Cyber insurance: Choosing the right cover for your business 

A cyber incident is reported every six minutes in Australia. 

In addition to revealing there were more than 84,700 cybercrime reports in FY25, the Australian Signals Directorate’s (ASD) 2024-25 Cyber Threat Report also showed that cybercrime is costing small businesses an average of $56,600 per incident and medium-sized enterprises an average of $97,200. The costs have risen since FY24 – up 16% for small businesses and up 55% for medium businesses. 

Of course, those are the cyberattacks that are reported – many more are not. 

More SMEs are taking up cyber cover 

Cyberattack is consistently ranked amongst the top, if not the top, risk keeping business owners and management awake at night.  

Cyberattack or data breach remains the number one risk facing businesses in the APAC region, according to the Aon 2025 Global Risk Management Survey, which notes that cyber risk is intensifying, with deepfakes, ransomware, and AI vulnerabilities driving business interruption and reputational damage. Meanwhile, the Allianz Risk Barometer 2025 ranked cyber incidents as the top business risk globally for the fourth year in a row – with 38% of respondents naming it their leading concern. 

According to a McAfee Corp survey that included Australian respondents, 71% of SME participants cited cybersecurity as a major risk factor for their operations. 

There has been a 50% increase in SME take-up of cyber insurance over the past year, and an 85% increase over three years, according to insurance comparison platform BizCover. This sharp rise in cyber cover among SMEs has been noted by other sources too. 

The reasons behind the surge in interest include: 

  • SMEs are prime targets – around half of all cyber incidents affect smaller enterprises, according to the McAfee Corp survey. Some sources indicate that SMEs have experienced a 40% increase in ransomware attacks and a 56% increase in fund transfer fraud incidents in the past year. A study by Astra Security Blog found over 50% of cyber insurance claims now originate from SMEs. 
  • New legislation – requirements such as the Notifiable Data Breach (NDB) scheme, Security of Critical Infrastructure Act, and mandatory reporting of ransomware payments.  
  • Third-party (customers and business partners) expectations – cybersecurity compliance is increasingly required as part of business agreements, contracts and tender processes. 
  • Costs – the escalating financial costs and operational consequences of a cyber incident, including data loss and downtime. 

What should SMEs look for in cyber cover? 

Each business is unique, and your EBM Account Manager can discuss the key cyber risks that your business faces and the mitigation strategies you can employ to help address those risks. Amongst those strategies is ensuring that the business is adequately protected against cyber threats within your insurance program. 

Key to ensuring adequate coverage is securing a policy, or policies, that protect against the specific risks facing your business. 

While every business has some level of cyber risk exposure, the degree and types of risk, together with the likelihood of those risks being realised, varies greatly between businesses.  

Your EBM Account Manager will work with you to identify your business’ cyber risk profile, but there are a few key considerations when looking at cyber cover, including common risks, coverage details, added benefits, and cover requirements. 

What cyber risks are covered? 

When selecting a policy, it is imperative to understand exactly which cyber threats are – and are not – covered. Some common risks include: 

Data breaches 

The Office of the Australian Information Officer (OAIC) noted there were 595 data breaches reported under the NDB scheme in H2 2024. Of those data breaches, 69% were the result of malicious or criminal attacks, while 29% were due to human error, and 2% stemmed from system faults. 

The OAIC reports that 42% of all data breaches resulted from cybersecurity incidents. Within that group, the breakdown was: phishing 34%; ransomware 24%; compromised or stolen credentials 21%; hacking 9%; brute-force attack 7%; and malware 5%. 

Not all businesses are subject to the NDB scheme, and many more data breaches are reported by various sources. 

According to IBM, 241 days is the average length of time taken to identify and contain a data breach, globally, while the average cost of a breach is US$4.4 million. 

Data breaches can have serious ramifications for businesses in terms of financial and reputational costs. The year saw major prosecutions of businesses that suffered data breaches, exposing private information of their customers. Read our article No More Unto the (Data) Breach.  

Ransomware 

Ransomware continues to be a leading threat to Australian SMEs. Australia/New Zealand is the third most targeted region in the world, with 78% of respondents having fallen victim to a ransomware attack in the last year, according to CrowdStrike’s 2025 State of Ransomware Survey. Zscaler ThreatLabz’ 2025 Ransomware Report noted the number of ransomware attacks within Australia had risen 110% over the last 12 months. Last financial year, 11% of all cyber incidents reported to the ASD included ransomware. 

According to research from Opentext Cybersecurity, 40% of Australian businesses experienced at least one ransomware incident in the past year – with nearly half of those being targeted multiple times. Another survey, conducted for Arctic Wolf, found 85% of organisations across Australia and New Zealand reported experiencing at least one cyber incident over the past year. 

Although the Australian Government and various agencies caution against paying ransom demands, the decision remains at the discretion of the impacted business (though businesses with an annual turnover of $3 million or more must now report any ransomware payments to the government within 72 hours). Read our article Ransom Paid. 

Research by Arctic Wolf revealed businesses in Aus/NZ were likely to pay ransoms following an attack, with almost 75% acknowledging they had made payments to avoid data leaks. The Opentext Cybersecurity data also showed that one-third of those hit by ransomware opted to pay the demanded ransom – with 41% of payments exceeding US$250,000.  

If a business might be inclined to pay a ransom, it is important to select a cyber policy that covers this cost. Even if a business is unlikely to pay up, the costs associated with ransomware attacks can be high. CrowdStrike’s survey revealed 86% of Aus/NZ businesses thought they would recover from an attack within 24 hours but, in reality, just 9% did. It also found that, on average, the global cost of downtime following a single attack is US$1.7 million. 

