Cyber Liability Insurance


What is cyber liability insurance?

Cyber liability insurance is a financial product designed to help organisations manage the risks associated with cyber incidents. It typically covers costs related to data breaches, ransomware attacks, network failures, and other cyber-related losses.

Cyber-attacks can disrupt operations, impacting everything from machinery to IT systems, and result in significant financial and reputational damage. The more data a company holds, especially sensitive, health or financial information, the greater the need for a cyber insurance policy to help manage the potential costs of a breach.

What’s included in a cyber insurance policy

The policy limit defines the maximum amount the insurer will pay for all covered losses and costs arising from a single cyber incident or claim notified during the policy period. Depending on how the policy is structured, this limit may be:

  • Inclusive of legal defence costs, meaning legal expenses reduce the total amount available for other claims; or
  • Exclusive of legal costs, where legal defence expenses are covered in addition to the stated limit.

This distinction is critical when assessing how much real protection is available during a significant incident involving litigation or regulatory investigations.

Cyber liability insurance policies typically include both an excess (or deductible) and a defined waiting period. The waiting period, usually between 8 and 48 hours, applies to business interruption coverage. This delay ensures that only sustained periods of downtime qualify for compensation related to lost income or extra operating expenses.

The cost of a cyber insurance policy is driven by factors such as business size, industry, employee count and revenue, together with the organisation’s cyber maturity and the number and type of systems and digital tools in use.

Structure of a cyber policy

Cyber insurance is generally separated into two parts: first-party cover and third-party cover. The difference comes down to who is making the claim, the policyholder or a third party.

First-party cover responds to losses the policyholder suffers directly, providing the business with a financial safety net. For instance, if a business suffers a data breach and needs to pay for forensic investigations, notify affected individuals, restore lost data, and manage the reputational fallout, these costs would be covered under first-party cover, because the losses are experienced directly by the business itself.

However, if that same breach results in sensitive customer information being exposed, such as personal financial or health data, and those customers then sue the business for failing to protect their information, the legal defence costs and any settlements or damages would fall under third-party coverage. These are liabilities the business faces because another party was harmed by the breach.

A cyber liability insurance policy typically includes:

First-party cover

Refers to indemnification for losses sustained directly due to a cyber incident, such as:

  • Incident response costs: cover for forensic investigations, notification costs, legal advice, public relations support.
  • Business interruption cover: lost income or extra expenses incurred due to operational downtime caused by a cyberattack.
  • Data recovery costs: to restore, or recover lost, stolen, or corrupted data.

Third-party cover

Provides protection against claims brought by external entities who allege loss or damage due to a failure to secure data or networks, such as:

  • Liability claims: cover for lawsuits or claims from customers, vendors, or partners alleging data misuse, breach of privacy, service disruption etc.
  • Legal defence and settlements: legal costs, court fees, and settlement expenses to defend against third-party claims.
  • Regulatory fines and penalties: penalties for breaches of regulation such as the Privacy Act 1988 (Cth) or the General Data Protection Regulation (GDPR), which applies to businesses that handle the personal data of, or transact with, residents of the European Union. Fines are typically covered only to the extent they are insurable at law.

Additional coverage sections of a cyber insurance policy

System failure (non-malicious outages)
This cover refers to unintentional disruptions in IT systems that are not caused by cyberattacks or malicious activity. These outages can result from software bugs, human error, hardware malfunctions, or power failures. Coverage protects organisations from financial losses due to operational downtime or data inaccessibility.

Funds transfer fraud
This cover typically protects against financial loss resulting from a fraudulent instruction, initiated through a cyber incident, that causes funds to be transferred without the policyholder’s authorisation (usually following phishing or business email compromise). Cover often depends on the policyholder having followed documented ‘verification procedures’, such as dual authorisation controls, two-factor authentication, or a call-back to a payee’s phone number already held on file before paying to new bank details. Failing to follow these procedures can void cover even where a genuine fraud occurred.

Social engineering fraud
To be classified as social engineering, an attack must involve deliberate human manipulation or deception such as impersonation or psychological pressure. In contrast, transactions resulting purely from technical breaches or automated processes are not considered social engineering. Cover for these events varies widely.

Cyber extortion and ransomware
Ransomware is malicious software that encrypts an organisation’s data or systems so that they cannot be used, with the attacker offering a decryption key in exchange for a ransom, usually demanded in cryptocurrency. Payment does not guarantee recovery, and increasingly these attacks follow a double extortion model in which the threat actors also exfiltrate sensitive data and threaten to publish or sell it unless a further payment is made. Cyber policies may provide cover for payments made to threat actors and for the associated legal and incident management costs. Under Australia’s new ransomware payment reporting obligations, introduced by the Cyber Security Act 2024, a ransomware payment must be reported to the Australian Signals Directorate (ASD) within 72 hours of being made. See our article for further detail.

Who should purchase cyber liability insurance

Cyber liability insurance is recommended for organisations of all sizes. Businesses that handle sensitive data, such as healthcare providers, legal professionals, and service-based organisations, face strict legal obligations to protect personal, financial, and health information. Additionally, it is increasingly common for contracts to require cyber insurance to cover potential data breaches or intellectual property losses.

Recent updates to Australian cyber security legislation and the Cyber Security Act 2024 aim to strengthen national infrastructure resilience, enhance cyber-attack reporting obligations, and expand government powers for intervention. Further privacy and security reforms are expected to come.

Additionally, cyber security penalties for Australian Financial Services Licensees fall under the Corporations Act 2001 (Cth). Non-compliance can result in significant regulatory penalties, as demonstrated in the ASIC’s recent civil penalty proceedings against FIIG Securities Limited and Fortnum Private Wealth.

The cost of cyber crime

In today’s climate, a single cyber security incident can cost a business tens of thousands of dollars, and even a relatively minor breach can cause significant financial and operational disruption. According to the Australian Cyber Security Centre’s 2023–2024 Annual Cyber Threat Report, the average self-reported cost of a cybercrime incident to Australian businesses is:

  • $49,600 for small businesses
  • $62,800 for medium businesses
  • $63,600 for large businesses [1]

Data protection

Data is becoming increasingly integral to operations. Organisations across all sectors must therefore implement appropriate levels of security and control. The types of data requiring protection vary in sensitivity and regulatory obligation, and may include:

  • Personally identifiable information (PII): names, addresses, ID numbers, contact details
  • Protected health information (PHI): medical histories, treatment records, other sensitive health information
  • Financial data: credit card and banking information
  • Intellectual property: proprietary designs, formulas, patents, and trade secrets
  • Human resource records and employee records: employee data, payroll, performance records
  • Customer and client files: contractual data, or service data.

While many organisations rely on third-party vendors such as IT service providers or cloud platforms, the ultimate responsibility for safeguarding data remains with the organisation that collects it.  Effective data protection hinges on robust internal controls and comprehensive vendor risk management. Data retention policies must ensure information is retained only for legally mandated periods and securely destroyed thereafter.

Organisations must establish a clear lawful basis for data collection and processing, with transparency to data subjects regarding the use of their information. Access should be strictly limited on a ‘need-to-know basis’, supported by rigorous data classification and encryption standards. Continuous staff training is vital to reduce human error, a predominant factor in data breaches. Embedding ‘Privacy by Design’ principles – the process of implementing good privacy practices into a business’s decision-making, business practices and technological infrastructure – ensures that data protection is integrated into systems and processes from inception.

A well-structured incident response plan is essential to comply with regulatory requirements such as Australia’s Notifiable Data Breaches scheme facilitating prompt detection, containment, and notification of breaches.

The prevalence of data breaches remains a significant challenge. According to the 2025 Verizon Data Breach Investigations Report, system intrusions made up over half of all breaches, and the human element (errors, stolen credentials and social engineering) was involved in 60 per cent of cases. Ransomware continues to pose a major threat, present in 44 per cent of breaches and disproportionately affecting small to medium-sized businesses. Credential compromise remains a leading initial access vector, alongside the exploitation of vulnerabilities in unpatched systems, which rose by 34 per cent over the past year [2]. Collectively, these trends underscore the importance of strengthening internal cyber defences, particularly in patch management, access control, employee awareness, and response readiness.

Common exclusions in a cyber insurance policy

While cyber liability insurance provides broad protection, there are important exclusions and limitations that policyholders should be aware of. Some common exclusions include:

  1. Known facts, circumstances, and prior claims
    The policy does not cover any matter, fact, circumstance, or claim that has already been notified under a prior policy, or that should have been disclosed before the current policy commenced. (See our article on claims-made insurance for more detail.)
  2. Retroactive date
    Claims arising from events that occurred before the retroactive date specified in the policy are excluded. It is critical that the retroactive date reflects the commencement of your services to ensure adequate coverage. An unlimited retroactive date is preferred, especially in cyber policies where even with forensics, the precise timing of an event can be difficult to determine.
  3. Intentional acts
    Coverage is excluded for acts that are wilful, fraudulent, or deliberately dishonest on the part of the policyholder.
  4. Bodily injury and property damage
    Cyber policies typically exclude claims arising from bodily injury or physical property damage. However, some policies may still cover mental harm associated with third-party claims following a data breach.
  5. Infrastructure outage
    Losses due to outages in public infrastructure such as electricity, water, telecommunications, or gas are often excluded.
  6. Acts of cyber war and terrorism
    Cyberattacks attributed to nation-states or events classified as acts of war or terrorism are generally not covered.
  7. Professional errors and omissions (E&O)
    While cyber policies may cover security failures, they usually do not extend to claims arising from professional services errors or omissions, unless specifically endorsed.
  8. End-of-life (EOL) or unsupported technology
    Cover is typically excluded for losses arising from software or hardware that has reached its end-of-life (EOL) or situations where the vendor has withdrawn technical support or updates.
  9. ‘Computer’ and ‘network’ definitions
    Cover depends heavily on how terms like “computer system” or “network” are defined in the policy wording. Narrow definitions can significantly limit coverage, particularly for cloud environments or third-party platforms. Broad definitions are essential to ensure full protection across all operational systems.
  10. Unencrypted data
    Some policies exclude coverage for breaches involving unencrypted data. The scope of this exclusion varies; in some cases, it only applies if the lack of encryption was a direct cause of the incident.

Cyber liability insurance policies are confidential documents. Details should not be disclosed publicly unless required, such as when providing a certificate of insurance for contractual or regulatory purposes.

Top tips for strengthened cyber security controls

Cyber insurers increasingly mandate robust protection measures, including multi-factor authentication (MFA), simulated phishing exercises, regular patching, and up-to-date antivirus software.

Layered security controls aligned with recognised industry frameworks, such as the ISO/IEC 27000 series of standards and the Australian Cyber Security Centre’s Essential Eight, help organisations reduce cyber risk and improve resilience. These controls should be chosen to protect the three properties of the CIA triad, Confidentiality, Integrity, and Availability, across the organisation’s data and systems, and maintained proactively so that incidents are prevented where possible and contained quickly where not.

The following key cyber security measures should be considered by organisations of all types:

  • Governance and leadership: assign clear accountability for cyber risk at the Executive and Board level. Implement policies, frameworks, and reporting structures to manage and oversee cyber security initiatives.
  • Role-based access control (RBAC): Restrict user access based on job roles to minimise the risk of privilege misuse and unauthorised data exposure.
  • Dynamic incident response: regularly conduct exercises, such as executive-level tabletop simulations, to test and refine incident response capabilities.
  • Phishing awareness: run phishing simulations multiple times per year to improve staff vigilance of social engineering attacks.
  • Layered security: adopt a defence-in-depth approach that includes multi-factor authentication (MFA), network segmentation, immutable backups, and continuous threat monitoring through solutions such as managed detection and response (MDR) or a security operations centre (SOC).
  • Transaction security: require dual approvals and secondary verification for actions such as fund transfers or changes to account details to prevent fraud.
  • Vendor risk management: evaluate the cyber security posture of third-party vendors by reviewing their policies, controls, and incident response readiness.
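The verification procedures that funds transfer fraud cover depends on (documented dual authorisation, and a check before releasing payment to new or changed bank details) and the transaction security measure above are easiest to see as a concrete control. The following is an added example written for this page, not Bellrock’s or any insurer’s code: a maker-checker release check in Python. The user names, roles, value threshold and payee details are constructed assumptions; the logic is what a policy’s ‘verification procedures’ clause typically expects an insured to be able to evidence.

```python
"""Maker-checker release control for outbound payments (added example).

Models the verification procedures an insurer looks for before paying a funds
transfer fraud claim: the person who raises a payment cannot approve it, two
independent approvers are needed above a value threshold, and a payee whose
bank details are new or recently changed must be confirmed by calling a phone
number already held on file (never one supplied in the invoice or email).
Roles, users, threshold and payee data below are constructed assumptions.
"""
from dataclasses import dataclass, field

DUAL_APPROVAL_THRESHOLD = 10_000  # assumed threshold for two-person approval

# Assumed role assignments; in practice sourced from the finance system's RBAC.
ROLES = {
    "alice": {"preparer"},
    "bob": {"approver"},
    "carol": {"approver"},
    "dave": {"preparer", "approver"},
}


class ControlViolation(Exception):
    """Raised when an action would breach the documented procedure."""


@dataclass
class Payee:
    name: str
    bsb_account: str
    phone_on_file: str                    # captured at onboarding, verified independently
    details_changed_recently: bool = False


@dataclass
class PaymentInstruction:
    payee: Payee
    amount: float
    requested_by: str
    approvals: list = field(default_factory=list)
    callback_verified: bool = False
    audit: list = field(default_factory=list)  # evidence trail for a later claim


def _require_role(user, role):
    if role not in ROLES.get(user, set()):
        raise ControlViolation(f"{user} does not hold the {role!r} role")


def raise_payment(payee, amount, user):
    """A preparer raises the instruction; nothing is released at this stage."""
    _require_role(user, "preparer")
    payment = PaymentInstruction(payee, amount, user)
    payment.audit.append(f"raised by {user} for {amount:.2f} to {payee.name}")
    return payment


def record_callback(payment, number_dialled, confirmed_by_payee):
    """Out-of-band check: only a call to the number on file counts."""
    if number_dialled != payment.payee.phone_on_file:
        payment.audit.append(f"callback to {number_dialled} rejected: not the number on file")
        return False
    payment.callback_verified = bool(confirmed_by_payee)
    payment.audit.append(
        f"callback to number on file: {'confirmed' if confirmed_by_payee else 'not confirmed'}"
    )
    return payment.callback_verified


def approve(payment, user):
    """Segregation of duties: approver must hold the role and differ from the requester."""
    _require_role(user, "approver")
    if user == payment.requested_by:
        raise ControlViolation("requester may not approve their own payment")
    if user in payment.approvals:
        raise ControlViolation(f"{user} has already approved this payment")
    payment.approvals.append(user)
    payment.audit.append(f"approved by {user}")


def releasable(payment):
    """True only when every documented verification step has been satisfied."""
    approvers_needed = 2 if payment.amount >= DUAL_APPROVAL_THRESHOLD else 1
    if len(payment.approvals) < approvers_needed:
        return False
    if payment.payee.details_changed_recently and not payment.callback_verified:
        return False
    return True


if __name__ == "__main__":
    supplier = Payee("Acme Steel", "062-000 12345678", "+61 2 9000 0000",
                     details_changed_recently=True)
    p = raise_payment(supplier, 25_000, "alice")
    approve(p, "bob")
    approve(p, "carol")
    print("releasable before callback:", releasable(p))   # False
    record_callback(p, "+61 2 9000 0000", confirmed_by_payee=True)
    print("releasable after callback:", releasable(p))    # True
    print("\n".join(p.audit))
```

The audit list is the part that matters at claim time: an insurer asking whether the ‘verification procedures’ were followed wants to see who raised the payment, who approved it, and that the call-back went to a number held before the suspect email arrived, not one taken from it.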

Claims examples with a cyber insurance policy

Some recent claims examples include:

  • A complaint is made by a patient to the Privacy Commissioner after a pharmacist suffers a cyber attack and health information is misused or lost. A cyber liability insurance policy will provide cover for the costs of notifying the affected individuals and the legal costs of responding to the investigation by the Privacy Commissioner.
  • A large construction contractor received a fraudulent invoice for payments due under a contract. The invoice was sent by an attacker using an email address near-identical to that of the genuine invoicing party. The invoice was paid and the money lost. The policyholder sought cover under the Social Engineering extension of its policy to recover the monies paid to the fraudster.
  • Malicious software was installed on the network of a real estate business, allowing files containing credit card and personal information to be accessed. The company was advised to notify all affected individuals and to engage a PR consultant to manage reputational damage from the incident. These costs were covered under the Reputational Expenses extension of the policy.
  • A law firm received a cyber extortion threat and malware attack on its computer network rendering all computers unusable until the demand of 0.5 Bitcoin was paid. Even after payment was made the malware was not removed. The policy provided cover: a) under the Cyber Extortion section for the 0.5 Bitcoin, b) under the Crisis Costs section for IT specialists to rebuild the computer network, and c) under the Business Interruption section for loss of income during the attack.
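The construction contractor claim above turned on an email address near-identical to the genuine invoicing party’s, the usual set-up for an invoice redirection fraud. The following is an added example written for this page, not code from Bellrock or any insurer: a Python triage check that flags a sender domain which is a small edit or homoglyph swap away from a trusted supplier’s domain, a Reply-To that points somewhere else, and body text about changed bank details, so that the invoice is held for a call-back before payment. The supplier list, substitution table, thresholds and sample messages are all constructed.

```python
"""Look-alike sender check for incoming supplier invoices (added example).

Flags the pattern behind invoice redirection fraud: a From domain that is a
typo or homoglyph away from a trusted supplier's, a Reply-To that diverts the
conversation elsewhere, and a request to pay to new bank details. The supplier
list, substitution table, thresholds and sample messages are constructed.
"""
import email
import re
from email.utils import parseaddr

TRUSTED_SUPPLIER_DOMAINS = {"acme-steel.com.au", "northbuild.com"}  # constructed

# Character swaps commonly used in look-alike registrations (assumed, not exhaustive).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Public suffixes where the registrable name sits one label deeper (e.g. .com.au).
SECOND_LEVEL = {"com", "net", "org", "gov", "edu"}

# Phrases that should trigger a call-back regardless of who the sender appears to be.
BANK_CHANGE = re.compile(r"\b(new|updated|changed)\b.{0,40}\b(bank|account|bsb)\b", re.I | re.S)


def registrable(domain):
    """Crude registrable-domain extraction; a real system would use the public suffix list."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] in SECOND_LEVEL and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def _canonical(domain):
    d = domain.lower()
    for lookalike, real in HOMOGLYPHS:
        d = d.replace(lookalike, real)
    return d


def _levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(domain):
    """Return ('trusted' | 'lookalike' | 'unknown', matched or normalised domain)."""
    d = registrable(domain)
    if d in TRUSTED_SUPPLIER_DOMAINS:
        return "trusted", d
    for trusted in TRUSTED_SUPPLIER_DOMAINS:
        if _canonical(d) == _canonical(trusted):
            return "lookalike", trusted
        # Typosquats live in the first label; skip very short labels to limit false hits.
        t_label, d_label = trusted.split(".")[0], d.split(".")[0]
        if len(t_label) >= 6 and _levenshtein(d_label, t_label) <= 2:
            return "lookalike", trusted
    return "unknown", d


def _addr_domain(header_value):
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage_invoice_email(raw):
    """Decide whether an invoice email should be held for call-back verification."""
    msg = email.message_from_string(raw)
    from_dom = _addr_domain(msg["From"])
    reply_dom = _addr_domain(msg["Reply-To"]) or from_dom
    verdict, matched = classify_sender(from_dom)
    reasons = []
    if verdict == "lookalike":
        reasons.append(f"sender domain {from_dom} resembles trusted supplier {matched}")
    if registrable(reply_dom) != registrable(from_dom):
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if BANK_CHANGE.search(msg.get_payload() or ""):
        reasons.append("message asks for payment to new or changed bank details")
    return {"verdict": verdict, "hold_for_callback": bool(reasons), "reasons": reasons}


# Constructed sample messages, not real correspondence.
SAMPLE_FRAUD = """From: Accounts <accounts@acrne-steel.com.au>
Reply-To: accounts@acrne-steel-billing.com
Subject: Invoice 4471 - updated bank details
Content-Type: text/plain

Please note our bank account details have changed. New BSB and account below.
"""

SAMPLE_LEGIT = """From: Accounts <accounts@acme-steel.com.au>
Subject: Invoice 4472
Content-Type: text/plain

Invoice 4472 attached, payable to the usual account.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_FRAUD, SAMPLE_LEGIT):
        print(triage_invoice_email(sample))
```

A check like this is a screening aid, not a decision: its output is a hold, and the hold is cleared only by the call-back to a number already on file described under funds transfer fraud above. It also says nothing about a genuine supplier mailbox that has itself been compromised, which is why the call-back step matters even when the sender domain is trusted.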

How Bellrock Advisory adds value

Bellrock can oversee the cyber risk assessment process, working with our specialist cyber partners to identify critical assets and vulnerabilities and prepare a cyber maturity report to identify areas of improvement and support a request for cyber liability insurance.

Information needed to obtain a cyber liability insurance quotation:

  1. Standard company profile information including employee numbers, revenue and growth targets
  2. Employee cyber training schedule and reports
  3. Incident response plan
  4. Business continuity plan
  5. Any external or internal cyber risk audits or reports.

For personalised advice regarding cyber liability insurance and to obtain a quote, please contact a Bellrock Advisor.

[1] ACSC Annual Cyber Threat Report 2023–2024
[2] Verizon 2025 Data Breach Investigations Report
