The Australian cyber insurance market has changed substantially since 2020. A significant increase in ransomware claims led to premium increases, sub-limits on ransomware coverage, and the introduction of security control requirements as a condition of coverage. Businesses that have not reviewed their policy recently may have assumptions about their coverage that no longer hold.
What Policies Typically Cover
Incident response and forensic investigation costs.
Business interruption losses during system downtime.
Ransom payments, usually subject to a sub-limit and conditions.
Notification costs under the Notifiable Data Breaches (NDB) scheme.
Regulatory defence costs.
Third-party liability for privacy breaches.
What Policies Typically Exclude
Failure to maintain specified security controls, particularly MFA, is a common exclusion trigger. War and state-sponsored attack exclusions have expanded following high-profile incidents. Bodily injury and property damage arising from a cyber incident are typically excluded. Pre-existing conditions, meaning known vulnerabilities not disclosed at application, are also excluded.
Security Control Requirements
Most policies now require MFA on remote access systems, email platforms, and privileged accounts as a condition of coverage. Some require EDR deployment, regular backups tested within defined timeframes, and patch management within specified windows. Misrepresenting security controls at application can void a policy at the point of claim.
Should we prioritise cyber insurance or security investment?
The framing is incorrect — they are not alternatives. Insurance covers residual risk after controls are in place. Controls reduce both the likelihood of an incident and the insurance premium. Businesses that invest in genuine security controls pay less for better coverage. Businesses that buy insurance without investing in controls pay more for narrower coverage that may not respond when needed.