Cyber Insurance: A Plain-English Guide for Small Business
What does cyber insurance actually cover? How much does it cost? Do you need it? Everything Australian SMBs need to know about cyber insurance.
Cyber insurance is one of those topics that makes most small business owners' eyes glaze over. It sounds expensive, complicated, and perhaps unnecessary — surely your general business insurance covers this stuff? The answer, in most cases, is no. And with cyber incidents costing Australian small businesses tens of thousands of dollars on average, understanding what cyber insurance is and whether you need it is increasingly important.
What Is Cyber Insurance?
Cyber insurance (sometimes called cyber liability insurance) is a policy specifically designed to cover your business for losses arising from cyber incidents. Unlike your standard public liability or business interruption insurance — which typically excludes or has very limited coverage for cyber events — a dedicated cyber policy is built around the unique costs that come with data breaches, ransomware attacks, and other digital threats.
Think of it this way: if a fire damaged your office, your building and contents insurance would respond. But if a hacker encrypted all your files and demanded a ransom, or a staff member accidentally emailed a customer database to the wrong person, that's a cyber insurance job.
What Does Cyber Insurance Actually Cover?
Policies vary significantly between insurers, so always read the Product Disclosure Statement (PDS) carefully. But most comprehensive cyber insurance policies for small businesses in Australia will cover some or all of the following:
First-Party Costs (Things That Happen to You)
- Incident response costs: The cost of hiring forensic IT experts to understand what happened, contain the damage, and recover your systems
- Business interruption: Lost revenue and ongoing fixed costs while your systems are down
- Data recovery: The cost of restoring or recreating lost or corrupted data
- Ransomware payments: Some policies will cover ransom payments (though paying ransoms is generally discouraged by the ACSC)
- Notification costs: Under Australia's Notifiable Data Breaches scheme, you may need to notify affected customers — the costs of doing so can be significant
- Public relations and reputation management: Help managing the reputational fallout from a breach
- Credit monitoring: If customer financial data was exposed, providing credit monitoring services to affected individuals
Third-Party Costs (Things That Affect Others)
- Privacy liability: If a customer or employee sues you because their personal information was compromised in a breach
- Regulatory defence and fines: Defending an investigation by the OAIC or other regulators, and potentially covering resulting fines (though not all policies cover fines — check carefully)
- Network security liability: If your compromised systems are used to attack a third party
- Media liability: For content-related claims arising from your online presence
What Cyber Insurance Does NOT Cover
Just as important as knowing what's covered is understanding what isn't. Common exclusions include:
- Prior breaches: If you had a breach before taking out the policy, it won't be covered
- Unencrypted data: Some policies exclude breaches of data that wasn't encrypted when it should have been
- Failure to maintain basic security: If you had not been applying software updates or had no antivirus protection in place, some insurers may decline the claim
- Intentional acts: Fraud or deliberate misconduct by you or your staff
- Physical damage: Cyber policies generally don't cover physical damage to equipment (that's covered by other policies)
- War and nation-state attacks: This exclusion is becoming increasingly common and is worth scrutinising carefully
How Much Does Cyber Insurance Cost?
For a small Australian business, cyber insurance premiums can range from around $500 to $5,000 per year, depending on factors including:
- Your industry (health, finance, and legal sectors face higher premiums due to the sensitivity of data they handle)
- Your annual revenue
- The amount of personal or sensitive data you hold
- Your existing security controls — businesses with stronger security (MFA, regular patching, staff training) typically pay less
- The coverage limits and excesses you choose
When comparing policies, don't just look at price. A cheap policy with a high excess and narrow coverage may leave you significantly exposed.
Do You Actually Need Cyber Insurance?
The honest answer is: it depends on your risk profile. Consider cyber insurance seriously if any of the following apply:
- You hold personal information about customers, patients, or employees (most businesses do)
- You process credit card or other payment information
- Your business would be seriously disrupted if your systems were offline for several days
- You operate in a high-risk sector like health, legal, financial services, or retail
- You don't have the financial reserves to absorb a $20,000–$50,000 unexpected cost
- Your contracts with clients or suppliers require you to maintain cyber insurance
If you're a sole trader with minimal customer data and work primarily offline, the cost-benefit calculation is different. But for most businesses with staff, customer databases, and cloud systems, cyber insurance is increasingly a sensible part of your risk management toolkit.
Before You Buy: Improve Your Security First
Insurers are increasingly scrutinising applicants' security practices at underwriting. If you apply without basic controls in place, you may be declined, face a significantly higher premium, or find that a future claim is rejected because you didn't meet the policy's security requirements.
The basics insurers typically want to see include:
- Multi-factor authentication on email and key business systems
- Regular software and security updates applied promptly
- Regular data backups stored separately from your main systems
- Staff training on phishing and social engineering
- A basic written cyber security policy
Investing in these controls first isn't just good for getting insurance — it's good for your business regardless.
How to Find Cyber Insurance in Australia
You can access cyber insurance through:
- Your existing business insurance broker: A good starting point — they can often add cyber cover to your existing portfolio
- Specialist cyber insurance brokers: For more tailored advice, particularly if you hold significant amounts of sensitive data
- Direct insurers: Some insurers offer packaged cyber policies directly to small businesses online
Always get at least two or three quotes and, importantly, read the PDS — particularly the exclusions section. Ask your broker specifically about the "nation-state" exclusion and how claims are handled if your insurer disputes whether you met your security obligations.
Key Takeaways
- Standard business insurance typically does NOT cover cyber incidents — you need a dedicated cyber policy.
- Cyber insurance can cover incident response, business interruption, data recovery, notification costs, and legal liability.
- Key exclusions include prior breaches, unencrypted data, and failure to maintain basic security controls.
- Premiums for Australian small businesses typically range from $500 to $5,000 per year depending on your risk profile.
- Improve your basic security controls before applying — it affects both your premium and your ability to make a claim.
- Always compare policies on coverage breadth, not just price, and read the exclusions carefully.
Before shopping for cyber insurance, it helps to understand your current risk profile. Take the free assessment at flagged.com.au to identify your key vulnerabilities — the results will help you have a more informed conversation with your insurance broker and potentially secure a better premium.