Insight
Cyber insurance for small business explained: what it covers, what insurers now require you to have, what it costs, and when it's genuinely worth it.
Cyber insurance for small business explained: what it covers, what insurers now require you to have, what it costs, and when it's genuinely worth it.
For most Australian small businesses that hold client data or rely on their systems to trade, cyber insurance is worth having, but it works best as a backstop, not a substitute for basic security. It helps cover the costs of recovering from an attack, things like IT forensics, legal advice, lost income and notifying affected clients. If a breach would seriously hurt your business, insurance is worth a serious look.
Best practice: Treat insurance as the last layer rather than the first, and get MFA, backups and updates in place before you shop for a policy.
That said, insurance is the last layer, not the first. Insurers increasingly expect you to have the basics in place before they will pay out or even offer cover. Here is how to decide.
Cyber insurance typically covers the costs of responding to and recovering from a cyber incident. That usually includes incident response, data recovery, legal and notification costs, business interruption, and sometimes cyber extortion. Policies vary a lot, so the detail matters more than the headline.
It depends on how much you would lose if your systems went down or client data leaked. If a week offline or a data breach would threaten the business, insurance is a sensible safeguard. If you hold little sensitive data and could operate on paper for a while, it is less urgent, though still worth pricing.
Be honest about your exposure. Professional services firms holding client financials or health information usually have more at stake than a business that keeps very little data.
Tip: Write down what a week offline would actually cost you in lost income and recovery, because that number tells you how much cover is worth.
Insurers increasingly require basic controls before they will offer cover or pay a claim, especially MFA, backups and updates. Turning these on can also lower your premium. In other words, the same basics that protect you also make you insurable.
| Commonly required control | Why insurers care |
|---|---|
| Multi-factor authentication | Blocks most account takeovers |
| Tested backups | Reduces ransomware payouts |
| Regular updates | Closes known vulnerabilities |
| Staff awareness training | Cuts successful phishing |
You will notice these are the same steps in our cyber security essentials guide. Get them in place and you are both safer and cheaper to insure.
Note: The controls that satisfy an insurer are the same ones that prevent the incident, so the work pays off twice, once in protection and once in a lower premium.
Premiums for a small business commonly start from a few hundred to a couple of thousand dollars a year, depending on your size, industry, revenue and the controls you have in place. The stronger your security, the lower the premium tends to be. Get a broker who understands cyber cover to compare policies, because the exclusions vary widely.
The short version: cyber insurance is worth it for most small businesses as a backstop, but only alongside the basic controls insurers now expect. Fix the basics first, then insure the residual risk.
No, it is not legally required for most small businesses. It is optional risk cover, though some contracts or clients may ask you to hold it.
Possibly not. Many insurers now require controls like MFA and backups, and a claim can be reduced or denied if the agreed controls were not in place.
It varies, but common exclusions include losses from known unpatched vulnerabilities, breaches where required controls were missing, and sometimes social-engineering fraud unless specifically added.
No. It covers the cost of recovery, but it cannot undo the disruption or reputational damage. Strong basics reduce both your risk and your premium.
Want to know whether your security would satisfy an insurer? See how our cyber security service works, or take the free business health check.
Tell us where your business is at, and we will tell you where we would start.