Following our January 2025 update, cyber insurance premiums remain largely stable, with signs of softening in some areas. Market appetite continues to be strong. Most industries can obtain cyber coverage by meeting only basic cybersecurity control requirements. Policyholders taking a proactive approach to cybersecurity are beneficiaries of 5 to 15 per cent reductions.
Despite this, a significant portion of businesses, especially SMEs, remain without coverage, highlighting a substantial protection gap. Ongoing difficulties remain in placing insurance for some Managed Service Providers due to insurers’ caution around tech-related exposures.
Both internationally and in the domestic context, governments are introducing stricter regulations concerning data protection and cyber resilience. Non-compliance can result in significant regulatory penalties, as highlighted by a series of high-profile cyber incidents across Australia’s financial sector. See our article here for a recent example. Cyber-attacks continue to rise, with notable trends including the surge in ransomware, exploitation of supply chain vulnerabilities, and the emerging risks associated with generative AI.
Data breaches: “Hackers don’t break in, they log in”
Industries such as healthcare and financial institutions remain at the forefront of cyber-attacks, followed closely by a rising trend of attacks in the manufacturing industry. This trend is expected to continue, compounded by a reliance on legacy systems and increasing use of Internet of Things (IoT) or smart devices that can be easily exploited. See our article here for further detail.
Third-party supply chain risks remain a leading cause of data breaches, posing significant challenges for organisations and cyber insurers alike[1].
Notably, across the board, human error continues to play a leading role in data breaches. According to Verizon’s Data Breach Investigations Report 2025, human error accounted for 60 per cent of cases and hidden risks remain around the use of BYOD (bring your own device). In 46 per cent of cases, corporate login data was stolen from personal devices. Without corporate cyber protections on these devices, and notwithstanding the gap in insurance to recover from the financial implications of a BYOD breach, organisations are faced with a serious risk[2].
Cyber attacks
Cyber criminals continue to utilise generative AI for cyber-attacks. The rise in credential theft, with stolen login details widely available on the dark web, has been notably fuelled by attackers leveraging AI to create phishing emails at scale[3]. Multi-factor authentication (MFA) remains a straightforward yet essential security measure for protecting email and system access. Despite this, it continues to be an underutilised tool of defence by many organisations.
While ransomware incidents have remained stable in terms of frequency, their financial impact continues to grow. Business interruption costs now account for 81 per cent of cyber-related losses, often exceeding the ransom payment itself. Approximately 50 per cent of ransomware threats result in payment, placing significant pressure on business continuity plans[4].
As noted in our recent article, the amendments under the Cybersecurity Act, including the Ransomware Payment Reporting obligation, came into effect on 30 May 2025. This requires businesses to file a report within 72 hours of making a ransomware payment or becoming aware that a ransomware payment has been made. Other notable changes, including the minimum cybersecurity standard for smart devices and the establishment of a Cyber Incident Review Board, have also taken effect[5].
Regulatory enforcement
As we highlighted in our January Update, regulatory enforcement in the cybersecurity space is gaining momentum. Notably, the legal action taken by the Australian Securities and Investments Commission (ASIC) against FIIG Securities earlier this year underscores the need for organisations to maintain a focus on their cyber risk management obligations.
We anticipate further action from ASIC on its 2025 enforcement priorities, particularly around director duties and their responsibility to maintain cyber resilience. As reported by ASIC, it will continue to “bring[ing] the full force of the law against those found to have failed in their duties”[6].
As previously traversed here, Australia’s privacy laws underwent significant reform to align more closely with international standards, such as the EU’s GDPR. As part of this reform, the new Statutory Tort for Serious Invasions of Privacy (STSIP) was passed and comes into effect on 10 June 2025 following amendments to the Privacy and Other Legislation Amendment Bill 2024 (Cth)[7].
The Tort enables individuals to pursue claims relating to an invasion of privacy which:
- intrudes upon the plaintiff’s seclusion; or
- misuses information that relates to the plaintiff.
The broad scope and class-action potential of this Tort heighten the obligations of organisations to enhance data protection practices and safeguard sensitive data, particularly as it does not apply solely to personal information as defined by the Privacy Act but extends to any “information that relates to the plaintiff”[8].
The second tranche of reforms, currently under consultation, will likely tighten the rules on collecting, using, and disclosing personal information, and introduce a fair and reasonable test, envisioned to encourage businesses to proactively consider the impact that their data handling practices may have on an individual[9].
[1] Notifiable Data Breaches Report: January to June 2024
[2] Verizon’s Data Breach Investigations Report 2025
[3] IBM X-Force 2025 Threat Intelligence Index
[4] Verizon’s Data Breach Investigations Report 2025
[5] 2023–2030 Australian Cyber Security Strategy
[6] ASIC Key issues outlook 2025
[7] Privacy and Other Legislation Amendment Bill 2024
[8] A cause of action for two types of invasion of privacy
[9] Government response to the Privacy Act Review Report





