Why Cyber Insurance Is No Longer Optional
Cyber insurance has moved from a niche product to a business essential for Australian SMEs. With cyber attacks increasing in frequency and severity, the financial impact of an incident can threaten the survival of a small business. The ACSC reports that cyber crime costs Australian businesses over $33 billion annually, and SMEs bear a disproportionate share.
Cyber insurance does not replace good security practices — it complements them. Think of it as the safety net beneath your security controls. When prevention fails, insurance helps your business survive the financial impact.
What Cyber Insurance Covers
Policies vary between insurers, but typical coverage includes:
First-party costs: Incident response and forensic investigation, data recovery and system restoration, business interruption losses during downtime, ransomware negotiation and payment (though this is increasingly restricted), notification costs under the Notifiable Data Breaches scheme, and crisis communication and public relations.
Third-party liability: Legal defence costs if clients or partners sue following a breach, regulatory fines and penalties (where insurable by law), and settlements or judgments arising from data breaches.
Social engineering coverage: Some policies cover losses from business email compromise and invoice fraud. This is often an optional add-on and may have sub-limits — check the fine print.
What Cyber Insurance Does Not Cover
Common exclusions include loss of future revenue or market value, known vulnerabilities that were not patched, incidents resulting from deliberate non-compliance with security requirements, infrastructure failures unrelated to cyber events, and war and state-sponsored attacks (an increasingly contentious exclusion).
Read your policy carefully. Exclusions related to unpatched systems and non-compliance are particularly relevant — if your insurer can demonstrate you failed to maintain basic security controls, they may deny your claim.
What Insurers Expect From You
Cyber insurance underwriting has become significantly more rigorous. Insurers now require evidence of specific security controls before providing coverage. Common requirements include multi-factor authentication on all remote access and email, endpoint detection and response (EDR) on all devices, regular patching of operating systems and applications, encrypted and tested backups (including offline or immutable copies), email security controls including SPF, DKIM, and DMARC, security awareness training for staff, and an incident response plan.
Businesses that cannot demonstrate these controls may face higher premiums, reduced coverage, or outright refusal. The good news is that much of this list overlaps with the ASD Essential Eight: MFA, patching of operating systems and applications, and regular backups are Essential Eight strategies, so maturing against that framework covers a large part of the insurance checklist. EDR, email authentication (SPF, DKIM and DMARC), awareness training and an incident response plan sit outside the Essential Eight and need to be addressed separately.
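The email authentication controls above are the easiest of the insurer's requirements to verify yourself, because SPF and DMARC are public DNS TXT records. The following is an added example, not code from the original page or from TechAssist, that parses SPF and DMARC records and flags the weaknesses an underwriter (or an attacker) would notice: a missing record, an SPF that ends in "+all" or "?all" and so rejects nothing, an SPF that exceeds the 10-DNS-lookup limit and therefore fails evaluation, and a DMARC policy of p=none or a partial pct. The domains and records are constructed for the example; lookup_txt() is a stand-in you would replace with a real DNS query. DKIM is not checked because it requires knowing the selector names your mail provider uses.

```python
"""Assess SPF and DMARC records for the policy strength insurers ask about.

Added example. SAMPLE_TXT holds constructed records for hypothetical
domains; swap lookup_txt() for a real TXT query (e.g. dnspython) to
check your own domain.
"""

# Constructed sample TXT records keyed by DNS name (not real domains).
SAMPLE_TXT = {
    "weak.example": ["v=spf1 include:spf.mailer.example +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "strong.example": ["v=spf1 ip4:203.0.113.0/24 include:spf.mailer.example -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong.example"],
    # Eleven include: mechanisms breach the RFC 7208 limit of 10 DNS lookups.
    "bloated.example": ["v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " ~all"],
    "_dmarc.bloated.example": ["v=DMARC1; p=quarantine; pct=25"],
}


def lookup_txt(name):
    """Stand-in for a DNS TXT lookup; returns a list of record strings."""
    return SAMPLE_TXT.get(name, [])


def parse_spf(records):
    """Return the 'all' qualifier and DNS-lookup count of an SPF record, or None/error."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return None
    if len(spf) > 1:
        return {"error": "multiple SPF records (RFC 7208 treats this as a permanent error)"}
    terms = spf[0].split()[1:]
    lookups = 0
    all_qualifier = None
    for term in terms:
        t = term.lower()
        mech = t.lstrip("+-~?")
        # Mechanisms that cost a DNS lookup: a, mx, ptr, include, exists, redirect.
        name = mech.split(":", 1)[0].split("/", 1)[0]
        if name in ("a", "mx", "ptr") or mech.startswith(("include:", "exists:", "redirect=")):
            lookups += 1
        if mech == "all":
            all_qualifier = t[0] if t[0] in "+-~?" else "+"
    return {"all": all_qualifier, "lookups": lookups, "terms": terms}


def parse_dmarc(records):
    """Return DMARC tags as a dict, or None if no DMARC record is present."""
    rec = [r for r in records if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if not rec:
        return None
    tags = {}
    for part in rec[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_domain(domain, lookup=lookup_txt):
    """Collect findings for a domain; it passes only when there are none."""
    findings = []
    spf = parse_spf(lookup(domain))
    if spf is None:
        findings.append("SPF: no record, so any server can send as this domain")
    elif "error" in spf:
        findings.append("SPF: " + spf["error"])
    else:
        qualifier = spf["all"] or "missing"
        if spf["all"] in (None, "+", "?"):
            findings.append(f"SPF: '{qualifier}all' does not reject unauthorised senders")
        if spf["lookups"] > 10:
            findings.append(f"SPF: {spf['lookups']} DNS lookups exceeds the 10-lookup limit (permerror)")
    dmarc = parse_dmarc(lookup("_dmarc." + domain))
    if dmarc is None:
        findings.append("DMARC: no record")
    else:
        if dmarc.get("p", "none").lower() not in ("quarantine", "reject"):
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        pct = int(dmarc.get("pct", "100"))
        if pct < 100:
            findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of mail")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so aggregate reports are not collected")
    return {"domain": domain, "findings": findings, "passes": not findings}


if __name__ == "__main__":
    for d in ("weak.example", "strong.example", "bloated.example", "nothing.example"):
        result = evaluate_domain(d)
        print(d, "PASS" if result["passes"] else "FAIL")
        for f in result["findings"]:
            print("  -", f)
```

Run it before the insurance questionnaire arrives: a "~all" SPF with p=quarantine is usually enough to answer "yes" honestly, while p=none means the DMARC box is not really ticked.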
How Much Does It Cost?
Premiums for Australian SMEs typically range from $1,500 to $10,000 per year, depending on the business size and revenue, industry (legal and financial services pay more), coverage limits (typically $250,000 to $5 million), security posture (better controls mean lower premiums), and claims history.
Given that the average cost of a cyber incident for an SME exceeds $46,000, the premium is modest relative to the potential loss.
How to Choose a Policy
Work with a broker who specialises in cyber insurance. They understand the nuances of different policies and can match coverage to your risk profile. Key questions to ask: What is the retroactive date, and does the policy cover incidents that occurred before the policy start date but were only discovered during the policy period? What are the sub-limits for specific coverage areas such as social engineering or regulatory fines? Is ransomware payment covered, and under what conditions? Who is on the insurer's incident response panel, and can you choose your own providers? Are there any co-insurance or self-insured retention (excess) requirements?
Cyber Insurance and Legal Practices
Professional indemnity insurance for solicitors typically excludes cyber events. A standalone cyber policy fills this gap. Given the sensitivity of client data and the trust account exposure, cyber insurance is particularly important for legal practices. Some law societies are beginning to recommend or require it.
Cyber Insurance and the Claims Process
If an incident occurs, contact your insurer immediately — most policies require notification within 24 to 72 hours. The insurer will typically assign an incident response team to assist with containment and investigation. Do not engage your own forensic investigators or make public statements without coordinating with the insurer, as this may affect your coverage.
Getting Started
Before approaching an insurer, get your security house in order. Implement MFA, EDR, and regular backups at minimum. These controls reduce your premiums and — more importantly — reduce the likelihood of needing to make a claim. Contact TechAssist to assess your security posture and prepare for a cyber insurance application.