Cyber Insurance Requirements in Australia
Cyberattacks continue to rise across Australia. The Australian Cyber Security Centre recorded more than 42,500 phone calls to the Australian Cyber Security Hotline (up 16% from the previous year), and self-reported losses per cybercrime incident rose to $80,850 on average (up 8%).
Cyber risks are increasing and becoming more complex, and many small businesses are exposed.
So, when it comes to cyber risks and cyber insurance, what are your obligations as a business owner?
What is cyber insurance?
Generally speaking, cyber insurance is designed to protect your business against financial loss arising from a cyber incident. This may include events such as malware infections, ransomware attacks, data breaches, or system outages that disrupt operations. While coverage varies by policy and provider, cyber insurance commonly includes support for incident response, data recovery, system restoration, and liability claims made against your business following a security breach.
Is cyber insurance compulsory?
Cyber insurance is not a legal requirement in Australia. However, it is increasingly considered essential for many businesses due to the financial, legal, and operational impact a cyber incident can cause.
Some highly regulated sectors may have certain cybersecurity compliance obligations around governance, risk controls and data protection duties. Part of these obligations could involve purchasing adequate cover. For example, the Australian Prudential Regulation Authority's (APRA) CPS 234 standard requires regulated financial institutions to maintain strong information security. APRA has underscored that cyber risks are a significant systems and controls issue.
Separately, some clients or government agencies may require potential contractors to hold cyber insurance as part of their terms. It may not be required by law, but it could help you secure more work.
Increased financial sector cybersecurity requirements
Financial services businesses hold large volumes of personal information. This can include names, contact details, identity numbers, account information and sensitive financial data. The nature and scale of this data makes these organisations a prime target for cyberattacks. A breach can expose customer records and disrupt services, impacting finances and reputation.
Both APRA and ASIC expect boards and senior leaders to embed cyber risk thinking into a risk management plan.
APRA requires regulated financial institutions to maintain strong information security frameworks. Under CPS 234 Information Security, banks, insurers, super funds and other APRA-regulated entities must implement measures to protect information assets from cyberattacks and other information security incidents. This includes having systems and controls that match the size, sensitivity and threat profile of the data they hold, and notifying APRA of material security incidents.
ASIC has also made it clear that cyber resilience is a key part of good risk management for licensed entities. Licensees must manage cyber security risks under their existing legal obligations, such as those in the Corporations Act 2001, and ensure they have systems and processes to detect, respond to and recover from cyber incidents.
These requirements do not apply to all small businesses, but they show how cybersecurity expectations are shifting in regulated industries. Other sectors may move in a similar direction over time.
Cybersecurity cover benefits
Cyber insurance can include a range of benefits. The scope of cover differs between policies, so it is important to review the policy wording to confirm what is included. Common benefits may include:
- Assistance with notifying affected customers if required by privacy laws.
- Incident response support to help contain and manage the event.
- Data recovery services for lost or corrupted information.
- Business interruption support that may help with lost income during downtime.
- System repair and restoration costs.
- Liability cover for claims made after a data breach.
- Access to legal and communication support to help manage reputational concerns.
Key considerations when choosing a cybersecurity policy
Selecting the right cyber insurance policy is important to help ensure your business is protected against digital threats. Before choosing cover, consider the following factors:
- The type of data your business holds and how sensitive it is.
- Whether the policy covers first party losses, third party losses or both.
- The insurer’s incident response process and support teams.
- Any exclusions or limits that could affect your situation.
- How the policy fits within your broader risk approach.
If you are looking for cyber protection, BizCover offers Cyber Liability insurance from selected leading Australian insurers.
This information is general only and does not take into account your objectives, financial situation or needs. It should not be relied upon as advice. As with any insurance, cover will be subject to the terms, conditions and exclusions contained in the policy wording or Product Disclosure Statement (available on our website). Please consider whether the advice is suitable for you before proceeding with any purchase. Target Market Determination document is also available (as applicable). © 2026 BizCover Pty Limited, all rights reserved. ABN 68 127 707 975; AFSL 501769.



