The Australian Signals Directorate's Stephanie Crowe was one of six intelligence chiefs to sign a joint statement on Sunday warning that AI-powered cyber attacks are months - not years - away from "fundamentally transforming" the threat landscape. It is the most urgent warning the Five Eyes has ever issued on the subject, and it came from Australia's own cyber chief.
The timing is awkward for the local market. Cyber GWP has never exceeded $73 million in a single quarter according to APRA data, in a country with hundreds of thousands of businesses carrying digital risk. The class is profitable right now - three consecutive quarters of positive results - but it is reaching an extraordinarily small share of the potential insured population, and it is doing so at a moment when the risk is accelerating.
EBM's May 2026 market outlook noted that cyber crime costs for Australian medium-sized businesses rose 55% year on year, with average incident costs close to $100,000. The Australian Signals Directorate's own data underpins that figure. The market has soft conditions but sharper underwriting, as Marsh's cyber specialist Jack Petts told Insurance Business - and the window of affordable, well-structured cover will not stay open forever.
The Five Eyes statement frames legacy systems as "strategic liabilities, not just technical debt" - a phrase that lands differently in a country where 46% of organisations have experienced breaches linked to third-party access failures. Jeffrey Gonlin, chief underwriter at Emergence Insurance, put the overall threat trajectory bluntly: "It might be that AI just makes everybody a super cyber criminal, and that turbocharges everything." The advisory also points at boards and executives, not IT departments: "It is not enough to have controls. Leaders must be confident those controls will perform during a real incident."
APRA and ASIC have already been moving in the same direction. APRA wrote to all regulated entities in April warning that governance practices are not keeping pace with AI adoption. ASIC followed in May urging licensees to strengthen AI and cyber controls. The Five Eyes warning is the third significant escalation in roughly six weeks.
On coverage, brokers should not assume current wordings will hold as the threat landscape shifts. Ed Ventham of Assured offers a straightforward steer: "As it stands, we have not seen any exclusions brought in for AI - however we would encourage businesses to be asking for AI to be affirmatively covered within their policy to avoid any potential knee-jerk changes from a potential upcoming and heightened risk landscape."
Caspar Rogers, Senior Broker at Assured, warns insurers may revisit language akin to Chubb's previous Widespread Vulnerability Exclusion to limit aggregated exposure from mass incidents. Tim Johnson, Partner and Head of Insurance at law firm Browne Jacobson, adds a subtler concern: many cyber policies define a hacker as a person, meaning some wordings may simply not pick up an AI attacker, with unintended consequences either way.
Johnson also points to a broader problem AI attacks will amplify: clients assuming that having a cyber policy means having cyber cover. "Cyber cover is shorthand for a whole load of different cyber-based coverages," he said. With more attacks and more victims, that gap will become harder to ignore, and harder to defend.
For brokers with SME client books, the APRA data is a useful prompt and the Five Eyes advisory is a harder one. The easy money in cyber's soft market is not going to last. The risk it covers is going nowhere but up.
