Australia’s prudential regulator is seeking industry input on plans to restructure how it publishes aggregated insurance statistics, including a push to break out cyber insurance and management liability into their own reporting categories for the first time. The Australian Prudential Regulation Authority (APRA) launched a public consultation on May 19 on proposed changes to the National Claims and Policies Database (NCPD), targeting both the legal framework that governs what data can be released and the mechanics of how that data reaches end users. The deadline for written submissions is June 16, 2026.
The NCPD draws on six reporting standards – GRS 800.1, 800.2, and 800.3, and LOLRS 800.1, 800.2, and 800.3 – that cover policies, claims, and facilities lodged by general insurers and Lloyd’s of London syndicates operating in Australia. Under section 56 of the Australian Prudential Regulation Authority Act 1998, data collected through these standards carries protected status. Any public release requires APRA to first make a non-confidentiality determination under section 57 of the same legislation.
The most immediate operational change proposed is the retirement of a portal-based system that historically produced a large volume of preprepared reports. APRA is moving toward a narrower set of downloadable spreadsheets, standardized across consistent measures, and dimensions. The regulator has been clear that this is a structural change to delivery rather than a substantive change to what is measured. The core data dimensions, aggregation thresholds, and existing exclusions for high-granularity cross-tabulations would carry over from the current non-confidentiality framework.
For general insurers, APRA is proposing four policy cross-sections and four claims cross-sections, each sliced along the same two axes: one pairing state with either limit of indemnity bucket or excess/deductible/attachment point (EDA) bucket and another pairing occupation or industry group with those same two variables. That structure produces eight cross-sections in total across both policy and claims outputs. Policy cross-sections would capture the number of policies, number of risks written, number of risks in force, gross earned premium, and gross written premium for each data bucket. Claims cross-sections would record the number of all claims, number of finalised claims, gross claim payments, and gross claims incurred.
A single facilities publication would cover the number of facilities, number of policies, premium received during the reporting period, number of claims, and gross payments made during the same period. Lloyd’s data would continue to appear in three separate outputs – policies, claims, and facilities – but with a narrower set of dimensions and measures than those published for general insurers. The Lloyd’s policy publication, for example, would not include occupation or industry group, EDA, limit of indemnity, state, product type, or the number of risks in force.
The more consequential shift for insurers and market analysts may be the reclassification of cyber insurance and management liability into distinct product categories. Both lines have historically sat inside broader buckets. Cyber insurance has been captured under “Public Liability – Other,” while management liability has been folded into existing professional indemnity product types. Neither has appeared as a named, standalone category in published NCPD outputs.
APRA first flagged its intent to collect and separately publish this data during a 2020 consultation, at which time it invited objections to treating both lines as non-confidential at the same aggregation level as other products. No objections were received. Reporting standards were subsequently updated to collect the data, but APRA stopped short of issuing a formal non-confidentiality determination at that stage. The regulator now says the datasets for both product types have reached sufficient maturity to warrant separate publication. Doing so requires replacing the current determination – Australian Prudential Regulation Authority (confidentiality) determination No. 2 of 2021 – with an updated instrument that explicitly covers these categories.
APRA has drawn a clear boundary around the scope of the proposal. Underlying data items will not be made non-confidential. Granularity and aggregation thresholds will not be loosened. The existing carve-out for cross-dimensional combinations that are considered too granular to release – specifically combinations of state and occupation or industry and combinations of limit of indemnity bucket and EDA bucket – remains in place.
One question the consultation does not resolve is how the downloadable outputs will reach users. APRA confirmed it is still working through whether additional privacy safeguards are needed for residual granular data in the proposed publications, and whether conditions on access or use should apply. The regulator said those questions would be addressed after the non-confidentiality consultation closes.
APRA is inviting feedback specifically on whether any information included in the proposal should instead remain confidential. Submissions should be directed to [email protected] by June 16, 2026, and addressed to the Manager, Supervisory Data, General Insurance and Banking Division. A timeline for publication of the new NCPD outputs will be released alongside the finalised non-confidentiality determination once the consultation process is complete.
