
Cyber Insurance in Australia: What It Covers and What It Doesn't


Cyber incidents have become a matter of "when," not "if" for many businesses. Cyber insurance has emerged as an important risk management tool — but it's not a substitute for good security practices, and it doesn't cover everything people assume it does.

Here's what to know.

What is cyber insurance?

Cyber insurance (also called cyber liability insurance) is a policy that helps businesses manage the financial consequences of a cyber incident — including data breaches, ransomware, business interruption, and legal liability.

What it typically covers:

  • Business interruption: Revenue lost during the period your systems are down
  • Data breach response costs: Forensic investigation, breach notifications, credit monitoring for affected customers
  • Ransomware: Some policies cover ransom payments (though this is controversial) and recovery costs
  • Legal costs: If affected customers or regulators take legal action
  • Regulatory fines: Some policies cover Privacy Act fines, though this varies
  • PR and crisis management: Communications help after a breach

What cyber insurance often does NOT cover:

  • Incidents caused by insufficient security practices. If you failed to implement reasonable security controls (like MFA or patching) and that directly enabled the breach, your claim may be denied.
  • Pre-existing compromises. Losses arising from systems that were already known to be compromised before the policy started.
  • Social engineering losses. Some policies exclude or limit coverage for fraud caused by social engineering (like BEC). Read the fine print carefully.
  • Reputational damage. Lost business due to reputational harm after a breach is generally not covered.
  • Intellectual property theft.

The security requirements trap

Insurers increasingly require businesses to implement baseline security practices as a condition of coverage. If you don't:

  • Use MFA on email and key systems
  • Have patching and update processes
  • Conduct staff security training
  • Have a data backup and recovery process

...you may find your claim denied, or struggle to get cover at all.

Should your business get cyber insurance?

For most Australian businesses that handle customer data, process payments, or rely on digital systems — yes, it's worth considering. The cost of a single incident (averaging $46,000 for SMBs) typically far exceeds annual premiums for reasonable coverage.

But cyber insurance works best as a safety net, not a primary strategy. It doesn't prevent breaches — only good security practices do that.

Getting a quote

Talk to a business insurance broker about cyber liability. Ask specifically about social engineering coverage and security requirement clauses.
