For WA businesses of every size, a cyberattack is no longer a matter of if - it's a matter of when, and how prepared you are when it happens.
In August 2025, the University of Western Australia was forced into an overnight emergency lockdown of its own systems after attackers gained access to staff and student passwords. Closer to the ground level of WA business, a Perth jeweller appeared on a ransomware group's dark web leak site in November 2025, and a Perth-based mining company faced public claims of 1TB of data stolen the following month.
These incidents reflect a national trend that hits smaller businesses particularly hard. According to the Australian Signals Directorate's Annual Cyber Threat Report 2024–25, the Australian Cyber Security Centre received more than 84,700 cybercrime reports in the last financial year - one every six minutes. The average cost of a single cyber incident for a small business rose 14% year-on-year to $56,600. For medium businesses, it jumped 55% to $97,000.
Cyber insurance has moved from a specialist niche to a commercial necessity. Yet Swiss Re data cited by the Insurance Council of Australia shows that only 10–20% of Australian SMEs currently hold a policy. Most business owners either assume their existing cover handles it, that they're too small to be a target, or that cyber insurance is simply too expensive to be worth it. All three assumptions are increasingly dangerous.
This article explains what cyber insurance actually covers, what the market looks like in 2026, what it takes to qualify - and critically, what causes claims to be denied even when a policy is in place.
Australia's mandatory ransomware payment reporting regime commenced in June 2025, requiring businesses with turnovers above $3 million to report payments to cybercriminals. Separately, Privacy Act reforms that took effect in June 2025 introduced a statutory tort for serious invasions of privacy, with expanded OAIC investigation powers and new civil and criminal penalties. Cyber insurance now sits at the intersection of IT risk, legal liability, and regulatory compliance.
The short answer is that most cybercriminals aren't choosing you specifically - their tools are. Modern cyberattack infrastructure is largely automated. AI-powered scanners probe millions of internet-connected systems simultaneously, looking for open ports, unpatched software, and weak credentials. When they find a vulnerability, the attack proceeds regardless of whether you're a multinational or a two-person accounting firm in Osborne Park.
Small businesses make attractive targets for a second reason: they tend to hold more valuable data than their security investment would suggest. Client financial records, payment details, supplier contracts, employee information - all of this has a market value, and much of it sits behind surprisingly thin defences.
Western Australia's economy amplifies the exposure. The state's concentration of mining and resources businesses, professional services firms supporting that sector, construction and civil contractors, and healthcare providers across regional areas creates a profile that intersects with the sectors seeing the highest insurance claim values nationally.
The threat types dominating claims nationally break down in a predictable but still sobering way. Ransomware - where attackers encrypt your systems and demand payment to restore access - generates the highest dollar value of losses by a significant margin. Business Email Compromise (BEC), where criminals impersonate executives or suppliers to divert payments, is the most frequent attack type by volume. Data breaches triggering Privacy Act notification obligations have become a third major category as regulators sharpen their focus.
A ransomware attack doesn't just lock files - it stops a business entirely. The question is how long yours could absorb the interruption, and who pays the bill.
Cyber insurance is a specialist policy covering financial losses arising from a cyberattack, data breach, or related digital incident. Unlike standard business insurance, which protects physical assets, cyber insurance covers digital and informational assets - and the cascading costs that follow when those assets are compromised.
A well-structured policy operates across two broad categories: first-party losses (costs to your own business) and third-party losses (your liability to clients, suppliers, or regulators). The table below shows what a comprehensive policy should include, what typically requires a separate add-on, and what is almost universally excluded.
| Coverage area | What it pays for | Included? |
|---|---|---|
| Incident response & forensics | Specialist IT investigators to determine how the breach occurred, what was accessed, and how to contain it. Often the single most expensive component - $20,000 to $200,000+ for a significant incident | ✓ Standard |
| System restoration | Cost of rebuilding compromised infrastructure, recovering or recreating lost data, and returning systems to operation | ✓ Standard |
| Business interruption | Revenue replacement while systems are down, including extended indemnity periods for complex recovery - covers both your own IT systems and contractor systems you rely on | ✓ Standard |
| Legal advice | Legal counsel for regulatory response, Privacy Act obligations, and defence of third-party claims arising from the breach | ✓ Standard |
| Crisis management & PR | External communications support to manage reputational damage, customer notifications, and media response | ✓ Standard |
| Regulatory fines & penalties | Fines and defence costs arising from OAIC investigations, Privacy Act breaches, and Notifiable Data Breaches scheme obligations | ✓ Standard |
| Third-party liability | Compensation claims from clients or suppliers who suffered losses as a result of your breach | ✓ Standard |
| Criminal financial loss (BEC) | Funds lost through social engineering, invoice fraud, or business email compromise - a separate endorsement in most policies | ◐ Add-on required |
| Supply chain / non-IT interruption | Business losses from a cyberattack on a supplier that cascades to your operations without directly hitting your systems | ◐ Add-on required |
| Directors & Officers exposure | Personal liability for directors where a breach results from governance failures or inadequate board-level oversight | ◐ Add-on required |
| Nation-state / war attacks | Attacks attributed to foreign government actors - Lloyd's of London guidance, widely adopted in Australia, requires these to be excluded | ✗ Excluded |
| Intentional acts by staff | Deliberate insider sabotage - may be partially addressed under a separate crime or fidelity policy | ✗ Excluded |
| Unencrypted data breaches | Some policies reduce or deny coverage where data was not encrypted at rest, on the basis that reasonable precautions were not in place | ✗ Often excluded |
BEC (Business Email Compromise) - where criminals redirect invoice payments by impersonating a director or supplier - is one of the most common and financially damaging cyber incidents in Australia. It is also one of the most commonly excluded from standard policies without a specific add-on. If your business processes supplier payments or handles client funds, this endorsement is not optional.
The Australian cyber insurance market reached AUD $467 million in 2025 and is on a strong growth trajectory, according to IMARC Group market research. But growth in the market hasn't made it easier for businesses to get covered - if anything, the reverse.
After several years of dramatically rising premiums and strict underwriting, the market is now moving into a softer phase. S&P Global has forecast premium increases of 15–20% in 2026 following two years of declining rates, driven by rising claims severity, the growing impact of AI-powered attacks, and the 126% increase in ransomware incidents recorded in Q1 2025. However, businesses with demonstrably strong security postures are finding they can negotiate meaningfully better terms.
Fortuna Advisory Group recently hosted a business insurance event where specialists from Emergence Insurance and Fortuna Tech's managed IT team shared their perspectives on how the market is shifting for WA businesses. The consistent message from both: insurers are applying far greater scrutiny at the underwriting stage, and they are investigating claims far more rigorously than they did even two years ago.
The sector data is instructive. Professional and technical services businesses - accounting firms, consultants, engineers, lawyers - have generated the highest value of paid claims nationally. Healthcare comes second, followed by industrial and manufacturing businesses. For WA firms in any of these categories, or in construction and resources services, the exposure is not theoretical.
Source: Cyber insurance claims data - Australian market. Relative values shown; exact figures vary by insurer and reporting period. Note that the WA economy's concentration in mining, resources services, and professional services makes these sector rankings directly relevant to local businesses.
A comprehensive cyber policy covers four interconnected areas - each activated from the moment a claim is lodged, not just when costs are finally tallied.
The single most important shift in cyber insurance over the past two years is this: insurers no longer simply ask whether you have cybersecurity measures in place. They require documented proof - and they check. If what you claim on your application doesn't match the reality they find during a claims investigation, the consequences can be severe.
Most Australian insurers now use the Australian Cyber Security Centre's Essential Eight framework as their baseline for assessing risk. Businesses that can demonstrate maturity across these eight controls typically pay 20–40% less in premiums than equivalent businesses without a documented programme, according to underwriting data cited by Cliffside Security. Businesses that can't demonstrate them face restricted cover, higher deductibles, or outright rejection.
1. Application whitelisting
2. Patch applications
3. Configure Microsoft Office macros
4. User application hardening
5. Restrict admin privileges
6. Patch operating systems
7. Multi-factor authentication (MFA)
8. Daily backups
Beyond the Essential Eight, insurers are increasingly asking for evidence of employee security awareness training (with proof of completion), a documented incident response plan, and network segmentation. Beazley's underwriting application, for example, explicitly asks whether MFA is required for remote access and web-based email, what endpoint protection is deployed, and whether a tested incident response plan exists.
This is the part most business owners don't hear until it's too late. Industry data from 2024 shows approximately 40% of cyber insurance claims were denied or significantly disputed. Understanding why is not just useful - it may determine whether your policy is worth the premium you're paying.
Coalition's underwriting data found that 82% of denied claims involved businesses where MFA was not fully implemented. The critical word is "fully." Insurers don't care whether MFA was purchased, or whether it was active on most accounts. They care whether it was enforced on every email account, every remote access gateway, every cloud platform, every VPN connection, and every administrative account - without exception.
The clearest legal precedent is the Travelers v. International Control Services case in the United States. ICS declared on its insurance application that MFA was in use for email, remote access, and all endpoints. When ransomware hit, the forensic investigation found MFA was only configured on the firewall. The servers - the actual targets of the attack - had no MFA at all. Travelers successfully had the entire policy rescinded. No coverage for any past, present, or future claims. The court found the misrepresentation was material to the underwriting decision.
A comparable case involved a US municipality that had an $18.3 million ransomware claim denied because MFA was active on most accounts but not on every system. One unprotected legacy account was enough.
Do not overstate your controls on a cyber insurance application - even unintentionally. If MFA is active on email but not on your VPN or privileged admin accounts, the honest answer to "do you use MFA?" is no. Insurers are now using AI-driven underwriting tools that scan public-facing systems to verify what applicants have claimed. A discrepancy between what you stated and what they find is grounds for policy rescission, not just claim denial.
| Denial reason | What happened | How to avoid it |
|---|---|---|
| MFA not fully deployed | Attacker entered through one account, server, or access path without MFA - insurer voids coverage | Audit every system and access path. Document MFA coverage with screenshots before applying |
| Material misrepresentation | Application overstated security controls - even unintentionally - and investigation revealed the gap | Review your application annually; notify insurer if your security posture changes between renewals |
| Failure to report in time | Most policies require notification within 24–72 hours of discovering a breach - delays give insurers grounds to deny | Store your insurer's claims hotline number somewhere accessible without a computer. Make it step one of your incident response checklist |
| BEC not covered | Social engineering / invoice fraud loss submitted but no social engineering endorsement on the policy | Confirm whether your policy includes BEC/funds transfer fraud cover - if not, add it as an endorsement |
| Patch negligence | Attacker exploited a known, publicly patched vulnerability - insurer argues the loss was preventable and therefore not insurable | Maintain a documented patch management programme with defined timeframes for critical updates |
| Insufficient log retention | Insurer's forensic team could not verify the sequence of events - the timeline needed to support the claim could not be reconstructed | Ensure endpoint detection logs are retained for at least 90 days; document your monitoring setup |
A common misconception among WA business owners is that strong IT security means you don't need cyber insurance - or that insurance is a substitute for not investing in security. Neither is true. The two are complementary layers of a risk management strategy, each covering what the other cannot.
Your IT controls reduce the likelihood and severity of an incident. Your insurance policy covers the residual financial risk when something still gets through - and something eventually will. Fortuna Tech, Fortuna's managed IT arm, works with business owners on exactly this balance: building a security posture that satisfies insurer requirements while practically protecting the business day to day.
The framework that connects these layers is straightforward:
The human element matters at every stage. Staff who can recognise a phishing attempt, know not to click suspicious links, and understand what to do when something looks wrong are part of the defence layer too. Insurers are now asking for evidence of security awareness training and phishing simulations as part of the underwriting process - not because these are box-ticking exercises, but because human error remains the starting point for the majority of breaches.
Based on what underwriters are now requiring, and the controls most commonly cited in claim denials, the following checklist gives WA business owners a starting point for an honest assessment. If you cannot answer yes to most of these, your policy may not perform when you need it - regardless of whether you have one.
- Is MFA enforced on all email accounts, VPN access, cloud services, and admin accounts - without exceptions for any user or legacy system?
- Do you have a documented patch management process with defined timeframes for critical security updates?
- Are your backups daily, isolated from your main network, and - critically - tested for restoration on a regular schedule?
- Is administrative access restricted to only those who genuinely need it, with separate privileged credentials for system administrators?
- Has your team completed documented security awareness training in the past 12 months, including phishing simulations?
- Do you have a written incident response plan that includes who to call, in what order, within what timeframe - including your insurer's claims hotline?
- Does your current policy include a BEC / social engineering endorsement for funds transfer fraud?
- Have you reviewed the accuracy of your last insurance application against your current security posture?
- Do you understand your obligations under the Notifiable Data Breaches scheme and the Privacy Act reforms that took effect in June 2025?
- Do your contracts with clients, head contractors, or government bodies now require you to hold cyber insurance as a condition of engagement?
More than two or three "no" answers - or "I'm not sure" - represents a material gap. The good news is that most of these are addressable before your next renewal, and addressing them typically reduces your premium as well as your risk.
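To turn the denial-reasons table and the checklist above into something you can run against your own inventory, here is an added example (not from the article, Fortuna, or any insurer): it applies the rules the article describes (MFA on every account on every access path without exception, at least 90 days of log retention, critical patches within your documented timeframe, a BEC endorsement, the claims hotline in the incident response plan) to a constructed inventory. The access paths, account names and numbers are made up; in practice you would feed it an export from your identity provider, VPN and endpoint tooling.

```python
# Added example: cyber-insurance readiness check over a constructed inventory.
# Not the article's or any insurer's code; all names and values are made up.
from dataclasses import dataclass


@dataclass
class AccessPath:
    """One way into the business (mail, VPN, cloud app, admin console)."""
    name: str
    accounts: dict[str, bool]  # account name -> is MFA actually enforced?


@dataclass
class Posture:
    access_paths: list[AccessPath]
    log_retention_days: int               # endpoint/detection log retention
    critical_patch_sla_days: int          # documented timeframe for critical patches
    oldest_open_critical_patch_days: int  # age of the oldest unpatched critical
    bec_endorsement: bool                 # social engineering / funds transfer cover
    claims_hotline_in_ir_plan: bool       # insurer's hotline recorded as step one


def mfa_gaps(p: Posture) -> list[str]:
    """Every account on every access path without MFA, labelled path:account."""
    return [f"{ap.name}:{acct}" for ap in p.access_paths
            for acct, enforced in ap.accounts.items() if not enforced]


def application_answer_mfa(p: Posture) -> str:
    """The honest answer to 'do you use MFA?' is 'No' unless coverage is total."""
    return "Yes" if not mfa_gaps(p) else "No"


def assess(p: Posture) -> dict[str, str]:
    """Map the posture onto the denial reasons listed in the article's table."""
    findings: dict[str, str] = {}
    if gaps := mfa_gaps(p):
        findings["MFA not fully deployed"] = ", ".join(gaps)
    if p.oldest_open_critical_patch_days > p.critical_patch_sla_days:
        findings["Patch negligence"] = (f"critical patch open {p.oldest_open_critical_patch_days}d,"
                                        f" SLA is {p.critical_patch_sla_days}d")
    if p.log_retention_days < 90:
        findings["Insufficient log retention"] = f"{p.log_retention_days}d kept, 90d needed"
    if not p.bec_endorsement:
        findings["BEC not covered"] = "no social engineering / funds transfer endorsement"
    if not p.claims_hotline_in_ir_plan:
        findings["Failure to report in time"] = "claims hotline missing from IR plan"
    return findings


# Constructed sample: MFA is on mail for everyone, but the VPN still has a
# legacy service account without it and the admin console is only half covered.
SAMPLE = Posture(
    access_paths=[
        AccessPath("M365 mail", {"alice": True, "bob": True, "accounts@": True}),
        AccessPath("VPN", {"alice": True, "bob": True, "svc-legacy": False}),
        AccessPath("Admin console", {"alice-admin": True, "bob-admin": False}),
    ],
    log_retention_days=30,
    critical_patch_sla_days=14,
    oldest_open_critical_patch_days=40,
    bec_endorsement=False,
    claims_hotline_in_ir_plan=False,
)

if __name__ == "__main__":
    print("Answer to 'do you use MFA?':", application_answer_mfa(SAMPLE))
    for reason, detail in assess(SAMPLE).items():
        print(f"- {reason}: {detail}")
```

A single `False` anywhere in the inventory flips the application answer to "No", which is the point the article makes about "fully" implemented MFA.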
Fortuna Advisory Group is in an unusual position in the WA market: our insurance team, IT managed services arm (Fortuna Tech), accounting and business advisory practice, and legal team operate under the same roof. That means we can review cyber risk as part of your broader business picture - not just as an isolated policy question.
Most businesses come to us in one of three situations: they have no cyber cover and want to understand what they need; they have a policy but aren't sure it's adequate; or they've been through a renewal and found premiums have jumped significantly. In all three cases, the starting point is the same - a clear-eyed review of your actual security posture against what the policy requires, before anything is signed.
The Fortuna Insurance team, operating as an Authorised Representative of Community Broker Network Pty Ltd (AFSL 233750), can help with:
Cyber insurance is also relevant beyond your own protection. If your business tenders for government contracts, works as a subcontractor to larger firms, or provides services to healthcare or financial services organisations, you may already be required to hold a policy as a contractual condition. Fortuna's insurance services sit alongside our business planning and business law capabilities - so contract requirements and risk management can be addressed together.
Australian Cyber Security Centre (ACSC), Australian Signals Directorate (ASD), Office of the Australian Information Commissioner (OAIC), Insurance Council of Australia, NIBA - National Insurance Brokers Association, APRA, Emergence Insurance, Fortuna Tech, University of Western Australia, ASD Essential Eight Framework, Australian Privacy Act 1988 Notifiable Data Breaches Scheme, Community Broker Network Pty Ltd.
Insurance broking services are provided by Fortuna Insurance Services Pty Ltd, Authorised Representative 001300492 of Community Broker Network Pty Ltd ABN 60 096 916 184, AFSL 233750. Community Broker Network Pty Ltd is the holder of the Australian Financial Services Licence under which Fortuna Insurance Services Pty Ltd operates. Before engaging any insurance broking service, please request and read the relevant Financial Services Guide (FSG).
General advice warning. The information contained in this article is general in nature and has been prepared without taking into account your personal objectives, financial situation, or needs. It does not constitute financial product advice, insurance advice, or legal advice. Before acting on any information in this article, you should consider whether it is appropriate for your personal circumstances. You should obtain and read the relevant Product Disclosure Statement (PDS) and Target Market Determination (TMD) for any insurance product before making any decision. We recommend you seek advice from a qualified insurance broker or financial adviser who can take your individual circumstances into account.
Target Market Determinations (TMD). Under Australia's Design and Distribution Obligations (DDO), insurance products referenced in this article have Target Market Determinations available from their respective issuers. Before acquiring any insurance product, please request the applicable TMD to ensure the product is appropriate for your objectives, financial situation, and needs.
Third-party information. Statistics, data, and claims figures referenced in this article are sourced from third-party organisations including the Australian Signals Directorate, the Australian Cyber Security Centre (ACSC), Emergence Insurance, and other independent research sources. This information is reproduced for general educational purposes only. Fortuna Advisory Group makes no representation as to its ongoing accuracy, completeness, or applicability to your circumstances. Data was current at the time of publication - April 2026.
Event content. Presentation content attributed to Michael Lee (Emergence Insurance) and Mehul Aggarwal (Fortuna Tech) was delivered at a Fortuna Advisory Group educational event in 2026 and is summarised here for general information purposes. It does not represent a formal product recommendation, comparison, or advice. Emergence Insurance products discussed are subject to their own policy terms, conditions, exclusions, and eligibility criteria. Please refer to the applicable PDS for full details.