How Much Cyber Insurance Do I Need?

June 29, 2026

Many Australian SME cyber policies are available with limits from $250,000 to $5 million, depending on occupation, insurer, and underwriting appetite. The right amount depends on your contracts, data, revenue, downtime exposure, and the cost of recovering from a serious event. This guide helps you work out the number.

Most businesses spend more time comparing cyber insurance premiums than thinking about whether the limit they chose would actually cover a serious incident. A $500,000 policy at $1,500 per year might look like a good deal. It is also a policy that only pays out $500,000 on a $1.2 million loss. The premium tells you what you pay. The limit determines what you recover.

At a Glance

  • There is no single cyber insurance limit that suits every business.
  • Start with the highest limit required by any client contract, tender, or vendor agreement.
  • Then estimate your exposure: breach response, downtime, ransomware, funds transfer fraud, and third-party claims.
  • The average self-reported cost of cybercrime across all Australian businesses was $80,850 per report in FY2024-25, up 50% year-on-year (ASD/ACSC). For small businesses, the average was $56,600.
  • Check sublimits. A $1M policy may have lower caps for ransomware, BEC, or business interruption.
  • Cyber policies may have territorial or jurisdictional limits. Check before relying on cover for overseas clients or data.
  • Cyber insurance does not replace controls such as MFA, tested backups, and staff training.
  • upcover arranges Cyber and Technology Insurance for eligible Australian businesses.

What Cyber Insurance Limits Are Available in Australia?

| Limit | When businesses may consider this level | Watch for |
|---|---|---|
| $250,000 | Very small businesses with minimal stored data, no client PII, and low digital dependence | May not cover a serious ransomware or breach event. Average ransomware recovery alone is $207,600. |
| $500,000 | Small businesses with modest customer databases, low regulatory exposure, and no contract requirements | Check whether breach response and downtime together could exceed this |
| $1,000,000 | Common starting point for businesses that store customer data, process payments, or rely on digital systems | Check sublimits. A $1M policy with a $250K ransomware sublimit is effectively $250K for ransomware. |
| $2,000,000 | Regulated industries (health, finance, legal), sensitive client data, or contract requirements specifying higher limits | Check third-party exposure if you hold data on behalf of clients |
| $5,000,000 | Mid-market businesses, significant data holders, government or healthcare or finance suppliers | May be the ceiling for SME policies |

These are illustrative starting points, not recommendations. Your actual limit should be based on your contracts, revenue, data exposure, policy sublimits, and broker or insurer advice.

Does Your Contract Require a Minimum Cyber Limit?

Many businesses do not choose a cyber limit from a risk model. They choose it because a client, tender, or platform told them to. Common sources of a minimum requirement:

  • Enterprise clients may require evidence of cyber insurance during vendor onboarding
  • Government tenders may specify minimum cyber cover as a condition
  • Healthcare and finance contracts may specify $1M to $5M minimums where the supplier handles sensitive data
  • Franchise or platform agreements may require cyber cover to operate under the brand

Here is the part most people miss: some contracts specify not just an overall cyber limit but minimum sublimits for privacy liability, network security, ransomware, and business interruption. Check whether your policy's sublimits satisfy the contract, not just the headline number.

The highest contractual requirement is usually the minimum your policy may need to satisfy. Your actual exposure may still be higher.

How to Estimate Your Cyber Insurance Limit

If no contract sets a minimum, the question becomes: what would a serious incident actually cost your business?

Cyber losses do not scale predictably with business size. A ransomware event that costs $207,600 to recover from can hit a sole trader with 500 clients just as easily as a mid-market company with 50,000 clients. This is what makes cyber different from public liability or professional indemnity, where claim severity tends to correlate more closely with the scale of the business. Start by estimating these cost categories:

| Exposure | What to estimate |
|---|---|
| Breach response | Forensics, legal advice, OAIC notification, credit monitoring |
| Downtime | Lost revenue if systems, email, website, or payment tools stop working |
| Data recovery | Restoring systems, backups, and cloud data |
| Ransomware | Response, negotiation, and recovery costs |
| Funds transfer fraud | Invoice redirection, BEC, and social engineering losses |
| Third-party claims | Claims from customers, clients, or suppliers affected by your incident |
| Regulatory response | Investigation or defence costs under the Privacy Act or industry regulators |

A quick way to size it: The average self-reported cost of cybercrime for Australian small businesses was $56,600 per report in FY2024-25 (ASD/ACSC), but that is an average across all incident types. A ransomware event with system recovery, business interruption, and customer notification can cost multiples of that. Take your annual revenue, divide by 365, and multiply by 14 to 21 days for a realistic ransomware recovery window. A business earning $2M per year loses roughly $7,700 per day of downtime. Three weeks offline is $115,000 in lost revenue alone, before forensics, legal, notification, and recovery costs are added.

For serious or repeated privacy interferences, maximum civil penalties for corporate bodies can reach the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover. Since 30 May 2025, businesses with annual turnover of $3 million or more must also report ransomware payments to ASD within 72 hours under the Cyber Security Act 2024.

Add your exposures together. A useful aim is to choose a limit that helps reduce the chance of a major funding gap from one significant event. For more on what underwriters check, see cyber insurance requirements in Australia.

How Industry Changes the Calculation

Not every business faces the same type of cyber risk. The industry you operate in shapes both the likelihood of an incident and how expensive it gets.

