Do I Need Cyber Insurance for My Small Business?
Five years ago, cyber insurance was something only banks and hospitals bought. Today, Australian insurers are writing cyber policies for businesses with five employees. The market has changed fast - and if you're running a Melbourne SMB, you need to understand what's happening, because the question is shifting from "should I get it?" to "will anyone insure me?"
What Cyber Insurance Actually Covers
Cyber insurance isn't one product. It's a bundle of coverages that typically includes:
- Incident response costs: Forensic investigation, legal advice, crisis communication - the experts you need the moment an attack is detected.
- Business interruption: Lost revenue while your systems are down. For a business doing $50K/month in online orders, two weeks of downtime is a $25K hit.
- Data restoration: The cost of recovering or rebuilding corrupted data, including emergency IT labour.
- Ransom payments: Some policies cover ransom payments and the negotiation costs (though this is increasingly restricted).
- Legal liability and regulatory fines: If customer data is breached, you may face lawsuits and OAIC penalties. Legal defence alone can exceed $100K. Read the wording on penalties: insurers generally cover them only where the law allows a penalty to be insured, so don't assume a fine is automatically claimable.
- Notification costs: Under the Notifiable Data Breaches scheme, you may be required to notify the OAIC and affected individuals. Printing, postage, call-centre setup, and credit monitoring for affected customers add up fast.
Real Example
A Melbourne-based accounting firm with 12 staff was hit by a Business Email Compromise attack. The attacker impersonated the managing partner and directed a $48,000 payment to a fraudulent account. Their cyber policy covered the full loss plus forensic investigation costs - total claim: $71,000. Without insurance, that's coming out of the partners' pockets. One caveat: not every policy treats BEC this way. Money your own staff transfer under false instructions is often a separate "social engineering" or "funds transfer fraud" cover with its own sub-limit, so confirm it is included rather than assuming it.
What Insurers Are Now Demanding (And Why It Matters)
Here's the part most SMB owners don't know: you can't just buy a policy anymore. Insurers have been burned by a wave of claims and are now requiring applicants to demonstrate a baseline level of security before they'll even quote.
The standard requirements now include:
- Multi-factor authentication on all email and remote access: This is non-negotiable. If you don't have MFA, you won't get a quote.
- Tested, offline backups: "We back up to an external drive that sits next to the server" isn't going to cut it. Insurers want air-gapped or immutable backups that ransomware can't reach, plus evidence that you have actually restored from them - a backup you've never tested is a hope, not a control.
- Endpoint detection and response (EDR): Traditional antivirus is no longer considered adequate. Insurers expect active threat detection on all endpoints.
- Patch management: A documented process for applying security updates within defined timeframes - typically 14 days for critical patches.
- Security awareness training: Your staff need to be trained to recognise phishing. Most insurers require annual training with phishing simulation testing.
Think of it like car insurance: you can't get comprehensive coverage if your car doesn't have working brakes. Cyber insurers are applying the same logic - show us you've done the basics, then we'll talk.
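Four of the five requirements above can be checked against evidence you already hold (an identity-provider export, an EDR console export, backup job history, a patch log). The script below is an added example, not part of the article and not any insurer's actual questionnaire: it runs those checks over constructed records and produces the kind of readiness summary a broker will ask for. The 14-day patch window is the figure quoted above; the 90-day restore-test window and the placeholder advisory IDs are my own assumptions. Awareness training is omitted because it is a records question, not something a script can verify.

```python
"""Insurer-readiness check over constructed evidence records.

Added example, not the article's own material. Thresholds are assumptions:
PATCH_SLA_DAYS matches the 14 days quoted in the article; the restore-test
window is an arbitrary choice; advisory IDs below are placeholders.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

PATCH_SLA_DAYS = 14              # critical patches applied within this many days
RESTORE_TEST_MAX_AGE_DAYS = 90   # a backup copy counts as "tested" if restored from recently


@dataclass
class Account:
    name: str
    mfa_enforced: bool
    remote_access: bool  # can reach email/VPN/RDP from outside the office


@dataclass
class Endpoint:
    hostname: str
    edr_agent_healthy: bool  # agent installed AND reporting to the console


@dataclass
class BackupCopy:
    location: str
    immutable_or_offline: bool          # ransomware on the network cannot alter it
    last_restore_test: Optional[date]   # None means never restored from


@dataclass
class CriticalPatch:
    advisory: str               # placeholder vendor advisory reference
    host: str
    released: date
    applied: Optional[date]     # None means still outstanding


def mfa_gaps(accounts: List[Account]) -> List[str]:
    """Every account without MFA is a gap; insurers don't accept exceptions."""
    return sorted(a.name for a in accounts if not a.mfa_enforced)


def edr_gaps(endpoints: List[Endpoint]) -> List[str]:
    """Hosts with no healthy EDR agent (installed-but-silent counts as missing)."""
    return sorted(e.hostname for e in endpoints if not e.edr_agent_healthy)


def backups_ok(copies: List[BackupCopy], today: date) -> bool:
    """Pass only if ONE copy is both unreachable by ransomware and recently restore-tested."""
    return any(
        c.immutable_or_offline
        and c.last_restore_test is not None
        and (today - c.last_restore_test).days <= RESTORE_TEST_MAX_AGE_DAYS
        for c in copies
    )


def overdue_patches(patches: List[CriticalPatch], today: date) -> List[Tuple[str, str, int]]:
    """(advisory, host, days past SLA); unapplied patches are measured up to today."""
    late = []
    for p in patches:
        elapsed = ((p.applied or today) - p.released).days
        if elapsed > PATCH_SLA_DAYS:
            late.append((p.advisory, p.host, elapsed - PATCH_SLA_DAYS))
    return late


def readiness_report(accounts, endpoints, copies, patches, today: date) -> Dict:
    report = {
        "mfa_missing": mfa_gaps(accounts),
        "edr_missing": edr_gaps(endpoints),
        "backups_ok": backups_ok(copies, today),
        "patches_overdue": overdue_patches(patches, today),
    }
    report["insurable_baseline"] = (
        not report["mfa_missing"] and not report["edr_missing"]
        and report["backups_ok"] and not report["patches_overdue"]
    )
    return report


def sample_evidence():
    """Constructed records for a fictional 12-seat firm; not real data."""
    today = date(2024, 6, 30)
    accounts = [
        Account("partner@firm.example", True, True),
        Account("reception@firm.example", False, False),
        Account("vpn-contractor", False, True),
        Account("bookkeeper@firm.example", True, True),
    ]
    endpoints = [Endpoint("ws-01", True), Endpoint("ws-02", False), Endpoint("srv-files", True)]
    copies = [
        BackupCopy("USB drive beside server", False, None),
        BackupCopy("cloud object storage (object lock)", True, date(2024, 5, 21)),
    ]
    patches = [
        CriticalPatch("ADV-2024-001", "srv-files", date(2024, 6, 1), date(2024, 6, 6)),
        CriticalPatch("ADV-2024-002", "ws-01", date(2024, 5, 1), date(2024, 5, 25)),
        CriticalPatch("ADV-2024-003", "ws-02", date(2024, 6, 1), None),
    ]
    return accounts, endpoints, copies, patches, today


if __name__ == "__main__":
    for key, value in readiness_report(*sample_evidence()).items():
        print(f"{key}: {value}")
```

On the constructed data the firm fails on MFA (a shared mailbox and a contractor VPN login), one workstation without EDR, and two critical patches past the window, while the immutable cloud copy with a recent restore test passes the backup check. The point of writing the checks this way is that each one reads as a yes/no an underwriter can accept: "all accounts" means all, and an installed EDR agent that is not reporting is treated as absent.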
How Much Does It Cost?
For a typical Melbourne SMB with 10-50 staff and $1M-$5M in coverage:
- Premium: $1,500–$5,000 per year, depending on your industry, security posture, and claims history.
- Excess: Typically $2,500–$10,000 per claim.
Premiums have risen 30-50% year-on-year since 2021, driven by the surge in ransomware claims. But the cost of not having coverage - a single incident that costs $150K+ - dwarfs the premium.
Do You Need It?
Ask yourself three questions:
- Do you hold customer data? Names, emails, phone numbers, payment details - if you have any of these, you have exposure under the Privacy Act. The small business exemption covers many businesses under $3M turnover, but health service providers and businesses that trade in personal information are covered regardless of size, and a breach hurts your customers and your reputation either way.
- Could your business survive two weeks of downtime? If the answer is "barely" or "no," you need business interruption coverage.
- Do you rely on email to send or receive payments? Business Email Compromise is the most common - and most lucrative - attack against SMBs. If you move money via email instructions, you are a target.
If you answered "yes" to any of these, cyber insurance should be on your radar. If you answered "yes" to two or more, it should be a priority.
How to Get Insurable
The good news: the security baseline insurers require is the same baseline that actually protects your business. It's not a box-ticking exercise - it's the minimum effective defence against the threats that are actually hitting Australian SMBs right now.
Here's the three-step path:
- Get an honest assessment of your current security posture. You can't fix what you don't know is broken.
- Close the gaps the insurer is going to ask about. MFA, backups, patching, EDR - in that order.
- Approach a broker who specialises in cyber insurance for SMBs. Generic business insurance brokers often don't understand the cyber market.
Get insurable - start with a free health check
We'll audit your security posture against the standard insurer requirements and tell you exactly what needs attention. No obligation, no pitch - just a clear one-page report.
Disclaimer: This article provides general information and does not constitute insurance or legal advice. Consult a licensed insurance broker and legal professional for advice specific to your situation.