APRA carves out cyber, management liability as standalone data

Widely supported – until you ask how bundled cover counts

By Roxanne Libatique

The Australian Prudential Regulation Authority (APRA) will finalise a non-confidentiality determination that, for the first time, publishes cyber insurance and management liability as their own categories in the National Claims and Policies Database (NCPD). For insurers writing in a market the regulator’s own stakeholders describe as too data-thin to price reliably, that reclassification carries real commercial stakes – both the promise of better market-wide pricing signals and the risk that individual insurers become identifiable in segments where few players are active.

Why this matters commercially

The Insurance Council of Australia (ICA) has pointed out that cyber cover can’t be priced off historical claims experience the way older products can, and that gaps in the available data make premium-setting difficult, with underinsurance for cyber risk a continuing concern. Separating cyber and management liability into standalone NCPD categories is meant to close part of that gap. APRA has said the change reflects the market’s rapid growth and a lack of usable data on how these two products are actually performing.

But the same thin-data conditions that make better reporting valuable also make it risky. The ICA’s submission on the consultation raised a specific concern: that individual insurers could become identifiable once cyber and management liability are broken out as their own categories, particularly in smaller segments with limited participation. APRA’s response was that published figures will retain the existing aggregation and masking protections it already applies elsewhere in the NCPD, with more detailed data available on request under privacy conditions.

What APRA’s response does not specify – at least in the materials reviewed for this article – is the precise aggregation methodology behind that protection: whether masking is applied by insurer count, premium band, or some other threshold. That detail matters to any insurer trying to assess its own exposure to identification once its cyber or management liability book is reported as a distinct line, and it isn’t addressed in APRA’s published response.

A market growing faster than the data supporting it

Research firm IMARC Group estimates the Australian cyber insurance market at US$467.1 million in 2025, on track to reach US$1,994.3 million by 2034 at a compound annual growth rate of 17.50%. The ICA has separately told a federal small business insurance inquiry that cyber insurance take-up among small businesses stays low despite businesses’ growing reliance on digital systems, pointing to limited cyber awareness, older technology, and stretched security budgets as reasons smaller firms carry more exposure. That’s a different submission addressing a different inquiry, but it points to the same underlying condition driving the NCPD changes: a market this size and this new, growing this quickly, is one where actuarial need is running ahead of available data.

The reclassification is an operational problem, not just a filing change

Cyber insurance has, until now, sat inside a broader “Public Liability – Other” bucket in NCPD reporting, while management liability has been counted under professional indemnity, with neither line broken out in published figures. Unwinding years of blended reporting into two standalone categories is not a simple relabelling exercise. The ICA’s submission flagged a specific practical complication: several insurers don’t sell cyber cover as its own product at all, instead embedding it within management liability policies. For those insurers, reporting the two lines separately means first deciding how to attribute a single bundled policy’s premium and claims history across two categories that, in their own product design, were never meant to be separated.

The ICA asked APRA to settle on consistent product definitions across the industry and, where insurers need it, allow time to adjust their systems before the new categories become mandatory – a request that treats this as genuine implementation work, not a paperwork update. Neither APRA’s response nor the ICA’s submission specifies a compliance timeline for making that change, though APRA said it will work with industry on definitional questions as implementation proceeds.

The regulatory backstory, briefly

APRA first proposed collecting cyber insurance and management liability as separate categories back in November 2020, and by March 2021 had agreed with the ICA that insurers should report cyber claims data tied only to stand-alone cyber policies at that point. No objections surfaced when APRA first raised the prospect of separate publication in 2020, yet the regulator held off issuing a formal non-confidentiality determination at the time. This year’s consultation, opened in May 2026, addresses the publication question that had been left open since then; APRA released its response on July 1, 2026. The underlying database itself dates to 2003, established by APRA at the Australian government’s request to give insurers, the community, and governments a clearer picture of the relevant insurance classes.

What to watch next

The initial refreshed NCPD publication will cover data reported up to Dec. 31, 2024, with 2025 figures still going through validation ahead of a later release this year. That release will be the first real test of whether the masking APRA has promised is enough to keep individual insurers unidentifiable in a market this size – and whether insurers that have spent years reporting cyber and management liability as blended lines are ready to report them apart.
