Cyber risk

In 2024-25, the Australian Cyber Security Centre (ACSC) answered over 42,500 calls to their hotline. The ACSC’s average self-reported cost of cybercrime per report was $56,600 for small businesses and $97,200 for medium businesses. All of these figures were up from the year before.¹

Globally, the frequency and severity of cyber risk continue to increase. Ransomware and other attacks are increasingly sophisticated and more invasive, with sensitive data targeted and operating systems disabled.

Consequently, the cost to investigate, repair and recover has increased too.

What is cyber insurance?

Cyber insurance, which is a relatively novel product, provides coverage to businesses for liability relating to cyber threats.

While all products are different, the range of assistance provided under a cyber policy includes coverage for:

  1. forensic investigation
  2. data restoration
  3. customer notification and rectification, e.g. call centres, and
  4. indemnification of penalties imposed by government regulators.

Where the data breach is due to the malicious acts of a foreign government actor or criminal gang, coverage may include costs related to:

  1. the services of a negotiator
  2. legal advice to determine if any ransom payment is legal or reportable, and
  3. indemnification of the ransom the business decides to pay.

Challenges associated with cyber risk

Significant underinsurance for cyber risk. Globally, SMEs and micro businesses account for 30% of cyber market premium.² Increasing general awareness of cyber risk and by extension awareness of cyber insurance is an important first step towards improving small business cyber hygiene and access to cyber insurance.

The unique challenges cyber risk poses to designing and providing affordable cyber insurance policies. The ever-changing nature of cyber risk, which means coverage cannot be predicated on prior historical claims experience, and incomplete data sets make it difficult to price premiums.

Opportunities associated with cyber risk

Helping businesses improve their cyber security health – when writing a cyber insurance policy, insurers need to access their client’s data and IT processes, and potentially test their cyber defences, to analyse and price the risk. Doing so provides an opportunity to identify weaknesses in the business’s data protection and cyber security practices, providing learnings to improve its cyber security health. Recent enhancements to national cyber security legislation will also serve to harden the entire Australian business community against cybercrime.

What action is the industry taking?

Cyber risk is rapidly evolving, and the Insurance Council is working with members and government agencies to provide relevant information where it can and contribute to the national cyber security project.

Since September 2021, insurers have started reporting details of separate cyber policies written to APRA to assist in the development of relevant policies.

Tips for businesses

For all businesses, particularly SMEs, the Insurance Council endorses the Australian Cyber Security Centre’s Essential Eight Maturity Model as a good first step towards improved cyber security health.
