Cyber insurance uptake falls as online risks remain widespread

Basic cyber safety measures also declined in the latest AIC survey

Cyber insurance uptake falls as online risks remain widespread

Cyber

By Roxanne Libatique

Fewer Australians are buying cyber insurance and taking basic online safety steps even as small and medium enterprises report growing business harm from cybercrime, according to the Australian Institute of Criminology’s (AIC) Cybercrime in Australia 2025 report. The divergence lands as the country’s cyber insurance line reaches its most stable underwriting position in years, yet take-up remains low. The report, released June 30, 2026, draws on the Australian Cybercrime Survey (ACS) of 10,593 online Australians aged 18 and over, conducted between May 27 and July 1, 2025.

A widening protection gap

For the second consecutive year, the survey recorded a fall in the share of respondents holding cyber insurance, down from 4.6% in 2024 to 3.7% in 2025. Other protective behaviours also declined, including the use of antivirus software or firewalls (39.3% to 36.2%), spam-filtering software (20.5% to 17.8%), and different passwords for secure accounts (50.9% to 47.7%). The AIC linked part of the antivirus decline to consumers relying on protection built into new devices. The retreat from protection sits against steady exposure. About 45.5% of respondents said they had been a victim of at least one measured cybercrime type in the prior 12 months, and 63.9% reported lifetime victimisation. Online abuse and harassment was the most reported category at 24.9%, followed by malware at 21.5%, identity crime and misuse at 20.6%, and fraud and scams at 11.4%.

The uptake puzzle for insurers

The AIC figures echo a pattern visible in regulatory data. Australian Prudential Regulation Authority (APRA) statistics show the cyber class posted positive insurance service results of $17 million, $10 million, and $10 million in the September 2025, December 2025, and March 2026 quarters, after a run of alternating small profits and losses in earlier periods. cyber gross written premium has never exceeded $73 million in a single quarter and stood at $32 million in the March 2026 quarter, accounting for less than 0.2% of total industry premium. The class recorded just 6,000 risks written in that quarter, against 4.78 million for domestic motor. Cyber premiums fell about 10% through 2025, according to EBM Insurance and Risk’s May 2026 market outlook. Lower prices have not yet lifted volumes.

Underwriters attribute the gap to how businesses perceive the risk. “It’s a real mystery. When people get animated about businesses not being insured for some natural peril, somehow when it comes to cyber – because it’s less concrete, it seems less real – there’s just no sense of urgency,” said Jeffrey Gonlin, chief underwriter at Emergence Insurance. Gerry Power, general manager of Cowbell in Australia, said many SMEs treat cyber as an intangible risk. “Many SMEs still believe they are too small to be targeted, despite the reality that cyber criminals often view smaller businesses as easier targets with fewer security controls,” Power said.

SME harm and the regulatory backdrop

The AIC report identified SME owners, operators, and managers as being at higher risk across all cybercrime types. An estimated 25.0% of SME owner respondents said cybercrime had affected their business in the prior 12 months, through disruption to everyday business function (28.7%), additional business expenses (16.4%), loss of information (15.9%), harm to reputation or revenue (14.1%), impacts on staff (10.0%), and legal or regulatory issues (7.9%).

Two impact categories rose. Staff impacts increased from 5.9% to 10.0%, driven by employees or owners resigning or losing their jobs, and legal or regulatory issues rose from 5.1% to 7.9%, driven by litigation or legal action against businesses. Among SME owners reporting harm, insurance premiums increased for 5.5%. The rise in legal and regulatory harm coincides with an expanding compliance regime. Since May 30, 2025, businesses with annual turnover of $3 million or more, and entities responsible for critical infrastructure assets, must report ransomware and cyber extortion payments to the Australian Signals Directorate (ASD) within 72 hours under Part 3 of the Cyber Security Act 2024. Failure to report can attract civil penalties of up to $19,800, and the Department of Home Affairs moved from an education-first approach to active enforcement on Jan. 1, 2026.

Ransomware drives losses out of proportion to its frequency

The survey found the proportion of respondents experiencing pure ransomware rose from 2.5% to 3.1%, which the AIC linked to ASD data showing more frequent ransomware reports in the 2024-25 financial year. The severity signal is sharper than the frequency figure suggests: among malware victims who lost money, 36% said the incident involved ransomware, despite ransomware accounting for only 21.8% of malware victims overall.

Most victims did not lose money at all. Financial losses were most common among fraud and scam victims (36.0%) and identity crime and misuse victims (29.6%). After recoveries, median losses ranged from $180 for fraud and scams to $300 for online abuse and harassment and identity crime and misuse, though mean losses reached $4,214 for online abuse and harassment, skewed by a small number of large losses. Across all cybercrime types, just over one in 10 victims made an official report to police or ReportCyber, well below the 75% police reporting rate for house break-ins the AIC cited for 2023-24.

A distribution question, not a product one

For brokers and underwriters, the two datasets point the same way. The AIC survey shows exposure holding and SME harm rising while individual and business protection erodes; the APRA data shows a line that is profitable, moderately priced, and reaching a fraction of its potential market. The constraint is not the economics of the product but the reach of its distribution – a gap that widens each year the protection figures fall.

Related Stories

Keep up with the latest news and events

Join our mailing list, it’s free!