
The cyber insurance market in Australia hit USD 467 million in 2025. By 2034, analysts project it will be close to USD 2 billion. That growth is being driven by one thing: risk is not slowing down.
In 2026, the threat picture looks different to how it looked even twelve months ago. The way claims are happening has changed. The way insurers are responding has changed. And the regulatory environment around data, AI, and privacy has shifted meaningfully. Whether you run a small business, a growing startup, or a mid-size company, here is what is actually happening in the Australian cyber insurance market this year and what it means for you.
Ask most business owners what cyber attack they are most worried about and they say ransomware. The 2026 claims data tells a different story.
According to Coalition's 2026 Cyber Claims Report, drawing on data from over 100,000 policyholders, business email compromise (BEC) and funds transfer fraud now make up 58 percent of all cyber insurance claims. The average loss from a single funds transfer fraud incident is approximately AUD 199,000. More than half of those incidents started with a compromised email account.
BEC is the attack pattern where an attacker gains access to a business email account, or impersonates one convincingly, and redirects a payment, tricks a staff member into transferring funds, or manipulates a supplier relationship. It is not dramatic in the way ransomware is. There is no countdown clock, no ransom note. Often the business does not realise anything has happened until the payment has cleared and the recipient cannot be reached.
The good news from the claims data: fast reporting significantly improves recovery outcomes. AUD 30.7 million in stolen funds was recovered on behalf of policyholders last year, with an average recovery of AUD 285,000 per incident. The common factor was speed. Businesses that flagged suspicious activity quickly gave investigators the best chance of intervening before funds moved beyond reach.
Ransomware attacks have not decreased. But the pattern has changed in a way that makes individual incidents significantly more costly.
The dominant ransomware approach in 2025 and into 2026 is dual extortion: attackers encrypt your systems and steal your data simultaneously. This gives them two points of leverage. Pay to get your systems back. Pay again, or they publish the data. Ransomware incidents that involved data theft were more than twice as expensive as encryption-only attacks.
Munich Re's 2026 Cyber Insurance Risks and Trends report notes that ransomware-as-a-service (RaaS) providers now offer AI-powered, turnkey attack packages to affiliates, complete with tutorials, leak site hosting, and encrypted money laundering infrastructure. The skill barrier to launching a sophisticated ransomware attack has dropped significantly. Groups that previously could not run these attacks now can.
WTW's 2026 Cyber Risk Outlook observes that while improved security controls have reduced business interruption duration for most incidents, large-scale events are increasingly exceeding USD 1 billion in losses. For Australian businesses in high-risk sectors, the message is that frequency stabilising does not mean the risk is going away. It means the individual events that do occur are likely to be more serious.
AI is changing cybercrime in two distinct ways: it is making attacks easier and cheaper to execute, and it is creating a new category of liability that most existing cyber insurance policies were not designed to address.
AI as an attack tool
Deepfakes, voice clones, and synthetic identities are being used at scale to bypass traditional verification processes. An attacker who can convincingly impersonate a CEO or CFO in a voice call, or generate a realistic video of an executive authorising a transfer, creates a social engineering problem that no email filter or MFA setup catches. Munich Re flags this trend explicitly in their 2026 report: AI systems are becoming inherently dual-use, blending into both financially motivated cybercrime and geopolitically motivated attacks.
AI as a policy gap
On the policy side, insurers are responding to the growing use of AI inside businesses by adjusting what their policies cover. AI model errors, biased algorithm outputs, intellectual property breaches from training data, and deepfake-enabled fraud are either being explicitly excluded from standard cyber policies or requiring specific endorsements to be covered. WTW notes that a material first-time AI loss is widely considered an inevitable watershed moment in the industry. When it happens, it will drive rapid policy re-pricing across the market.
If your business builds or uses AI in any capacity, it is worth confirming specifically whether your current cyber policy responds to AI-related incidents. Many do not, by default.
Individual businesses have generally improved their cyber hygiene over the past few years. The path of least resistance for attackers has shifted accordingly. Rather than attacking a well-defended target directly, attackers are increasingly going through the target's vendors, software providers, and technology partners.
Munich Re reports that more than two-thirds of large organisations experienced at least one third-party cybersecurity incident in the past 12 months. Their 2026 outlook explicitly flags that the next generation of cyberattacks will increasingly involve the impersonation of suppliers, logistics providers, and digital service partners, exploiting the implicit trust that exists in established business relationships.
For Australian businesses, this creates a practical problem. Your cyber posture is only as strong as the weakest point in your supply chain. A breach at your accounting software provider, your cloud storage vendor, or your communications platform can expose your data without your systems ever being directly compromised.
WTW notes that a multi-day supply chain outage could generate exponentially higher losses than current large-scale incidents. Most outages in 2025 were resolved within a day. One that runs for a week or longer has the potential to trigger losses that would stress-test the coverage limits of even well-insured businesses.
