Australian businesses are facing a different kind of risk than they did even 3 years ago. Data breaches, AI-assisted fraud, and ransomware have moved from rare headlines to routine operating hazards. The insurance market is now scrambling to keep pace.
The Australian Cyber Security Centre (ACSC) reports that cybercrime costs average $56,600 for small businesses and $97,200 for medium businesses.
Overall, cyber incidents cost the Australian economy $33 billion in the last financial year.
That shift is changing how cover is priced, written, and bought. Premiums are rising, exclusions are tightening, and insurers increasingly expect proof of basic security before they will quote.
According to Morgan Insurance Brokers, the shift has been rapid. In less than two years, cyber cover has moved from a low-cost policy add-on to a board-level business concern, widening the gap between companies with strong protection and those still exposed.
Cyber Risk Insurance (Cyber Liability Insurance)
With cyberattacks becoming increasingly sophisticated, businesses—especially those that handle sensitive customer data, store intellectual property, or process online payments—are highly vulnerable.
That’s why cyber risk insurance (or cyber liability insurance) has become essential for businesses to manage the financial, legal, and operational fallout from digital threats like data breaches, ransomware, and online fraud.
It covers expenses that traditional business or commercial liability policies typically exclude.
Australian Cyber Risk Insurance Calculator
This interactive tool helps a business estimate its cyber exposure, likely insurance cost, and the possible financial difference between carrying cyber insurance and absorbing a cyber incident alone.
After answering a short set of cyber risk questions, the calculator returns four estimated figures: a base Australian cybercrime cost benchmark, the estimated loss after risk factors are applied, the estimated excess or deductible, and the estimated net cost to the business once insured.
The Threat Picture Has Shifted
The numbers tell a blunt story. The national notifiable data breaches report records more than 500 reportable breaches every 6 months, with malicious or criminal attacks the leading cause. Health and finance sit among the hardest-hit sectors, and the totals have stayed high for 3 straight years.
Fraud has scaled alongside it. Australians reported more than 2 billion dollars in scam losses in a single recent year, a trend documented by the government’s Scamwatch service.
For a business, one incident can mean weeks of downtime, mandatory breach notifications, regulatory exposure, and lasting reputational damage. Recovery costs frequently run into 6 figures even for a mid-sized firm, well before any fine is considered.
Three forces are driving the change:
- More attacks, with breaches now a routine business event.
- Higher costs, as recovery, notification, and legal bills climb.
- Tighter regulation, raising the price of getting it wrong.
None of this is theoretical. It is the daily backdrop against which insurers now set their terms.
AI Cuts Both Ways
Artificial intelligence is reshaping both sides of the ledger. Attackers use it to craft convincing phishing, clone voices, and probe systems at scale, which lowers the skill needed to cause real harm.
Defenders use the same technology to detect anomalies and respond faster. The trouble is that the offensive use is spreading quicker than many small firms can counter.
A convincing AI-written phishing email now takes seconds to produce, and voice-cloning has turned a 30-second audio clip into a fraud tool. That imbalance is exactly what insurers are pricing in.
The result is a market in flux. Cover that was cheap and broad 2 years ago is now scrutinised line by line. Insurers increasingly model AI-enabled attacks as a base case, not an edge case.
Smaller firms feel this most. They rarely have a dedicated security team to point to when an underwriter asks hard questions. The advice gap, not just the threat, is what leaves them exposed.
What This Means for Your Cover
Insurers have responded by reworking cyber and liability policies. Businesses are feeling it in three ways at once.
- Premiums have climbed, often sharply for higher-risk sectors.
- Exclusions have widened, carving out unpatched systems or weak controls.
- Eligibility has tightened, with multi-factor authentication now a common precondition.
Underwriters increasingly ask for evidence, not assurances. A firm that cannot show basic controls may find cover expensive, limited, or simply unavailable.
The link between a strong security posture and an affordable premium has never been tighter. It is the same dynamic that scammers exploit when they target an organisation's weak points.
Where Brokers Fit In
This complexity is why broker advice has gained value. Comparing cyber policies now means reading fine print on sublimits, waiting periods, and incident-response clauses that vary widely between insurers.
A broker translates that detail into plain terms and matches cover to a firm’s actual risk. They also help a business present itself well to underwriters, which can move a premium meaningfully.
Comparing even 3 or 4 insurers by hand is slow and error-prone. Two policies with similar headline limits can differ sharply once you read the exclusions.
As coverage of Australia’s wider digital gaps shows, infrastructure and risk vary across the country, and tailored advice matters more than a one-size quote.
For small and mid-sized firms without an in-house risk team, that guidance is often the difference between adequate cover and a costly gap.
Lauren Spice, Director of Morgan Insurance Brokers, said clear communication became critical during a recent claims surge, after a hail event left the brokerage handling dozens of claims at once.
She said the first step was to tell clients what was happening, explain who needed urgent help, and move quickly on lodgements, insurer notifications, assessors and repair teams.
Practical Steps for Australian Businesses
The encouraging part is that the same measures that reduce risk also improve insurability. Insurers reward firms that take security seriously.
A sensible starting point:
- Enable multi-factor authentication across all critical systems.
- Keep software patched, since unpatched flaws are a common exclusion.
- Back up data offline, so ransomware loses its grip.
- Train staff on phishing, the entry point for most breaches.
Document those controls, too. Being able to evidence them is increasingly what separates a clean quote from a declined one.
Many insurers now send a short security questionnaire before they will quote, and a complete, honest answer can shave real money off the premium.
Treating these 4 measures as standard practice, rather than a compliance chore, is the cheapest risk reduction most firms can make.
The Market Will Keep Moving
Cyber risk is not a passing concern, and the insurance market will keep adjusting to it. Firms that treat security and cover as linked, not separate, will weather that change best.
Regulators are tightening as well. Mandatory breach reporting is now the norm, and penalties for mishandling personal data have risen.
That adds a compliance dimension to what was once a purely commercial decision. The smart move is to build security, cover, and reporting into one plan rather than three afterthoughts.
The practical takeaways are simple:
- Expect ongoing change in pricing and terms.
- Invest in controls before you renew, not after a claim.
- Get specialist advice when the fine print gets complex.
Handled early, rising cyber risk becomes a managed cost rather than an existential threat. The businesses that adapt now will be the ones still insurable when the next wave arrives.
Morgan’s business insurance page says businesses should not rely on a standard business insurance policy for cyber attacks, directing readers instead to a cyber insurance policy.
It says cyber insurance is “not about if, it’s about when,” and describes it as a necessity for businesses facing data breaches, ransomware, business interruption and incident response costs.
Its 2026 small business insurance guide lists cyber risks as data breaches, ransomware and system crashes that can bring an operation to a standstill.