  1. E-commerce and retail: Payment fraud, site outages, and customer data. Downtime directly hits revenue. A week-long outage during a peak sales period can cost more than the annual premium.
  2. Healthcare and allied health: Sensitive health data, strict privacy obligations, and high notification costs. Ransomware incidents against the Australian healthcare sector doubled in FY2024-25 (ASD/ACSC).
  3. Professional services and accountants: BEC and funds transfer fraud are the primary risks. You hold client money and client data, which makes you a high-value target for invoice redirection scams.
  4. SaaS and IT providers: Platform uptime is tied to client contracts. If your system goes down and exposes client data, you face both business interruption and third-party liability.
  5. Trades and construction: Invoice redirection fraud is the biggest risk. Digital tools like ServiceM8 and Tradify hold client addresses, access codes, and payment details.

Why Your $1M Policy Might Only Pay $250K

Your headline policy limit is not always what you recover. Most cyber policies apply sublimits to specific claim types, and the sublimit is often where the real cap sits.

Ransomware and cyber extortion are often sublimited to $250K or $500K, even on a $1M policy.

Social engineering and BEC sublimits are often $50K to $250K. Emergence's 2025 Cyber Claims Report identified BEC as the number one claim type for Australian businesses. If your BEC sublimit is $50K on a $1M policy, the policy pays $50K for the most common claim type.

Business interruption may have an 8 to 24 hour waiting period before cover kicks in, plus a cap on how long it runs.

Check your policy schedule before assuming the headline number is what you get. For more, see why cyber insurance claims get denied and business email compromise insurance.

Three Mistakes That Leave Businesses Underinsured

  1. Mistake #1: Choosing the minimum because the premium is cheap. The average cost of cybercrime across all businesses hit $80,850 per report in FY2024-25, up 50% year-on-year. A $250K limit may feel safe until a ransomware event hits $207,600 and business interruption pushes it higher.
  2. Mistake #2: Ignoring sublimits. You have a $1M policy. Your social engineering sublimit is $50K. A BEC scam redirects $120,000 in supplier payments. The policy pays $50K. You cover the remaining $70,000 yourself.
  3. Mistake #3: Not updating as the business grows. You started with $250K when you had 100 clients and no online payments. Now you have 10,000 clients, process card payments, and store health data. Same limit, completely different exposure.

How upcover Can Help

upcover arranges Cyber and Technology Insurance for eligible Australian businesses with selected insurers and underwriters. Depending on your occupation, revenue, systems, and data exposure, you may be able to compare options, choose a limit, and access a Certificate of Currency.

  • 70,000+ businesses covered across Australia.
  • 4.9/5 customer rating.
  • Instant Certificate of Currency on policy confirmation.

For more on what cyber insurance covers, see the cyber insurance guide for small businesses.

upcover Pty Ltd ABN 17 628 197 437 is a Corporate Authorised Representative (CAR 1299211) of Experience Insurance Services Pty Ltd ABN 41 657 596 506, AFSL 539078.

FAQ

How much cyber insurance do I need?

Start with the highest limit required by any contract, then estimate what a serious incident could cost across breach response, downtime, ransomware, and third-party claims. Count your records, calculate your daily revenue, and add regulatory exposure.

What cyber insurance limit do most small businesses choose?

Many start between $500K and $1M. Regulated industries or businesses with enterprise contracts may need $1M to $5M.

Is $1 million cyber insurance enough?

Check sublimits first. A $1M policy with a $250K ransomware sublimit and a $50K BEC sublimit may not be enough if those are your biggest risks. The headline limit is not always what you recover.

What are sublimits in cyber insurance?

A sublimit caps what the insurer pays for a specific claim type, set below the overall policy limit. Common sublimits apply to ransomware, social engineering, business interruption, and regulatory costs.

Does cyber insurance cover overseas clients or offshore data?

Many Australian SME policies are designed for domestic operations. Claims from overseas clients, especially US or Canada, may be excluded. Check territorial limits before buying.

Does cyber insurance cover business email compromise?

Many policies cover BEC and funds transfer fraud, but often with a sublimit and verification conditions. BEC is one of the most common cyber claim types, so check this section carefully.

Do contracts require minimum cyber insurance?

Increasingly, yes. Government tenders, enterprise vendor onboarding, and healthcare or finance contracts may specify minimums for both the overall limit and specific sublimits.

Can I increase my cyber insurance limit later?

In many cases, yes. Speak with your broker or insurer about adjusting at renewal if your business grows or contracts change.

Written by upcover's editorial team. Reviewed for insurance content accuracy. The information in this article is general in nature and provided for informational purposes only. It does not constitute personal insurance, legal, financial, or cyber security advice. It does not take into account your objectives, financial situation, or needs. Cyber insurance limits, sublimits, territorial limits, and coverage vary by occupation, insurer, and policy wording. The cover levels discussed are illustrative starting points and may not be available for every occupation or insurer. Statistics cited are sourced from ASD/ACSC Annual Cyber Threat Report 2024-25 and Emergence Insurance Cyber Claims Report 2025. Before purchasing or relying on an insurance product, consider the relevant PDS, Target Market Determination, policy wording, and Financial Services Guide. upcover Pty Ltd ABN 17 628 197 437 is a Corporate Authorised Representative (CAR 1299211) of Experience Insurance Services Pty Ltd ABN 41 657 596 506, AFSL 539078. upcover arranges insurance products with selected insurers and underwriters and does not compare all general insurers or insurance products available in the market.