Social engineering 

Social engineering attacks, such as phishing, are an increasing threat to SMEs. Once a cybercriminal has coerced an insider to grant them some form of access, they can wreak havoc through the installation of malware, ransomware, identity theft, and funds transfers. Read our article Hacking the Human. 

Claims data from Emergence Insurance found business email compromise (BEC) was the leading cause of cyber claims, accounting for nearly half of all incidents in 2024. Socially engineered fraud (SEF) was the second most frequent claim type, representing 16% of claims. The insurer noted business interruption (BI) was the main driver of cyber claim costs. 

According to the ASD, phishing was involved in 60% of the incidents reported in FY25. 

When it comes to SEF, it is vital to understand whether losses are covered under a cyber policy. In some instances, SEF is an exclusion. Alternative policies, such as crime cover, may be required to provide protection against SEF. 

Denial of Service (DoS) and Distributed Denial of Service (DDoS) 

In a DoS attack, cybercriminals make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to a network. In a DDoS attack, the traffic flooding the victim originates from many different sources at once. 

These attacks can interrupt business operations, resulting in financial losses, reputational damage, operational disruption, and legal and regulatory ramifications. 

In FY25, there was a 280% increase in the number of DoS and DDoS attacks on Australian businesses, according to the ASD. 

Artificial intelligence (AI) 

Cybercriminals are increasingly using AI to launch more sophisticated and effective attacks. Read our article AI & Cybercrime. 

Through the use of AI, threat actors are deploying more targeted campaigns, such as phishing and other social engineering techniques. Cybercriminals are also using the technology to supercharge attacks, for example, through bots. Read our article Rise of evil chatbots. 

While the fallout from AI-generated or AI-augmented cyberattacks (ransomware, data breach, fraud, identity theft) can often be covered through cyber insurance (see above), other AI-related issues fall outside the cyber cover realm. 

Depending on if and how your business uses AI, other covers may be required. As an example, copyright infringements associated with AI would usually require intellectual property cover. Read our article IP vs AI. 

Management liability covers such as directors’ and officers’ (D&O), employment practices liability (EPL), products and public liability (PPL) or statutory liability would likely be needed to protect the business against AI failures. It is also important to recognise that insurance for some AI risks may not be available. Read our article AI vs Insurance Cover.  

Your EBM Account Manager can explore insurance issues relating to AI with you.     

What is the coverage? 

Beyond what types of cyber threat are covered, it is also essential to understand other coverage matters such as: 

  • Limits of liability: how much cover is provided, in dollar and support terms? For example, is the level of cover sufficient to pay a ransom, investigation costs, statutory fines and so on? 
  • Inclusions: what is included in the cover, when does cover apply and when does it not? For example, does the policy include: 
    • first-party and third-party liability 
    • business interruption (BI) costs (for forced closure or downtime) 
    • data recovery costs 
    • incident response and investigation costs 
    • legal fees 
    • fines and penalties 
    • reputation management. 
  • Exclusions: what is not included in the cover and are there alternative options to cover those risks? For example, SEF may not be covered, and a crime policy may be an option. Other matters that may not be covered include reputation damage, future lost profits, or liability to third parties if compliance requirements are not met. 

What other cover and services does the policy include? 

Cyber insurance policies vary greatly. Some covers offer the ‘bare bones’, while others take a more holistic approach, offering pre-, during and post-incident support. Policy features may include: 

  • Preventative and proactive services (e.g. risk assessments, device scanning, dark web monitoring, online threat intelligence).  
  • Incident response and investigation costs. 
  • Repair and recovery of IT systems and data. 
  • Loss, recovery and decontamination of data. 
  • Cover for financial losses arising from a cyber incident. 
  • Forced closure/downtime (BI cover). 
  • Cover for cybercrime, ransomware and fraud. 
  • Legal costs in defence and investigation. 
  • Government fines and penalties. 
  • Response and resumption services. 
  • Crisis management support. 
  • 24/7 access to cyber experts. 

Other considerations 

When choosing cyber insurance, there are some key considerations in addition to coverage. Your EBM Account Manager will look at policy options for your business that also take into account: 

  • Your risk profile: to ensure the policy selected meets the needs of your business based on the risks it faces, your mitigation strategies, and what viable options exist in the marketplace.  
  • Policy cost: while the cyber market is softening, premiums need to represent value for money and the right balance struck between adequate cover and affordability (evaluating the cost of the policy in relation to the potential financial impacts of cyber incidents). 
  • Insurer requirements: although the criteria for securing cover are less stringent in a soft market, insurers – to varying degrees – still require the business to provide evidence of their cyber practices and risk mitigations (i.e. certain cybersecurity standards need to be met). 
  • Insurer reputation: an insurer is only as good as its claims handling, and prospective carriers should have a strong track record of handling cyber incidents and providing support.  
  • Regulation compliance: the policy should comply with relevant data privacy regulations and industry-specific requirements. 
  • Your insurance program: cover for some cyber-related risks may be found in existing policies, while other risks will require separate cover (where available). 

Key takeaway 

Cyberattacks are a persistent threat against SMEs across Australia. Falling victim to an attack can be not only severely disruptive to operations but also expensive. With the ever-increasing risk, more SMEs are looking at cyber insurance. And when it comes to cover, it is vital to choose the right policy to adequately protect the business. 

With a myriad of policies available, finding the right cyber insurance solution can be challenging. This is where knowing what to look for in a policy is essential – as is getting guidance from a cyber insurance expert broker.  

Need expert guidance? 

Your EBM Account Manager can work with you to determine your cyber risk, develop your risk profile to present to prospective insurers, go to the market on your behalf, provide guidance on cover options, and ensure your cyber policy complements your insurance program. The right policy can provide comprehensive protection against cyber risks and support your business continuity and recovery efforts should you fall victim to an attack. 

Further reading/resources