Cyber Insurance in Australia: What You Actually Need to Know
Australian cyber insurance premiums have risen sharply. Underwriting requirements are stricter. And more businesses are being declined or having claims excluded for gaps in basic controls. This guide covers what cyber insurance covers, what insurers require, and how to get better terms.
Why the Australian Cyber Insurance Market Has Changed
Between 2019 and 2023, Australian cyber insurers paid out billions in ransomware and business email compromise claims. The claims rate for cyber policies exceeded most other commercial insurance lines. Insurers responded by tightening underwriting requirements, increasing premiums, adding exclusions, and in some cases declining businesses that couldn't demonstrate basic controls.
For Australian SMBs, this means three things have changed: getting a quote is harder, the premium is higher than it used to be, and policy exclusions are broader. Businesses that were automatically insured five years ago are now being asked detailed questions about their MFA setup, backup practices, and patch management processes.
The good news: businesses with the right controls in place can still get comprehensive coverage at reasonable premiums. The gap between insurable and uninsurable is usually a handful of specific technical measures — not a complete security overhaul.
What Does Cyber Insurance Cover?
Australian cyber insurance policies are split into two categories: first-party coverage (your own costs) and third-party coverage (your liability to others). Not all policies include both, and coverage limits and exclusions vary significantly between insurers.
First-Party Coverage — Your Own Costs
- ✓ Incident response costs — Forensic investigation, breach containment, legal advice
- ✓ Data recovery — Restoring or recreating data lost in an attack
- ✓ Business interruption — Revenue loss while systems are offline
- ✓ Ransomware and cyber extortion — Payment negotiations and ransom payment (subject to conditions)
- ✓ Crisis communications — PR support and customer communications
- ✓ Regulatory fines — Costs related to Privacy Act and other regulatory investigations
Third-Party Coverage — Your Liability to Others
- ✓ Customer notification costs — Notifying affected individuals under the NDB scheme
- ✓ Liability claims — Legal defence and settlements from customers whose data was exposed
- ✓ Media liability — Claims arising from content published on company systems
- ✓ Network security liability — Third-party losses caused by failures in your security
- ✓ Regulatory defence — Legal costs defending against Office of the Australian Information Commissioner investigations
Common exclusions to watch for
War and state-sponsored attacks, bodily injury or property damage, prior known incidents, infrastructure already breached at inception, and losses arising from controls that were misrepresented in the application. The last exclusion is the most common reason claims are denied — always answer application questions accurately.
What Australian Cyber Insurers Require
Coalition, Chubb, Beazley, AIG, and the specialist cyber underwriters all ask the same core questions. Here are the controls that are now effectively non-negotiable for coverage in the Australian market.
Multi-Factor Authentication (MFA)
Non-negotiable: Required on email (Microsoft 365 / Google Workspace), remote access (VPN, RDP), and any internet-facing admin panels. Missing MFA on email is the single most common reason applications are declined or premiums are increased significantly.
Tested backups stored offline or immutably
Non-negotiable: Backups must be isolated from live systems — cloud backups that sync with no separate access controls are not sufficient. The key word is "tested": insurers increasingly ask when backups were last restored and what the result was.
Incident response plan
Non-negotiable: A documented plan defining what to do in the first 24 hours of a breach — who to call, who decides, how to contain, and how to notify. It does not need to be elaborate; a practical one-page plan is sufficient.
Patch management
Required: Critical patches on internet-facing systems applied within a defined timeframe (typically 14–30 days for most applications; 48–72 hours for critical vulnerabilities in internet-facing services).
Endpoint Detection and Response (EDR)
Increasingly required: Basic antivirus is no longer sufficient at higher coverage levels. EDR (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, or equivalent) is required by most insurers for policies above $1M.
Email security (DMARC/DKIM/SPF)
Increasingly required: Domain-based authentication prevents email spoofing and is asked about in most underwriting questionnaires. DMARC at an enforcement policy (p=quarantine or p=reject) is the standard.
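The "DMARC at enforcement" check insurers ask about, as an added example that is not part of this guide or of any insurer's questionnaire: it parses the text of a DMARC TXT record and reports whether the published policy is p=quarantine or p=reject, and flags the common weakenings (pct below 100, sp=none on subdomains, no rua= reporting address) that leave a record short of real enforcement. The sample records and the example.com addresses are constructed, and the function and variable names are the example's own; no DNS lookups are performed, so it runs offline.

```python
# Added example (not from the original guide): a small checker for the
# "DMARC at enforcement" bar insurers ask about. It parses the text of a
# DMARC TXT record and reports whether the published policy is p=quarantine
# or p=reject, plus the common weakenings (pct<100, sp=none, no reporting)
# that make a record look enforced when it is not. Sample records are
# constructed for illustration; no DNS lookups are performed.

ENFORCEMENT_POLICIES = {"quarantine", "reject"}
VALID_POLICIES = {"none", "quarantine", "reject"}


def dmarc_query_name(domain: str) -> str:
    """Name at which a domain publishes its DMARC record (TXT lookup target)."""
    return f"_dmarc.{domain.strip().rstrip('.').lower()}"


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a {tag: value} dict.

    Tag names are case-insensitive per RFC 7489, so they are lower-cased;
    values are kept as published (policy values are lower-cased on use).
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Return {'valid', 'policy', 'enforcing', 'findings'} for a DMARC record.

    'enforcing' is True only when the organisational-domain policy is
    quarantine or reject AND it applies to 100% of failing mail. Other
    weaknesses are listed in 'findings' without changing 'enforcing'.
    """
    tags = parse_dmarc(record)
    findings = []

    # A DMARC record must declare v=DMARC1; anything else (e.g. an SPF
    # record returned by mistake) is not a DMARC record at all.
    if tags.get("v", "").upper() != "DMARC1":
        return {"valid": False, "policy": None, "enforcing": False,
                "findings": ["record does not declare v=DMARC1"]}

    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return {"valid": False, "policy": policy or None, "enforcing": False,
                "findings": ["missing or unrecognised p= tag"]}

    # pct defaults to 100; a lower value applies the policy to only a
    # sample of failing messages, which is not enforcement.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("pct= tag is not a number; treating as 0")
    if not 0 <= pct <= 100:
        pct = 0
        findings.append("pct= out of range; treating as 0")

    if policy == "none":
        findings.append("p=none is monitor-only; spoofed mail is still delivered")
    elif pct < 100:
        findings.append(f"pct={pct} applies the policy to only {pct}% of failing mail")

    # Subdomain policy inherits p= unless sp= overrides it; sp=none leaves
    # subdomains spoofable even when the apex domain is at reject.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in ENFORCEMENT_POLICIES:
        findings.append(f"subdomain policy sp={sub_policy} is not enforcing")

    # Without rua= there are no aggregate reports, so nobody sees failures.
    if "rua" not in tags:
        findings.append("no rua= address; no aggregate reports will be received")

    enforcing = policy in ENFORCEMENT_POLICIES and pct == 100
    return {"valid": True, "policy": policy, "enforcing": enforcing,
            "findings": findings}


# Constructed sample records (illustrative only, not any real domain's record).
SAMPLE_RECORDS = {
    "enforced":     "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial":      "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "weak_subdom":  "v=DMARC1; p=reject; sp=none",
    "not_dmarc":    "v=spf1 include:_spf.example.com -all",
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        result = assess_dmarc(rec)
        status = "ENFORCING" if result["enforcing"] else "NOT ENFORCING"
        print(f"{name:13} {status:14} {rec}")
        for finding in result["findings"]:
            print(f"{'':13} - {finding}")
```

To run it against your own domain, fetch the TXT record at the name returned by dmarc_query_name (for example with your DNS resolver's TXT lookup) and pass the record text to assess_dmarc; a result of enforcing=True with an empty findings list is the posture the underwriting questionnaire is looking for.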
Privileged access management
Required at higher levels: Restricting administrative access to those who need it, with admin accounts used only for admin tasks. Required at higher coverage levels and for policies covering ransomware risk.
See exactly where you stand with insurers
Our 20-question assessment maps directly to the underwriting requirements above. Free, instant results, no account required.
Check your readiness — free
How Much Does Cyber Insurance Cost in Australia?
Premiums are highly variable — a business with strong controls pays significantly less than one with gaps, even for the same revenue and coverage limit.
| Revenue | Coverage | Strong controls | Weak controls |
|---|---|---|---|
| Under $1M | $500K | $1,500–2,500/yr | $2,500–4,500/yr |
| $1M–$5M | $1M | $2,500–5,000/yr | $5,000–12,000/yr |
| $5M–$20M | $2M | $5,000–10,000/yr | $10,000–25,000/yr |
| $20M–$50M | $5M | $10,000–20,000/yr | $20,000–50,000/yr |
* Indicative ranges only. Actual premiums depend on industry, claims history, data volumes, and specific controls in place. Obtain quotes from a specialist cyber insurance broker.
Factors that affect your premium
Cyber Insurers Active in the Australian Market
The Australian cyber insurance market is dominated by a small number of specialist and generalist insurers. Understanding their approach helps you prepare the right documentation.
Coalition
Technology-led underwriting. Uses active scanning of your external attack surface as part of the application. Strong SMB focus. Typically best value for businesses with good controls.
Chubb
Broad coverage, strong claims service. Higher minimum premiums. Better suited to mid-market and enterprise. Strong underwriting standards.
Beazley
Specialist cyber insurer with deep claims handling experience. Known for the quality of their breach response services included in the policy.
AIG / Cyberedge
Long-standing cyber insurer. Known for broad coverage definitions. Active in both SMB and enterprise markets.
Aon / Lockton (brokers)
Not underwriters, but the two largest specialist cyber insurance brokers in Australia. Working with a specialist broker typically gets you better terms than going direct.
Cyber Insurance FAQs
Is cyber insurance worth it for Australian small businesses?
For most Australian SMBs, yes — particularly those that handle customer data, process payments, or depend on digital systems to operate. The average cost of a cyber incident for an Australian SMB exceeds $46,000 when you include business interruption, recovery costs, and notification expenses. A cyber insurance policy with appropriate coverage costs a fraction of that annually.
What does cyber insurance cover in Australia?
Australian cyber insurance policies typically cover first-party losses including incident response, forensic investigation, data recovery, business interruption, and ransomware response. Third-party coverage includes customer notification costs, regulatory fines, and liability claims. Coverage varies significantly by policy and insurer.
What do Australian cyber insurers require?
The non-negotiable requirements are: MFA on email and remote access, tested and isolated backups, an incident response plan, and timely patch management. Additional requirements at higher coverage levels include EDR, privileged access management, and email security (DMARC/DKIM/SPF).
How much does cyber insurance cost in Australia?
Premiums for Australian SMBs typically range from $1,500 to $15,000 per year for $1M in coverage, depending on revenue, industry, and security controls. Businesses with strong controls pay significantly less — premium differences of 20–60% are common based on security posture.
Can I get cyber insurance without MFA?
Increasingly difficult. Most Australian cyber insurers will either decline to quote, add a significant premium loading, or include a broad exclusion for attacks that exploited the absence of MFA. MFA on email is now the single most important control for insurability in the Australian market.
Know your readiness before you apply
20 questions built around what Coalition, Chubb, and Beazley actually ask. Get your readiness score free — no account required.
Check your readiness — free
Full readiness report with gap analysis available for $99