured in this increasingly digital world can be high risk and high cost.

How Cyber Attack Trends for SMEs Affect the Cost of Cyber Insurance

A cyber incident can take many forms such as malware, business email compromise and phishing. All of these have varying consequences including identity theft, financial theft, and privacy breaches. A cyber attack can be costly – the losses incurred could mean an organisation goes into debt in order to recover, and potentially even cease trading altogether.

Cyber insurance is an important and prudent component of a comprehensive risk management strategy and is relevant for all businesses to consider. Data and computer systems are heavily relied on and are the lifeblood of many organisations. Such digital presence and reliance carry the risk of being targeted by cyber criminals.

Despite the increase in cyber attacks, the cyber insurance market appears to be stabilising. We are seeing trends in the market leading to more positive outcomes in policy coverage, increased limits being provided by insurers, and importantly, premiums stabilising and potentially reducing. The increased number of insurers providing cyber coverage and increased limits of indemnity are also helping to drive much needed competition.

Continue Reading

What is Cyber Insurance?

Cyber insurance is designed to help cover certain financial losses a business might incur due to a cyber incident. Any business with computers connected to the internet is vulnerable to cyber risks such as malware and viruses, denial of service attacks and data/privacy breaches.

What Does Cyber Insurance Cover?

If a business suffers an attack, it is likely that costs will be incurred as a result. For example, there are costs involved to obtain advice and support, identify the source and scope of the attack, restore systems, recover the data, and to notify victims of privacy breaches. These are known as first party losses.

A claim under a typical cyber insurance policy may also cover other costs, such as liabilities and losses associated with the cyber incident in question.

The liability and regulatory environment in Australia following recent data breaches, is evolving, with new fines and penalties set to elevate Australia as a global leader in regulatory controls, oversight, and enforcement in this space.

Following a cyber attack, a cyber insurance policy may offer access to an incident response specialist who can help coordinate the steps needed to assist in the recovery from a cyber incident.

This can include:

  • Arranging a forensic investigation of computer systems
  • Assisting in obtaining legal advice
  • Responding to regulators if required (for example if there has been a privacy breach)
  • Providing public relations support to help minimise reputational damage
  • Advising on costs to secure computer systems against a future cyber attack

It is worth noting not all costs are covered under a cyber insurance policy and cover will be subject to an organisation’s particular policy terms, conditions, and exclusions. For example, salary costs for employees, damage to property other than computer hardware, internet or utility outages, and uninsurable fines are not typically covered under cyber insurance.

How Much Does Cyber Insurance Cost?

The cost of coverage is relative to the threats faced and the cyber security posture an organisation has to face those threats. Just like any other insurance policy, the cost of the policy depends on several factors, such as business size, revenue, number of employees, and the industry the organisation operates in.

More specifically to cyber risks, when calculating premiums for cyber insurance, some factors considered include potential downtime following an attack and the likely revenue impacts to the organisation, the types of data stored, likelihood of human error and the financial implications, and reliance on automation, systems, or data.

As criminal activity continues to gain momentum organisations should focus on securing networks and applying this concept to third and fourth party providers that operate within the same environment. A secure network requires constant vigilance and significant investment, which can all come undone if a trusted vendor doesn’t have the same focus on security.

Best practices suggest organisations should prepare and plan for an incident, however this concept has also evolved and morphed into practicing multiple different scenarios, and indeed should involve a scenario where a critical provider suffers an outage. In addition to a focus on security, it is important to diligently prepare for when security does indeed fail. This should include understanding risk transfer options, including cyber insurance options, and understanding what is available through your cyber insurance policy pre and post incident.

When considering cyber insurance options, it is essential to carefully review the potential cyber risks for your organisation, as well as potential losses that may be suffered following a cyber attack.




[1] Australian Government, Office of the Australian Information Commissioner, Notifiable Data Breaches Report: July to December 2022, 01st March 2023.

[2] Mimecast, Ransomware’s Decline Reveals Value of Improved Defenses, March 30, 2023.

[3] Australian Government, Australian Cyber Security Centre, Cyber Security and Australian Small Businesses, November 2020.

Want to keep up to date with our insights?

Privacy Policy