Cyber Insurance for Australian Small Businesses: A Practical Buyer's Guide


Cyber insurance has moved from a niche product sold to enterprise legal and financial firms into something that many Australian SMBs now need to seriously consider. The reason is straightforward: the financial consequences of a significant cyber incident — system downtime, forensic investigation, data recovery, mandatory notifications under the Notifiable Data Breaches scheme, regulatory exposure, and potential claims from affected customers — routinely run into the hundreds of thousands of dollars. For a business turning over $3–10 million, that kind of unplanned cost is existential.

Yet the majority of Australian SMBs either have no cyber insurance at all, or carry a policy they have never read closely enough to know what it actually covers. Many discover the gaps only when they file a claim.

This guide explains what cyber insurance covers, what it does not cover, what underwriters are looking for before they'll insure you, and what you should be asking your broker before you sign anything.


Why Australian SMBs Need to Think About Cyber Insurance

The scale of the problem facing Australian small and medium businesses is not abstract. The Australian Signals Directorate's annual Cyber Threat Report consistently identifies ransomware, business email compromise, and data theft as the primary threats to Australian organisations of all sizes. The ASD has also been clear that SMBs are not beneath the notice of cybercriminals — in many cases they are specifically targeted because they tend to have weaker security controls than their enterprise counterparts while still holding commercially useful data.

A significant cyber incident triggers costs across multiple categories at once. Forensic investigators need to determine how the attacker got in and what they accessed. Legal counsel needs to assess whether the incident triggers mandatory notification under the Notifiable Data Breaches scheme administered by the Office of the Australian Information Commissioner. If notification is required, affected individuals need to be told promptly, which itself carries direct costs — drafting, printing, postage, call centre time — and indirect costs in reputation. If ransomware is involved, the business may face days or weeks of downtime while systems are rebuilt, representing real lost revenue. And if personal information of customers or employees was compromised, those individuals may have grounds to bring claims under privacy legislation, exposure that has grown since the 2024 Privacy Act amendments introduced a statutory tort for serious invasions of privacy.

An annual premium for a $1 million cyber insurance policy with reasonable coverage and a good claims service from an established insurer might run $3,000–$8,000 for a small business with sound security controls. The total cost of an uninsured significant incident is almost certainly higher — often dramatically so. The insurance case is not difficult to make once the numbers are put side by side.

The harder question is not whether to buy cyber insurance, but how to buy it intelligently: understanding what the policy actually covers, what it excludes, what the insurer will require of you, and whether the policy you are looking at is meaningfully better than a cheap alternative.


What Cyber Insurance Actually Covers

Cyber insurance policies are typically divided into two broad coverage categories: first-party coverage (your own losses) and third-party coverage (claims brought against you by others). Understanding this distinction matters because the exposures are different and the sublimits can differ significantly within the same policy.

First-Party Coverage — Your Own Costs

First-party coverage responds to the direct costs your business incurs as a result of a cyber incident.

Ransomware and extortion payments. If your systems are encrypted by ransomware and you decide to pay the attackers' demand, your cyber policy may cover that payment — subject to important conditions. Consult your insurer before paying anything. Paying a ransom to an entity that is subject to Australian autonomous sanctions legislation — for example, a threat actor linked to North Korea, Iran, or Russia — may constitute a sanctions violation under Australian law, regardless of whether an insurer is footing the bill. Your insurer's legal counsel needs to assess the situation before any payment is made. Beyond the legal question, ransom payments are not guaranteed to result in working decryption keys. See the ransomware prevention article for a full treatment of the prevention and response considerations.

Incident response and forensic investigation. This is frequently the largest single cost item in a cyber incident. Engaging a qualified cybersecurity firm to investigate how the breach occurred, what was accessed or exfiltrated, and how to contain the attacker typically costs tens of thousands of dollars for even a moderate-sized incident. First-party cyber coverage pays for this. It is worth noting that most cyber insurers maintain a panel of approved incident response firms — you may not be free to engage whoever you prefer.

Business interruption. If a cyberattack renders your systems unavailable and you cannot trade, you are losing revenue every day. Business interruption coverage pays for lost income and the additional costs of operating in a degraded state during the recovery period. The calculation is typically based on your average daily revenue multiplied by the number of days of outage, with a waiting period (often 8–12 hours) before coverage commences. Understanding the waiting period and any sublimits on business interruption is important — this is where SMBs often find the coverage narrower than they expected.

Data recovery. Rebuilding corrupted or encrypted data is time-consuming and expensive — or sometimes impossible if backups are inadequate. Data recovery coverage pays for the costs of restoring or recreating data that was damaged, encrypted, or destroyed in an incident.

Crisis communications and public relations. A significant breach can cause real reputational damage. Coverage for crisis communications pays for external PR and communications consultants to help manage the public response, customer communications, and media handling. This is distinct from reputational harm itself (which is not covered — see below) — it specifically covers the professional services cost.

Third-Party Coverage — Claims Against You

Third-party coverage responds when others bring claims or proceedings against your business as a result of a cyber incident.

Regulatory defence costs. Following a notifiable data breach, the OAIC may investigate your organisation. In more serious cases, ASIC may also take an interest where the incident involves financial data or listed entity obligations. Regulatory defence coverage pays for legal representation in those investigations and enforcement proceedings. APRA and ASIC have both signalled increasing scrutiny of cyber risk management practices, which makes this coverage more relevant than it was five years ago.

Privacy liability. Claims from individuals whose personal information was breached fall under privacy liability coverage. With the 2024 Privacy Act amendments creating a statutory tort for serious invasions of privacy, the exposure here has expanded — individuals now have a clearer pathway to compensation without needing to demonstrate pecuniary loss.

Notification costs. Under the NDB scheme, you are required to notify affected individuals and the OAIC when a breach is likely to result in serious harm. Notification costs coverage pays for the direct costs of meeting this obligation — drafting notices, postage, call handling, credit monitoring services where these are offered to affected individuals.

Network security liability. If a failure in your network security results in a third party suffering a loss — for example, a supplier whose systems were compromised because an attacker used your network as an entry point — network security liability coverage responds to those third-party claims.


What Cyber Insurance Does NOT Cover

The claims disputes that attract the most attention in cyber insurance invariably come down to coverage gaps. Understanding what is excluded before you buy is as important as understanding what is covered.

Pre-existing breaches. Cyber policies are typically written on a claims-made basis. If an attacker gained access to your network before your policy commenced — a scenario known as "dwell time," during which attackers often sit quietly on a network for weeks or months before deploying ransomware — there may be a coverage dispute about whether the incident falls within the policy period. When you take out a new cyber policy or switch insurers, the transition period is a meaningful risk.

Nation-state attacks — the "acts of war" exclusion. Some cyber policies exclude losses arising from cyber operations conducted by nation-state actors, on the basis that these constitute acts of war and are therefore outside the scope of commercial insurance. This exclusion attracted significant industry attention after the NotPetya malware — attributed by multiple governments to Russian military intelligence — caused widespread damage to businesses globally. Courts in different jurisdictions have reached different conclusions about how this exclusion applies. Insurers are increasingly rewriting this language to provide more clarity, but you should read the relevant clause in your policy carefully and ask your broker to explain how attribution would be handled in practice.

Failure to maintain security controls. When you apply for cyber insurance, underwriters will ask you questions about your security controls. These may be framed as warranties — meaning that if the answer you give is inaccurate and you later make a claim, the insurer may decline to pay. If you stated that multi-factor authentication was deployed on all email accounts and it was not, and an attacker subsequently compromised an email account without MFA and caused a loss, you have a serious problem. This is not a hypothetical risk — it is one of the most common grounds on which cyber claims are disputed.

Social engineering and business email compromise. Standard cyber policies frequently do not cover funds lost to business email compromise and related social engineering fraud, where an employee is deceived into transferring money or changing payment details. This coverage typically requires a specific crime endorsement or social engineering rider added to the policy. Confirm explicitly with your broker whether BEC is covered and, if so, up to what sublimit. Many SMBs are surprised to learn that one of the most common cyber-enabled financial crimes is not automatically included.

Physical damage. Cyber insurance does not cover physical damage to equipment caused by a cyberattack — for example, hardware destroyed as a result of a cyberphysical attack on industrial control systems. Physical property damage falls under property insurance, and the interaction between the two policies in a cyberphysical incident can be complicated.

Intangible reputational harm. While crisis communications costs are typically covered, the intangible reputational damage that follows a breach — lost customers, reduced brand value, depressed sales — is not a covered loss. Cyber insurance reimburses specific, quantifiable costs; it cannot compensate for diffuse reputational harm.


The Security Controls Underwriters Require

The cyber insurance market has changed materially since 2020. The combination of increased ransomware frequency, larger ransom demands, and several high-profile claims has led underwriters to tighten their requirements significantly. What was once a market where almost any SMB could obtain reasonable coverage at relatively low cost has become one where carriers are selective and premiums are closely tied to the security posture of the applicant.

The controls that underwriters commonly require or ask about include the following.

Multi-factor authentication on email and remote access. MFA on business email (Microsoft 365, Google Workspace) and on any remote access solution (VPN, RDP, remote desktop tools) is now a near-universal requirement. Many insurers will decline coverage outright or apply substantial premium surcharges — often 50–100% or more — where MFA is absent. Read more about implementing multi-factor authentication in a business context.

MFA on privileged and administrative accounts. Increasingly, underwriters are not satisfied with MFA only on standard user accounts. Privileged and administrative accounts — those with elevated access to systems, infrastructure, and data — are specifically asked about. An attacker who compromises an admin account can cause significantly more damage than one who compromises a standard user, and insurers price this risk accordingly.

Endpoint detection and response. For higher policy limits — typically $1 million and above — underwriters are increasingly requiring EDR solutions rather than traditional antivirus. EDR provides behavioural monitoring and can detect attacker activity before it reaches the ransomware deployment stage. Businesses without EDR may find coverage at higher limits unavailable or significantly more expensive.

Offsite, tested backups. The backup question from underwriters is not simply "do you have backups?" It is whether those backups are stored offsite or in a location that is not accessible from the production network — so that ransomware cannot encrypt the backups along with everything else — and whether the backups are tested regularly to confirm they can actually be restored. A backup that has never been tested is not a backup for insurance purposes.

Patch management. Unpatched critical vulnerabilities are a common contributing factor in cyber incidents. Underwriters will ask about patch management practices — specifically how quickly critical patches are applied to internet-facing systems and whether there is a formal process for tracking and remediating vulnerabilities.

Incident response plan. A documented incident response plan is increasingly treated as a soft requirement. Having a plan does not guarantee coverage, but not having one may be treated as an indicator of overall security maturity — and immaturity on that question can affect both the availability and pricing of coverage.

The practical implication is that if you apply for cyber insurance without these controls in place, you may find that coverage is unavailable, that premiums are prohibitively high, or that you are offered coverage with exclusions that undermine its value. Sorting out the security controls before approaching insurers is not just good security practice — it is a prerequisite to being insurable on reasonable terms.


How Much Does Cyber Insurance Cost in Australia?

Premiums vary considerably depending on your business's revenue, industry, claims history, and the security controls you have in place. The following figures are indicative only and should be treated as a guide rather than a quote.

Business profile                                                  | Approximate annual premium         | Policy limit
Small business, under $5M revenue, good security controls         | $2,000 – $8,000                    | $1M
Medium business, $5M–$20M revenue, good controls                  | $5,000 – $25,000                   | $1M–$2M
Higher-risk industry (healthcare, legal, financial services)      | Higher end of range, or loaded     | Varies
Business without MFA or EDR                                       | 50–100%+ surcharge, or declined    | Varies

The most common mistake buyers make when comparing policies is focusing on the premium without reading the coverage terms. A policy priced at $2,000 per year with broad exclusions, low sublimits on ransomware payments, and a large excess may provide materially less real-world protection than a policy priced at $5,000 with comprehensive coverage, appropriate sublimits, and a workable excess. The premium is only meaningful in the context of what it actually buys.

Insurers offering cyber products in the Australian market include Chubb, Allianz, CGU, QBE, Berkley, and CFC Underwriting, among others. Several specialist cyber insurance brokers operate in Australia and have deeper product knowledge than general business insurance brokers — a distinction worth paying attention to given the complexity of cyber policy wording.


What to Look for When Buying Cyber Insurance

Approaching cyber insurance with a structured checklist reduces the risk of discovering coverage gaps at the worst possible time.

Use a specialist cyber insurance broker. A general business insurance broker who writes a small number of cyber policies per year will not have the same depth of product knowledge as a specialist. The policy wording in cyber insurance is consequential — the difference between a well-worded and a poorly-worded policy can be the difference between a paid and a disputed claim.

Read the exclusions section carefully. Before focusing on what is covered, read what is excluded. Pay particular attention to the acts of war exclusion, security control warranties, and the treatment of social engineering and BEC. These are the most common sources of claims disputes.

Confirm whether BEC and social engineering are included. This coverage often requires a specific endorsement. Confirm explicitly with your broker whether it is included in the base policy or needs to be added, and check the sublimit if it is included — it is often lower than the main policy limit.

Understand the sublimits. A policy with a $1 million overall limit may have a $100,000 sublimit for ransomware payments, a $50,000 sublimit for crisis communications, and so on. The headline limit is not necessarily what is available for any given category of loss.

Check the excess. An excess (deductible) of $20,000 or $50,000 may be unworkable for a small business facing an incident that costs $30,000 to resolve. The excess structure needs to match the realistic cost profile of incidents relevant to your business size.
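To make the cost-section comparison (a cheap policy with low sublimits and a large excess against a dearer one with workable terms) and the sublimit and excess points above concrete, here is an added example that is not from the article: it settles one constructed incident against two constructed policies, modelling only sublimits, the excess, the business interruption waiting period and whether BEC is endorsed. Every figure is invented for illustration and is not a quote from any insurer.

```python
"""Model what a cyber policy actually pays on a sample incident.

Added example, not code from the original article. All policy terms and
incident costs are constructed to show how sublimits, the excess, the
business interruption waiting period and a missing BEC endorsement change
the payout. Real policy wording applies these terms in more detail.
"""
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    premium: float             # annual premium, AUD
    limit: float               # headline aggregate limit, AUD
    excess: float              # deductible, applied once per claim (simplified)
    bi_waiting_hours: float    # waiting period before business interruption responds
    sublimits: dict = field(default_factory=dict)  # category -> cap, AUD
    bec_covered: bool = False  # social engineering / BEC needs an endorsement


@dataclass
class Incident:
    outage_hours: float
    daily_revenue: float       # average daily revenue, the basis for the BI loss
    costs: dict                # category -> cost, AUD (BI is derived separately)


def settle(policy: Policy, incident: Incident) -> dict:
    """Return per-category covered amounts, total payable and out-of-pocket loss."""
    hourly = incident.daily_revenue / 24
    bi_loss = hourly * incident.outage_hours
    # Business interruption only responds for hours beyond the waiting period.
    bi_claimable = hourly * max(0.0, incident.outage_hours - policy.bi_waiting_hours)
    bi_cap = policy.sublimits.get("business_interruption", policy.limit)
    covered = {"business_interruption": min(bi_claimable, bi_cap)}
    for category, cost in incident.costs.items():
        if category == "bec" and not policy.bec_covered:
            covered[category] = 0.0   # no endorsement: the BEC loss is excluded
            continue
        # Each category is capped at its sublimit, or the headline limit if none.
        covered[category] = min(cost, policy.sublimits.get(category, policy.limit))
    gross = min(sum(covered.values()), policy.limit)  # aggregate limit caps everything
    payable = max(0.0, gross - policy.excess)
    total_loss = bi_loss + sum(incident.costs.values())
    return {"policy": policy.name, "covered": covered, "payable": payable,
            "out_of_pocket": total_loss - payable, "total_loss": total_loss}


# Constructed policies: the cheap one and the better-worded one from the cost section.
CHEAP = Policy("cheap", premium=2_000, limit=1_000_000, excess=25_000, bi_waiting_hours=12,
               sublimits={"ransomware": 50_000, "business_interruption": 100_000,
                          "crisis_comms": 25_000})
BETTER = Policy("better", premium=5_000, limit=1_000_000, excess=5_000, bi_waiting_hours=8,
                sublimits={"ransomware": 250_000, "business_interruption": 500_000,
                           "crisis_comms": 50_000, "bec": 100_000}, bec_covered=True)

# Constructed incident: four days of outage plus a ransom, forensics and a BEC loss.
SAMPLE = Incident(outage_hours=96, daily_revenue=24_000, costs={
    "forensics": 60_000, "ransomware": 120_000, "data_recovery": 30_000,
    "crisis_comms": 15_000, "notification": 20_000, "bec": 40_000})


if __name__ == "__main__":
    for p in (CHEAP, BETTER):
        r = settle(p, SAMPLE)
        print(f"{r['policy']:6} premium ${p.premium:,.0f}  pays ${r['payable']:,.0f}  "
              f"out of pocket ${r['out_of_pocket']:,.0f} of ${r['total_loss']:,.0f}")
```

On this constructed incident the $3,000 difference in premium separates a payout of $234,000 from one of $368,000; the gap comes almost entirely from the ransomware sublimit, the BEC endorsement and the excess, not from the identical $1 million headline limit.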

Ask about the panel of approved service providers. Many insurers require you to use their approved forensics firms, legal counsel, and incident response providers when making a claim. You may not be permitted to engage your existing IT provider or legal adviser. Understanding this before an incident occurs avoids friction at the worst possible moment.

Understand the notification requirements. Most cyber policies require you to notify the insurer within 24–72 hours of discovering a potential incident. Missing this window can affect your ability to claim. Make sure the relevant people in your business know who to call and when.


Cyber Insurance and Ransomware — Special Considerations

Ransomware warrants specific attention because it is the most financially significant type of cyber incident for most Australian SMBs and the area where insurance interactions are most complex.

Contact your insurer before paying any ransom. This is not optional advice. The insurer needs to be notified as early as possible, both because the policy requires it and because they will have counsel who can assess the sanctions risk associated with the specific attacker. Paying a ransom to a threat actor linked to a sanctioned state or entity — North Korea, Iran, Russia, and others appear on Australian autonomous sanctions lists — may constitute a violation of Australian sanctions legislation regardless of whether you were aware of the affiliation. The insurer's panel counsel is best placed to advise on this before any payment is made.

Some policies require that you consult the insurer's approved negotiator before engaging with attackers at all. Engaging a third-party negotiator without the insurer's knowledge may create coverage complications.

Insurance does not eliminate ransomware risk — it offsets the financial cost of a successful attack. Preventing ransomware through layered security controls — ransomware prevention practices including EDR, MFA, and tested offsite backups — remains more effective and less disruptive than relying on insurance for recovery. A business that experiences a ransomware attack will face days of downtime, potential data loss, staff distraction, and reputational damage regardless of whether the financial costs are ultimately covered by an insurer.


How Pickle Supports Your Cyber Insurance Posture

Most of the security controls that cyber underwriters require — MFA across all user and administrative accounts, endpoint detection and response, offsite and tested backup regimes, patch management, and documented incident response — are the same controls that Pickle implements as part of its managed IT services for Australian SMBs.

There is a direct relationship between the security posture Pickle builds and maintains for its clients and those clients' ability to obtain cyber insurance on competitive terms. Businesses with well-documented, properly implemented security controls are more insurable, qualify for better premiums, and — critically — are far less likely to need to make a claim in the first place.

If you are reviewing your cyber insurance position, or are being asked by an insurer or broker about your current security controls, Pickle can provide documentation of the controls in place and advise on any gaps that need to be addressed before you go to market for coverage.

To talk through your current setup, call 1300 688 588 or email [email protected].


Frequently Asked Questions

Q: Is cyber insurance mandatory for Australian businesses?

A: No. Cyber insurance is not currently mandated by Australian law for most businesses, though certain regulated sectors — such as financial services firms licensed by ASIC or entities subject to APRA oversight — face regulatory expectations around cyber risk management that make insurance a practical necessity. For other SMBs, it is a commercial decision. Given the cost trajectory of cyber incidents and the expanding regulatory obligations under the NDB scheme and the Privacy Act, the question for most businesses is not whether they can afford cyber insurance, but whether they can afford not to have it.

Q: Will cyber insurance pay out if we did not have MFA enabled?

A: This depends on what you represented to the insurer at the time of underwriting. If the application for insurance asked whether MFA was in place and you answered that it was — or if the policy contains a warranty that MFA would be maintained — and MFA was not in fact enabled when the incident occurred, the insurer may decline the claim on the basis of a misrepresentation or breach of warranty. This is one of the most common grounds for cyber claim disputes. Even if the application did not ask explicitly, a policy condition requiring you to maintain reasonable security practices may be applied. Get MFA deployed before you apply, and keep it deployed.

Q: Does cyber insurance cover the cost of paying a ransom?

A: Most cyber policies include coverage for ransomware extortion payments, but with important conditions. You must notify your insurer before paying. The insurer's counsel will need to assess whether the payment would breach Australian autonomous sanctions legislation — paying a ransom to certain designated entities is unlawful regardless of insurance. Payment is also not guaranteed to result in working decryption keys. Policies often have specific sublimits for ransom payments that are lower than the overall policy limit. Check these details with your broker before you assume this coverage applies at the level you need.

Q: What is the difference between cyber insurance and public liability insurance?

A: Public liability insurance covers physical injury or property damage suffered by a third party as a result of your business operations. It does not cover losses arising from cyber incidents — data breaches, ransomware, system outages, or the financial losses of third parties that result from a failure in your network security. Cyber insurance is a separate product designed specifically for these digital risks. Some businesses assume their public liability or professional indemnity policy will respond to a cyber incident; this assumption is worth testing explicitly with your broker, as the answer is usually that it will not.

Q: Should a business with strong IT security still get cyber insurance?

A: Yes. Strong security controls significantly reduce the likelihood of an incident, but they do not eliminate it. Even well-defended businesses can be compromised through zero-day vulnerabilities, supply chain attacks, insider threats, or targeted sophisticated adversaries. Cyber insurance serves as a financial backstop for the residual risk that security controls cannot fully eliminate. Additionally, the regulatory and legal costs following an incident — OAIC investigations, notification obligations, privacy liability claims — arise even where the business has done everything right and a sophisticated attacker still got through. Insurance addresses the financial consequences of incidents that good security practices could not prevent.