What Australian Businesses Need to Know About Cyber Insurance
Cybersecurity insurance has moved from a niche product for large enterprises to an essential consideration for businesses of all sizes. The average global cost of a data breach now exceeds $4.45 million — and around 60% of small businesses that suffer a significant cyber incident close within six months. For most SMBs, a single serious breach without insurance coverage is an existential event.
But the cyber insurance market has changed significantly in recent years, and many businesses are finding it harder and more expensive to get the coverage they need. Here’s what you need to know.
What Cyber Insurance Covers
A standard cyber insurance policy covers the typical costs associated with a data breach or cyberattack, including recovering compromised data, repairing affected systems, notifying customers, providing identity monitoring for affected individuals, IT forensics to investigate the incident, legal expenses, and in some cases ransomware payments. The specifics vary significantly between insurers and policies, which is why reading the fine print carefully matters.
Premiums Are Increasing
As the volume and cost of cyberattacks have grown, insurance payouts have risen sharply, and insurers have responded by increasing premiums substantially. This trend has continued in recent years and shows no sign of reversing. Cyber insurance is becoming more expensive at exactly the same time as it is becoming more necessary. Businesses that delay getting coverage risk facing even higher premiums when they eventually do apply.
Demand Is Growing
Businesses across every sector are recognising that cyber insurance is as essential as their general business liability coverage. With more organisations seeking coverage, the market is expanding and more policy options are becoming available — which is good for buyers willing to do their research and compare policies carefully.
Certain Coverages Are Being Dropped or Restricted
Two areas in particular are becoming harder to insure.
Nation-state attacks — cyberattacks originating from or sponsored by foreign governments — are being excluded from some policies. This matters more than it might seem, because many major ransomware groups have ties to nation-state actors. If a policy excludes nation-state attacks, a ransomware incident could potentially fall outside its coverage depending on the attacker’s origin.
Ransomware payouts are also being restricted or removed from some policies. Insurers have grown reluctant to cover organisations that haven’t taken adequate steps to prevent ransomware or protect their backups. This puts a greater burden on businesses to ensure their backup and recovery strategy is genuinely robust — and tested — rather than relying on insurance as a safety net.
Before signing any policy, confirm exactly what is and isn’t covered for both of these scenarios.
It’s Harder to Qualify
Insurers are increasingly selective about who they will cover. Businesses with poor cyber hygiene — weak passwords, no MFA, outdated software, no security training — will find it difficult to qualify, and may be offered only limited coverage at high premiums even if they do.
When you apply, expect a detailed questionnaire covering your current security posture. Insurers typically ask about network security, multi-factor authentication, BYOD and device management policies, advanced threat protection, automated security processes, backup and recovery strategy, administrative access controls, anti-phishing measures, and employee security training.
The good news is that working through these questions with your IT provider before applying serves two purposes — it helps you qualify for better coverage at lower premiums, and it identifies genuine security gaps that are worth fixing regardless of the insurance outcome.
Getting the Right Coverage
Cyber insurance applications are more complex than most business insurance products, and answering questions incorrectly can mean paying significantly more than you should — or finding out at claim time that you’re not actually covered for what happened.
Carter Tech can help you understand what insurers are looking for, identify security improvements that will strengthen your application, and ensure you’re not paying for coverage you don’t need or missing coverage you do. Contact us to discuss your situation.





