Why the question is usually framed wrong
Most SMBs ask whether they should get cyber insurance. The better question is how much they actually need — and what the policy should contain to be worth anything when it’s called on.
A $100,000 cyber policy looks like cover. For most businesses holding customer or employee data, it isn’t. The Notifiable Data Breaches (NDB) scheme alone creates mandatory notification costs — letters, credit monitoring, call centre setup for affected parties — that can reach tens of thousands of dollars before you’ve paid a single lawyer or forensic investigator.
The real cost components of a cyber incident
Assessing how much cyber insurance you need starts with understanding what a cyber event actually costs your specific business. The major components:
Forensic investigation
Who got in, how, and what did they access? A specialist incident response firm — the kind that can produce evidence usable in regulatory proceedings — will charge $15,000–$80,000+ for a thorough investigation. The cost depends on system complexity and the nature of the incident.
Legal costs
Privacy obligations, regulatory response, potential litigation from affected parties. Cybersecurity lawyers billing at senior commercial rates for a six-week regulatory response will exceed a $100,000 limit before the case is resolved.
Notification costs
Under the NDB scheme, any eligible data breach requires notification to the OAIC and to affected individuals. For a business holding 50,000 records, the cost of individual notification — including credit monitoring services, which some incidents require — is a material spend on its own.
Business interruption
If your systems are down, what does a week of lost revenue cost? For a $5M revenue business, a week of operational outage is $100,000+ in lost income. For most SMBs, this is the single largest cost component of a serious cyber incident.
Ransomware payment and recovery
Ransom demands for SMBs have escalated significantly. $50,000–$500,000 is no longer unusual for a targeted attack on a small business. Decryption and system restoration costs following a ransomware event can equal or exceed the ransom itself.
How to assess your own exposure
A practical self-assessment:
- How many records do you hold? Customers, employees, suppliers, and any other personal information held in your systems.
- What type of data? PII, financial data, and health records each carry different notification obligations and reputational implications.
- What’s your annual revenue? Your business interruption exposure is proportional to your revenue base.
- Could you operate without your systems for a week? Businesses that can’t answer “yes” have a material business interruption (BI) exposure that needs to be reflected in their cyber limit.
If you hold more than 10,000 records, a $250,000 limit is unlikely to be adequate. Healthcare and professional services businesses face additional professional indemnity (PI) exposure from a privacy breach — if client data is compromised as a result of a cyber event, the PI claim follows.
What a good cyber policy actually contains
Beyond the headline limit, the policy wording is what determines whether cover responds when it’s needed.
Incident response support vs reimbursement
A policy that activates a forensic response team at point of event is worth significantly more than one that reimburses costs after the fact. The first 24–48 hours of a cyber incident are critical for evidence preservation, regulatory response, and containing the breach. A reimbursement-only policy leaves you navigating this alone at the worst possible moment.
Ransomware treatment
Some policies sub-limit ransomware payments or exclude payments to specific threat actors. The ransomware sub-limit is one of the most common ways a headline cyber limit understates actual coverage. Confirm how ransomware is treated before binding.
Business interruption trigger
Does BI trigger on any system failure, or only on a covered cyber attack? A system outage that results from software failure or infrastructure issues — not a malicious attack — may not trigger a policy that requires a “cyber event” as the cause.
War exclusions
Since the Russia/Ukraine war, many insurers have tightened war exclusions in cyber policies. Some remain broad enough to exclude state-sponsored attacks, which are behind many of the most significant ransomware campaigns globally. How the war exclusion is drafted matters for real-world coverage.