The cyber insurance market has been buyer-friendly since 2022. After sharp premium increases between 2020 and 2022 driven by the ransomware surge, competitive conditions prevailed through 2025, with year-over-year premium reductions across most market segments.
That trend is showing signs of slowing. WTW's early 2026 market analysis notes a deceleration in the rate of softening, with some prominent insurers pushing for flat primary renewals in high-risk sectors including healthcare and aviation. Premium affordability has emerged as the top concern for Australian insurers in 2026, up from sixth place the previous year.
The practical implication is that 2026 remains a reasonable window to buy coverage or expand limits at competitive rates. Businesses that have deferred getting cyber insurance or have not reviewed their limits recently are in a better position to act now than they may be in 2027. This is particularly relevant for businesses in healthcare, financial services, and tech, where insurer appetite for new risk is already more selective.
The era of filling in a form and getting covered is over for businesses with meaningful cyber exposure. Insurers are exercising what WTW calls underwriting discipline, which feels to applicants more like a security audit.
The baseline expectations now include multi-factor authentication across email and remote access, tested offline backups, documented incident response procedures, and evidence of staff training on phishing and social engineering. The ACSC's Essential Eight framework is increasingly referenced as the minimum security standard insurers expect to see in place.
Businesses that cannot demonstrate these controls face one of three outcomes: higher premiums, restricted coverage, or outright decline. The Insurance News 'Outlook 2026' conference in Sydney in March explicitly covered the tightening of underwriting standards as a core industry theme.
The practical upside is that businesses with strong security controls get better terms, not just in price but in coverage scope. Demonstrating a documented incident response plan, evidence of regular staff training, and technical controls aligned to the Essential Eight are the most effective levers for improving your cyber insurance outcome.
The regulatory environment around data privacy has shifted significantly in the past twelve months and will continue shifting through 2026.
The Privacy and Other Legislation Amendment Act 2024 introduced a statutory tort for serious privacy invasions from June 2025, allowing individuals to sue organisations directly for significant breaches. Maximum penalties for serious breaches are now AUD 50 million. From May 2025, businesses with turnover above AUD 3 million must report ransomware payments to the Australian Signals Directorate within 72 hours.
In January 2026, the OAIC launched its first privacy compliance sweep, reviewing approximately 60 entities across six sectors. Healthcare was among them. This signals a shift toward proactive enforcement rather than reactive investigation following breach notifications. If your privacy practices are not compliant, you may not hear about it after a breach. You may hear about it before one.
Looking further ahead, the second tranche of Privacy Act reforms, which includes the potential removal of the small business exemption (the AUD 3 million turnover threshold), is progressing. When that takes effect, estimated for late 2026, the population of businesses with mandatory Privacy Act obligations will expand dramatically.
The threat picture in 2026 is more varied than it has ever been. Ransomware is no longer the only story. BEC claims are more common. AI is being weaponised and is also creating coverage gaps. Supply chains are the new attack surface. And the regulatory and legal consequences of a breach are more serious than they were even a year ago.
upcover arranges cyber insurance for Australian businesses across 1,000+ industries. Whether you are a sole trader, a growing tech startup, or an established business with complex risk, upcover works with 80+ insurance partners to find the right coverage.
Subject to policy terms and conditions, cyber insurance arranged through upcover may include cover for data breach response, business interruption, forensic investigation, regulatory costs, ransomware and extortion, and third-party liability claims. Always read the Product Disclosure Statement for the specific policy.
upcover is a digital-first insurance broker helping Australian businesses arrange the right cover in minutes, not days. 70,000+ businesses covered. 4.9/5 customer rating. 80+ insurance partners.
upcover is a Corporate Authorised Representative (CAR 1299211) of Experience Insurance Services Pty Ltd ABN 41 657 596 506, AFSL 539078.
The trend and market data cited in this article are drawn from publicly available industry reports including Munich Re Cyber Insurance Risks and Trends 2026, Coalition 2026 Cyber Claims Report, WTW Cyber Risk 2026 Outlook, OAIC Notifiable Data Breaches Statistics January-June 2025, and IBM Cost of a Data Breach Report 2024. This article is general in nature and provided for informational and awareness purposes only. The insurance information has been prepared without taking into account your individual needs, objectives or financial situation. It should not be relied upon as personal advice. All insurance products arranged through upcover are subject to the terms, conditions, limits and exclusions of the relevant policy wording and Product Disclosure Statement. Before deciding whether a particular insurance product is right for you, please read the relevant PDS and consider your personal circumstances. upcover Pty Ltd ABN 17 628 197 437 is a Corporate Authorised Representative (CAR 1299211) of Experience Insurance Services Pty Ltd ABN 41 657 596 506, AFSL 539078.