The cyber insurance market is entering one of its softest phases in recent years, with premiums easing across several sectors. While this shift does not necessarily indicate a broad uplift in cyber maturity, it does create more favourable conditions for those wishing to obtain cover.
Insurers are increasingly using external scanning and vulnerability testing instead of traditional proposal forms, enabling independent verification of risk and reducing administrative burden. This approach supports the development of comprehensive cybersecurity-focused policies, including enhanced incident response services, helping organisations strengthen their security posture and respond effectively to emerging threats.
AI risk
The rapid adoption of artificial intelligence is prompting insurers to reassess their risk exposure, with some now excluding AI-related liabilities from their standard corporate policies. This reflects growing concern around emerging technologies, particularly autonomous ‘agentic’ AI systems. As these systems evolve from simple chatbots to tools capable of executing code or performing transactions, traditional insurance models may be less capable of addressing the associated risks.
In December 2025, the Australian Federal Government released its National AI Plan, which sets out the steps the government will take to support an AI-enabled economy. This includes establishing an Australian AI Safety Institute, which will monitor and share insights and information on emerging AI capabilities. Its insights will support ministers and regulators to maintain safety measures and create frameworks that keep pace with rapid technological change.
Ransomware remains a pervasive threat
As we reported back in October 2025, Australia faces increasing cyber threats from both state-sponsored and criminal actors. Data breaches remain prevalent across key sectors, with a notable escalation in attacks on critical infrastructure. The growing interconnectivity between IT systems and operational technology is fuelling cyber incidents, shifting incidents beyond simple data theft toward actual physical damage to equipment and production environments.
Ransomware remains a persistent and evolving threat, increasingly targeting sensitive data rather than just system encryption. While strong backups aid recovery, protecting customer information and trade secrets requires robust cyber security measures and proactive threat detection.
Throughout the last six months of 2025, the Department of Home Affairs has focused on education in order to encourage early compliance with the new ransomware reporting obligations. From 1 January 2026, Phase 2 will emphasise active compliance with additional guidance, and gradual formal enforcement expected throughout the year.
Regulatory changes
In 2025, changes to the Privacy Act 2024 (Cth) and landmark enforcement actions marked a new era of accountability for data protection.
The first civil penalty judgment under the Privacy Act demonstrated the Office of the Australian Information Commissioner’s stronger enforcement stance, while the new statutory tort for serious invasions of privacy enables individuals to sue without proving damage, extending protections beyond the existing Australian Privacy Principle obligations.
The Australian Signals Directorate (ASD) continues to reinforce the critical role boards play in overseeing and strengthening their organisation’s cyber security capabilities. We expect the Australian Securities and Investments Commission to continue to focus on Australian Financial Services Licence holders that lack adequate cyber security controls.[1]
Emerging technologies and the road ahead
Cyber criminals are expected to increasingly leverage artificial intelligence for sophisticated, targeted attacks. Autonomous (agentic) AI systems could probe networks, exploit vulnerabilities and gaps at scale, while advances in large language models may enable fully automated social engineering campaigns capable of convincingly impersonating organisations and deceiving employees.
Emerging technologies such as quantum computing also present significant long-term risks. With a cryptographically relevant quantum computer (CRQC) on the horizon, Australian organisations are being urged to accelerate preparations for post-quantum cryptography (PQC). A CRQC would be capable of breaking today’s public key cryptography. The ASD is encouraging organisations to consider their transition to PQC, as the window for ‘harvest now, decrypt later’ attacks narrows and legacy encryption standards become increasingly vulnerable.[2]
To conclude
In 2026, effective cyber security will require coordinated action across all aspects of organisations, necessitating strong board oversight and a culture focused on resilience rather than compliance alone.
With AI-driven threats accelerating, insurance markets may struggle to keep pace as the gap between actual cyber exposure and available cover widens.
Organisations that clearly understand and articulate their risks will be best placed to secure appropriate protection, while those that do not may face significant underinsurance and heightened operational and governance consequences when incidents occur.
[1] https://www.cyber.gov.au/business-government/protecting-business-leaders/cyber-security-for-business-leaders/cyber-security-priorities-for-boards-of-directors-2025-26
[2] https://www.cyber.gov.au/business-government/secure-design/planning-for-post-quantum-cryptography