Cyber insurers will be closely monitoring the impact of the new Australian cyber security legislation, which will inevitably lead to increasing scrutiny on organisations and how they respond to data breaches, as well as heightened scrutiny on data processing and how businesses manage their third-party suppliers.
As we relayed in our last update, cyber insurance premiums remain stable due to increasing capacity. Insurers continue to expect policyholders to actively engage with cyber risk from board level down, including the consideration of operational exposures.
Insurers continue to broaden their service offering within cyber policy wordings to include end-to-end claims support and vulnerability scanning and testing, thereby enhancing efforts to mitigate and manage cyber risk before it becomes a larger issue or even a claim.
Greater Government focus on cyber security
The Australian Government has recently released its inaugural Cyber Security Legislation. As detailed here, the changes aim to increase the resilience of Australia’s infrastructure in responding to cyber-attacks, provide greater visibility in reporting of cyber-attacks, and enhance Government powers to intervene.
Increase in high-profile incidents
In 2024, the number of notified data breaches under the National Data Breach (NDB) scheme reached its highest ever level, increasing by more than 9 per cent from 2023, with cyber security incidents representing 38 per cent of the total notifications received. The focus of the NDB is shifting from simply reporting on breaches to education and enforcement action. This is expected to manifest into civil penalties against companies, as witnessed in the recent proceedings taken against Medibank Private Limited.
Company boards and cyber risk
In 2025, we expect to observe more high-profile data breaches making mainstream news. ASIC is putting greater focus on investigating how directors prepare for and respond to cyber-attacks, with legal action being taken by the regulator against directors who fail to adequately prepare for cyber-attacks. Alongside taking proactive steps to review business continuity plans and cyber security policies, companies can take practical steps like tabletop activities or simulations.
The cost of cyber crime
Cyber crime continues to be a persistent and disruptive threat across all industries. Cyber criminals are adapting their approaches, capitalising on new opportunities such as AI deepfake scams. New reforms introduced by the Australian government will greatly impact whether organisations pay ransoms.
Ransomware and data theft continue to impact companies, constituting 11 per cent of all data breach incidents responded to by the Australian Signals Directorate (ASD) in 2024, including a demand for ransomware (a 3 per cent increase from last year). It is important that businesses enact robust security measures that guard against common threats and conduct regular vulnerability scanning to protect and monitor their security systems.
Australian SMEs continue to fall behind in cyber insurance adoption when compared to the rest of the world, with only about 20 per cent having stand-alone cyber insurance. The data, securities and reputation of small businesses are increasingly at risk. The cost of cybercrime is rising, with estimates that it costs the Australian economy around $42B per year. With almost half of all cyber-attacks targeting small businesses (and at an average cost of $49,000 to respond), having robust security controls in place could make all the difference. For small businesses, even a minor breach could have a momentous impact.
Third party data concerns
Anticipated reforms to the Privacy Act in 2024-2025 bring changes to how personal and sensitive information is processed. The legislation is expected to focus on cross-border transfers of personal information, resulting in businesses being held liable for breaches by overseas recipients. Most companies have some component of outsourced data processing, whether it is their web and data hosting to a third party, offshore data centres, software as a service, or other resource planning tools.
Companies should review the contracts they hold with third party suppliers as, if the third-party supplier suffers a breach, the organisation contracting the supplier can be found liable for the breach. Further to this, if a number of individuals have been affected, even if the company is not at fault, responding to and defending the claim can be a costly and time-consuming process.
Conclusion
As organisations navigate the complex and evolving cyber climate in 2025, a proactive approach to cyber security is paramount. Maintaining a focus on incident response, implementing security controls, and reviewing vendor assessment protocols will be crucial for organisations to be able to identify and respond to cyber threats. The cyber insurance landscape continues to develop capability to support organisations in identifying and closing gaps in security.
To review your cyber security controls and ensure compliance with new cyber legislation, speak with your Bellrock Advisor today.